path: root/synapse/handlers/sso.py

Commit log (each entry: subject, then author, date, files changed, lines removed/added, then the commit message body):
* Implement MSC2858 support (#9183)
  Richard van der Hoff, 2021-01-27, 1 file, -5/+18
  Fixes #8928.

* Support icons for Identity Providers (#9154)
  Richard van der Hoff, 2021-01-20, 1 file, -0/+5

* Move `complete_sso_ui_auth` into SSOHandler
  Richard van der Hoff, 2021-01-13, 1 file, -3/+13
  Since we're hacking on this code anyway, may as well move it out of the cluttered AuthHandler.

* Give the user a better error when they present bad SSO creds
  Richard van der Hoff, 2021-01-13, 1 file, -5/+28
  If a user tries to do UI Auth via SSO, but uses the wrong account on the SSO IdP, try to give them a better error. Previously, the UIA would claim to be successful, but then the operation in question would simply fail with "auth fail". Instead, serve up an error page which explains the failure.

* UI Auth via SSO: redirect the user to an appropriate SSO. (#9081)
  Richard van der Hoff, 2021-01-12, 1 file, -0/+31
  If we have integrations with multiple identity providers, when the user does a UI Auth, we need to redirect them to the right one. There are a few steps to this. First of all we actually need to store the userid of the user we are trying to validate in the UIA session, since the /auth/sso/fallback/web request is unauthenticated. Then, once we get the /auth/sso/fallback/web request, we can fish the user id out of the session, and use it to look up the external id mappings, and hence pick an SSO provider for them.

* Remove SynapseRequest.get_user_agent (#9069)
  Richard van der Hoff, 2021-01-12, 1 file, -2/+3
  SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests", which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the LoggingContext and write the right entries to the request log). Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a SynapseRequest when there is nothing synapse-specific about the Request at all, and any old twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult. In short: move get_user_agent out to a utility function.

* Add initial support for a "pick your IdP" page (#9017)
  Richard van der Hoff, 2021-01-05, 1 file, -3/+15
  During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.

* Combine the SSO Redirect Servlets (#9015)
  Richard van der Hoff, 2021-01-04, 1 file, -2/+84
  - Implement CasHandler.handle_redirect_request
    ... to make it match OidcHandler and SamlHandler
  - Clean up interface for OidcHandler.handle_redirect_request
    Make it accept `client_redirect_url=None`.
  - Clean up interface for `SamlHandler.handle_redirect_request`
    ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`.
  - Define a common protocol for SSO auth provider impls
  - Give SsoIdentityProvider an ID and register them
  - Combine the SSO Redirect servlets
    Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP.
  - changelog

* Use the SSO handler helpers for CAS registration/login. (#8856)
  Patrick Cloke, 2021-01-03, 1 file, -2/+2

* Refactor the CAS handler in prep for using the abstracted SSO code. (#8958)
  Patrick Cloke, 2020-12-18, 1 file, -2/+7
  This makes the CAS handler look more like the SAML/OIDC handlers:
  - Render errors to users instead of throwing JSON errors.
  - Internal reorganization.

* Implement a username picker for synapse (#8942)
  Richard van der Hoff, 2020-12-18, 1 file, -8/+246
  The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up.
  Fixes #8876.

* Push login completion down into SsoHandler (#8941)
  Richard van der Hoff, 2020-12-16, 1 file, -22/+36
  This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` - down into the `SsoHandler`.

* Refactor `SsoHandler.get_mxid_from_sso` (#8900)
  Richard van der Hoff, 2020-12-10, 1 file, -15/+42
  - Factor out _call_attribute_mapper and _register_mapped_user
    This is mostly an attempt to simplify `get_mxid_from_sso`.
  - Move mapping_lock down into SsoHandler.

* Simplify the flow for SSO UIA (#8881)
  Richard van der Hoff, 2020-12-08, 1 file, -8/+51
  - SsoHandler: remove inheritance from BaseHandler
  - Simplify the flow for SSO UIA
    We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.

* Fix a regression that mapping providers should be able to redirect users. (#8878)
  Patrick Cloke, 2020-12-04, 1 file, -5/+22
  This was broken in #8801.

* Fix a regression when grandfathering SAML users. (#8855)
  Patrick Cloke, 2020-12-02, 1 file, -41/+19
  This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.

* Support trying multiple localparts for OpenID Connect. (#8801)
  Patrick Cloke, 2020-11-25, 1 file, -1/+154
  Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.

* Improve logging of the mapping from SSO IDs to Matrix IDs. (#8773)
  Andrew Morgan, 2020-11-23, 1 file, -3/+9

* Abstract shared SSO code. (#8765)
  Patrick Cloke, 2020-11-17, 1 file, -0/+90
  De-duplicates code between the SAML and OIDC implementations.