summary refs log tree commit diff
path: root/synapse/handlers/sso.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Add support for stable MSC2858 API (#9617)Richard van der Hoff2021-03-161-0/+5
| | | | | The stable format uses different brand identifiers, so we need to support two identifiers for each IdP.
* Prometheus metrics for logins and registrations (#9511)Richard van der Hoff2021-03-041-0/+1
| | | Add prom metrics for number of users successfully registering and logging in, by SSO provider.
* Record the SSO Auth Provider in the login token (#9510)Richard van der Hoff2021-03-041-0/+2
| | | This great big stack of commits is a a whole load of hoop-jumping to make it easier to store additional values in login tokens, and then to actually store the SSO Identity Provider in the login token. (Making use of that data will follow in a subsequent PR.)
* Use the proper Request in type hints. (#9515)Patrick Cloke2021-03-011-1/+1
| | | | This also pins the Twisted version in the mypy job for CI until proper type hints are fixed throughout Synapse.
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-7/+15
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Combine the CAS & SAML implementations for required attributes. (#9326)Patrick Cloke2021-02-111-0/+71
|
* Fix formatting for "bad session" error during sso registration flow (#9296)Richard van der Hoff2021-02-031-3/+16
|
* Collect terms consent from the user during SSO registration (#9276)Richard van der Hoff2021-02-011-0/+44
|
* Make importing display name and email optional (#9277)Richard van der Hoff2021-02-011-8/+44
|
* Replace username picker with a template (#9275)Richard van der Hoff2021-02-011-1/+1
| | | | | There's some prelimiary work here to pull out the construction of a jinja environment to a separate function. I wanted to load the template at display time rather than load time, so that it's easy to update on the fly. Honestly, I think we should do this with all our templates: the risk of ending up with malformed templates is far outweighed by the improved turnaround time for an admin trying to update them.
* Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-1/+9
|
* Split out a separate endpoint to complete SSO registration (#9262)Richard van der Hoff2021-02-011-15/+66
| | | There are going to be a couple of paths to get to the final step of SSO reg, and I want the URL in the browser to consistent. So, let's move the final step onto a separate path, which we redirect to.
* Add 'brand' field to MSC2858 response (#9242)Richard van der Hoff2021-01-271-0/+5
| | | | | | We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
* Implement MSC2858 support (#9183)Richard van der Hoff2021-01-271-5/+18
| | | Fixes #8928.
* Support icons for Identity Providers (#9154)Richard van der Hoff2021-01-201-0/+5
|
* Move `complete_sso_ui_auth` into SSOHandlerRichard van der Hoff2021-01-131-3/+13
| | | | | since we're hacking on this code anyway, may as well move it out of the cluttered AuthHandler.
* Give the user a better error when they present bad SSO credsRichard van der Hoff2021-01-131-5/+28
| | | | | | | | | If a user tries to do UI Auth via SSO, but uses the wrong account on the SSO IdP, try to give them a better error. Previously, the UIA would claim to be successful, but then the operation in question would simply fail with "auth fail". Instead, serve up an error page which explains the failure.
* UI Auth via SSO: redirect the user to an appropriate SSO. (#9081)Richard van der Hoff2021-01-121-0/+31
| | | | | | | If we have integrations with multiple identity providers, when the user does a UI Auth, we need to redirect them to the right one. There are a few steps to this. First of all we actually need to store the userid of the user we are trying to validate in the UIA session, since the /auth/sso/fallback/web request is unauthenticated. Then, once we get the /auth/sso/fallback/web request, we can fish the user id out of the session, and use it to look up the external id mappings, and hence pick an SSO provider for them.
* Remove SynapseRequest.get_user_agent (#9069)Richard van der Hoff2021-01-121-2/+3
| | | | | | | | | | | SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests", which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the LoggingContext and write the right entries to the request log). Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a SynapseRequest when there is nothing synapse-specific about the Request at all, and any old twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult. In short: move get_user_agent out to a utility function.
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-3/+15
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Combine the SSO Redirect Servlets (#9015)Richard van der Hoff2021-01-041-2/+84
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
* Use the SSO handler helpers for CAS registration/login. (#8856)Patrick Cloke2021-01-031-2/+2
|
* Refactor the CAS handler in prep for using the abstracted SSO code. (#8958)Patrick Cloke2020-12-181-2/+7
| | | | | | This makes the CAS handler look more like the SAML/OIDC handlers: * Render errors to users instead of throwing JSON errors. * Internal reorganization.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-8/+246
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Push login completion down into SsoHandler (#8941)Richard van der Hoff2020-12-161-22/+36
| | | This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` down into the `SsoHandler`.
* Refactor `SsoHandler.get_mxid_from_sso` (#8900)Richard van der Hoff2020-12-101-15/+42
| | | | | | | * Factor out _call_attribute_mapper and _register_mapped_user This is mostly an attempt to simplify `get_mxid_from_sso`. * Move mapping_lock down into SsoHandler.
* Simplify the flow for SSO UIA (#8881)Richard van der Hoff2020-12-081-8/+51
| | | | | | | | | * SsoHandler: remove inheritance from BaseHandler * Simplify the flow for SSO UIA We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.
* Fix a regression that mapping providers should be able to redirect users. ↵Patrick Cloke2020-12-041-5/+22
| | | | | (#8878) This was broken in #8801.
* Fix a regression when grandfathering SAML users. (#8855)Patrick Cloke2020-12-021-41/+19
| | | | | | This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-1/+154
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Improve logging of the mapping from SSO IDs to Matrix IDs. (#8773)Andrew Morgan2020-11-231-3/+9
|
* Abstract shared SSO code. (#8765)Patrick Cloke2020-11-171-0/+90
De-duplicates code between the SAML and OIDC implementations.