summary refs log tree commit diff
path: root/synapse/handlers/sso.py (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Rename blacklist/whitelist internally. (#15620)Patrick Cloke2023-05-191-1/+1
| | | | Avoid renaming configuration settings for now and rename internal code to use blocklist and allowlist instead.
* Implement MSC4009 to widen the allowed Matrix ID grammar (#15536)Patrick Cloke2023-05-051-2/+4
| | | | | Behind a configuration flag this adds + to the list of allowed characters in Matrix IDs. The main feature this enables is using full E.164 phone numbers as Matrix IDs.
* Factor out an `is_mine_server_name` method (#15542)Sean Quah2023-05-051-1/+2
| | | | | | | | | | | | Add an `is_mine_server_name` method, similar to `is_mine_id`. Ideally we would use this consistently, instead of sometimes comparing against `hs.hostname` and other times reaching into `hs.config.server.server_name`. Also fix a bug in the tests where `hs.hostname` would sometimes differ from `hs.config.server.server_name`. Signed-off-by: Sean Quah <seanq@matrix.org>
* Add the ability to enable/disable registrations when in the OIDC flow (#14978)Warren Bailey2023-03-301-2/+15
| | | Signed-off-by: Warren Bailey <warren@warrenbailey.net>
* Use StrCollection in place of Collection[str] in (most) handlers code. (#14922)Patrick Cloke2023-01-261-4/+5
| | | | Due to the increased safety of StrCollection over Collection[str] and Sequence[str].
* Add support for handling avatar with SSO login (#13917)Ashish Kumar2022-11-251-0/+111
| | | | | | | | This commit adds support for handling a provided avatar picture URL when logging in via SSO. Signed-off-by: Ashish Kumar <ashfame@users.noreply.github.com> Fixes #9357.
* Add a type hint for `get_device_handler()` and fix incorrect types. (#14055)Patrick Cloke2022-11-221-0/+9
| | | | | This was the last untyped handler from the HomeServer object. Since it was being treated as Any (and thus unchecked) it was being used incorrectly in a few places.
* Support OIDC backchannel logouts (#11414)Quentin Gliech2022-10-311-0/+71
| | | | | | | If configured an OIDC IdP can log a user's session out of Synapse when they log out of the identity provider. The IdP sends a request directly to Synapse (and must be configured with an endpoint) when a user logs out.
* Implementation of HTTP 307 response for MSC3886 POST endpoint (#14018)Hugh Nimmo-Smith2022-10-181-1/+1
| | | | Co-authored-by: reivilibre <olivier@librepush.net> Co-authored-by: Andrew Morgan <andrewm@element.io>
* Carry IdP Session IDs through user-mapping sessions. (#13839)Quentin Gliech2022-09-271-0/+9
| | | Since #11482, we're saving sessions IDs from upstream IdPs, but we've been losing them when the user goes through a user mapping session on account registration.
* Correct documentation for map_user_attributes of OpenID Mapping Providers ↵Peter Scheu2022-09-211-0/+3
| | | | | (#13836) Co-authored-by: David Robertson <davidr@element.io>
* Use `getClientAddress` instead of `getClientIP`. (#12599)Patrick Cloke2022-05-041-2/+2
| | | | | getClientIP was deprecated in Twisted 18.4.0, which also added getClientAddress. The Synapse minimum version for Twisted is currently 18.9.0, so all supported versions have the new API.
* Refactor and convert `Linearizer` to async (#12357)Sean Quah2022-04-051-1/+1
| | | | | | | | | | | Refactor and convert `Linearizer` to async. This makes a `Linearizer` cancellation bug easier to fix. Also refactor to use an async context manager, which eliminates an unlikely footgun where code that doesn't immediately use the context manager could forget to release the lock. Signed-off-by: Sean Quah <seanq@element.io>
* Update the SSO username picker template to comply with SIWA guidelines (#12210)Brendan Abolivier2022-03-111-3/+5
| | | Fixes https://github.com/matrix-org/synapse/issues/12205
* Remove `HomeServer.get_datastore()` (#12031)Richard van der Hoff2022-02-231-1/+1
| | | | | | | The presence of this method was confusing, and mostly present for backwards compatibility. Let's get rid of it. Part of #11733
* Use auto_attribs/native type hints for attrs classes. (#11692)Patrick Cloke2022-01-131-16/+16
|
* Save the OIDC session ID (sid) with the device on login (#11482)Quentin Gliech2021-12-061-0/+4
| | | As a step towards allowing back-channel logout for OIDC.
* Use direct references for configuration variables (part 5). (#10897)Patrick Cloke2021-09-241-4/+6
|
* Require type hints in the handlers module. (#10831)Patrick Cloke2021-09-201-3/+3
| | | | | | | Adds missing type hints to methods in the synapse.handlers module and requires all methods to have type hints there. This also removes the unused construct_auth_difference method from the FederationHandler.
* Ask consent on SSO registration with default mxid (#10733)AndrewFerr2021-09-101-21/+60
| | | | | | Fixes #10732: consent flow skipped during SSO user registration if username is left at default Signed-off-by: Andrew Ferrazzutti fair@miscworks.net
* Remove unstable MSC2858 API, including `experimental.msc2858_enabled` config ↵Sean2021-09-091-5/+0
| | | | | option (#10693) Signed-off-by: Sean Quah <seanq@element.io>
* Correctly initialise the `synapse_user_logins` metric. (#10677)Richard van der Hoff2021-08-241-0/+2
| | | | | Fix a bug where the prometheus metrics for SSO logins wouldn't be initialised until the first user logged in with a given auth provider.
* Use inline type hints in `handlers/` and `rest/`. (#10382)Jonathan de Jong2021-07-161-6/+6
|
* Implement config option `sso.update_profile_information` (#10108)jkanefendt2021-06-211-1/+24
| | | | | | Implemented config option sso.update_profile_information to keep user's display name in sync with the SSO displayname. Signed-off-by: Johannes Kanefendt <johannes.kanefendt@krzn.de>
* Remove `synapse.types.Collection` (#9856)Richard van der Hoff2021-04-221-1/+2
| | | This is no longer required, since we have dropped support for Python 3.5.
* Remove redundant "coding: utf-8" lines (#9786)Jonathan de Jong2021-04-141-1/+0
| | | | | | | Part of #9744 Removes all redundant `# -*- coding: utf-8 -*-` lines from files, as python 3 automatically reads source code as utf-8 now. `Signed-off-by: Jonathan de Jong <jonathan@automatia.nl>`
* Add support for stable MSC2858 API (#9617)Richard van der Hoff2021-03-161-0/+5
| | | | | The stable format uses different brand identifiers, so we need to support two identifiers for each IdP.
* Prometheus metrics for logins and registrations (#9511)Richard van der Hoff2021-03-041-0/+1
| | | Add prom metrics for number of users successfully registering and logging in, by SSO provider.
* Record the SSO Auth Provider in the login token (#9510)Richard van der Hoff2021-03-041-0/+2
| | | This great big stack of commits is a a whole load of hoop-jumping to make it easier to store additional values in login tokens, and then to actually store the SSO Identity Provider in the login token. (Making use of that data will follow in a subsequent PR.)
* Use the proper Request in type hints. (#9515)Patrick Cloke2021-03-011-1/+1
| | | | This also pins the Twisted version in the mypy job for CI until proper type hints are fixed throughout Synapse.
* Update black, and run auto formatting over the codebase (#9381)Eric Eastwood2021-02-161-7/+15
| | | | | | | - Update black version to the latest - Run black auto formatting over the codebase - Run autoformatting according to [`docs/code_style.md `](https://github.com/matrix-org/synapse/blob/80d6dc9783aa80886a133756028984dbf8920168/docs/code_style.md) - Update `code_style.md` docs around installing black to use the correct version
* Combine the CAS & SAML implementations for required attributes. (#9326)Patrick Cloke2021-02-111-0/+71
|
* Fix formatting for "bad session" error during sso registration flow (#9296)Richard van der Hoff2021-02-031-3/+16
|
* Collect terms consent from the user during SSO registration (#9276)Richard van der Hoff2021-02-011-0/+44
|
* Make importing display name and email optional (#9277)Richard van der Hoff2021-02-011-8/+44
|
* Replace username picker with a template (#9275)Richard van der Hoff2021-02-011-1/+1
| | | | | There's some prelimiary work here to pull out the construction of a jinja environment to a separate function. I wanted to load the template at display time rather than load time, so that it's easy to update on the fly. Honestly, I think we should do this with all our templates: the risk of ending up with malformed templates is far outweighed by the improved turnaround time for an admin trying to update them.
* Improve styling and wording of SSO redirect confirm template (#9272)Richard van der Hoff2021-02-011-1/+9
|
* Split out a separate endpoint to complete SSO registration (#9262)Richard van der Hoff2021-02-011-15/+66
| | | There are going to be a couple of paths to get to the final step of SSO reg, and I want the URL in the browser to consistent. So, let's move the final step onto a separate path, which we redirect to.
* Add 'brand' field to MSC2858 response (#9242)Richard van der Hoff2021-01-271-0/+5
| | | | | | We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
* Implement MSC2858 support (#9183)Richard van der Hoff2021-01-271-5/+18
| | | Fixes #8928.
* Support icons for Identity Providers (#9154)Richard van der Hoff2021-01-201-0/+5
|
* Move `complete_sso_ui_auth` into SSOHandlerRichard van der Hoff2021-01-131-3/+13
| | | | | since we're hacking on this code anyway, may as well move it out of the cluttered AuthHandler.
* Give the user a better error when they present bad SSO credsRichard van der Hoff2021-01-131-5/+28
| | | | | | | | | If a user tries to do UI Auth via SSO, but uses the wrong account on the SSO IdP, try to give them a better error. Previously, the UIA would claim to be successful, but then the operation in question would simply fail with "auth fail". Instead, serve up an error page which explains the failure.
* UI Auth via SSO: redirect the user to an appropriate SSO. (#9081)Richard van der Hoff2021-01-121-0/+31
| | | | | | | If we have integrations with multiple identity providers, when the user does a UI Auth, we need to redirect them to the right one. There are a few steps to this. First of all we actually need to store the userid of the user we are trying to validate in the UIA session, since the /auth/sso/fallback/web request is unauthenticated. Then, once we get the /auth/sso/fallback/web request, we can fish the user id out of the session, and use it to look up the external id mappings, and hence pick an SSO provider for them.
* Remove SynapseRequest.get_user_agent (#9069)Richard van der Hoff2021-01-121-2/+3
| | | | | | | | | | | SynapseRequest is in danger of becoming a bit of a dumping-ground for "useful stuff relating to Requests", which isn't really its intention (its purpose is to override render, finished and connectionLost to set up the LoggingContext and write the right entries to the request log). Putting utility functions inside SynapseRequest means that lots of our code ends up requiring a SynapseRequest when there is nothing synapse-specific about the Request at all, and any old twisted.web.iweb.IRequest will do. This increases code coupling and makes testing more difficult. In short: move get_user_agent out to a utility function.
* Add initial support for a "pick your IdP" page (#9017)Richard van der Hoff2021-01-051-3/+15
| | | | | During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
* Combine the SSO Redirect Servlets (#9015)Richard van der Hoff2021-01-041-2/+84
| | | | | | | | | | | | | | | | | | | | | | | | | | | * Implement CasHandler.handle_redirect_request ... to make it match OidcHandler and SamlHandler * Clean up interface for OidcHandler.handle_redirect_request Make it accept `client_redirect_url=None`. * Clean up interface for `SamlHandler.handle_redirect_request` ... bring it into line with CAS and OIDC by making it take a Request parameter, move the magic for `client_redirect_url` for UIA into the handler, and fix the return type to be a `str` rather than a `bytes`. * Define a common protocol for SSO auth provider impls * Give SsoIdentityProvider an ID and register them * Combine the SSO Redirect servlets Now that the SsoHandler knows about the identity providers, we can combine the various *RedirectServlets into a single implementation which delegates to the right IdP. * changelog
* Use the SSO handler helpers for CAS registration/login. (#8856)Patrick Cloke2021-01-031-2/+2
|
* Refactor the CAS handler in prep for using the abstracted SSO code. (#8958)Patrick Cloke2020-12-181-2/+7
| | | | | | This makes the CAS handler look more like the SAML/OIDC handlers: * Render errors to users instead of throwing JSON errors. * Internal reorganization.
* Implement a username picker for synapse (#8942)Richard van der Hoff2020-12-181-8/+246
| | | | | | | | | | | | | | The final part (for now) of my work to implement a username picker in synapse itself. The idea is that we allow `UsernameMappingProvider`s to return `localpart=None`, in which case, rather than redirecting the browser back to the client, we redirect to a username-picker resource, which allows the user to enter a username. We *then* complete the SSO flow (including doing the client permission checks). The static resources for the username picker itself (in https://github.com/matrix-org/synapse/tree/rav/username_picker/synapse/res/username_picker) are essentially lifted wholesale from https://github.com/matrix-org/matrix-synapse-saml-mozilla/tree/master/matrix_synapse_saml_mozilla/res. As the comment says, we might want to think about making them customisable, but that can be a follow-up. Fixes #8876.
* Push login completion down into SsoHandler (#8941)Richard van der Hoff2020-12-161-22/+36
| | | This is another part of my work towards fixing #8876. It moves some of the logic currently in the SAML and OIDC handlers - in particular the call to `AuthHandler.complete_sso_login` down into the `SsoHandler`.
* Refactor `SsoHandler.get_mxid_from_sso` (#8900)Richard van der Hoff2020-12-101-15/+42
| | | | | | | * Factor out _call_attribute_mapper and _register_mapped_user This is mostly an attempt to simplify `get_mxid_from_sso`. * Move mapping_lock down into SsoHandler.
* Simplify the flow for SSO UIA (#8881)Richard van der Hoff2020-12-081-8/+51
| | | | | | | | | * SsoHandler: remove inheritance from BaseHandler * Simplify the flow for SSO UIA We don't need to do all the magic for mapping users when we are doing UIA, so let's factor that out.
* Fix a regression that mapping providers should be able to redirect users. ↵Patrick Cloke2020-12-041-5/+22
| | | | | (#8878) This was broken in #8801.
* Fix a regression when grandfathering SAML users. (#8855)Patrick Cloke2020-12-021-41/+19
| | | | | | This was broken in #8801 when abstracting code shared with OIDC. After this change both SAML and OIDC have a concept of grandfathering users, but with different implementations.
* Support trying multiple localparts for OpenID Connect. (#8801)Patrick Cloke2020-11-251-1/+154
| | | | Abstracts the SAML and OpenID Connect code which attempts to regenerate the localpart of a matrix ID if it is already in use.
* Improve logging of the mapping from SSO IDs to Matrix IDs. (#8773)Andrew Morgan2020-11-231-3/+9
|
* Abstract shared SSO code. (#8765)Patrick Cloke2020-11-171-0/+90
De-duplicates code between the SAML and OIDC implementations.