Add initial support for a "pick your IdP" page (#9017)

During login, if there are multiple IdPs enabled, offer the user a choice of
IdPs.
This commit is contained in:
Richard van der Hoff 2021-01-05 11:25:28 +00:00 committed by GitHub
parent d2c616a413
commit 111b673fc1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
11 changed files with 194 additions and 3 deletions

1
changelog.d/9017.feature Normal file
View File

@ -0,0 +1 @@
Add support for multiple SSO Identity Providers.

View File

@ -1909,6 +1909,31 @@ sso:
# #
# Synapse will look for the following templates in this directory: # Synapse will look for the following templates in this directory:
# #
# * HTML page to prompt the user to choose an Identity Provider during
# login: 'sso_login_idp_picker.html'.
#
# This is only used if multiple SSO Identity Providers are configured.
#
# When rendering, this template is given the following variables:
# * redirect_url: the URL that the user will be redirected to after
# login. Needs manual escaping (see
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
#
# * server_name: the homeserver's name.
#
# * providers: a list of available Identity Providers. Each element is
# an object with the following attributes:
# * idp_id: unique identifier for the IdP
# * idp_name: user-facing name for the IdP
#
# The rendered HTML page should contain a form which submits its results
# back as a GET request, with the following query parameters:
#
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
# to the template)
#
# * idp: the 'idp_id' of the chosen IDP.
#
# * HTML page for a confirmation step before redirecting back to the client # * HTML page for a confirmation step before redirecting back to the client
# with the login token: 'sso_redirect_confirm.html'. # with the login token: 'sso_redirect_confirm.html'.
# #

View File

@ -63,6 +63,7 @@ from synapse.rest import ClientRestResource
from synapse.rest.admin import AdminRestResource from synapse.rest.admin import AdminRestResource
from synapse.rest.health import HealthResource from synapse.rest.health import HealthResource
from synapse.rest.key.v2 import KeyApiV2Resource from synapse.rest.key.v2 import KeyApiV2Resource
from synapse.rest.synapse.client.pick_idp import PickIdpResource
from synapse.rest.synapse.client.pick_username import pick_username_resource from synapse.rest.synapse.client.pick_username import pick_username_resource
from synapse.rest.well_known import WellKnownResource from synapse.rest.well_known import WellKnownResource
from synapse.server import HomeServer from synapse.server import HomeServer
@ -194,6 +195,7 @@ class SynapseHomeServer(HomeServer):
"/.well-known/matrix/client": WellKnownResource(self), "/.well-known/matrix/client": WellKnownResource(self),
"/_synapse/admin": AdminRestResource(self), "/_synapse/admin": AdminRestResource(self),
"/_synapse/client/pick_username": pick_username_resource(self), "/_synapse/client/pick_username": pick_username_resource(self),
"/_synapse/client/pick_idp": PickIdpResource(self),
} }
) )

View File

@ -31,6 +31,7 @@ class SSOConfig(Config):
# Read templates from disk # Read templates from disk
( (
self.sso_login_idp_picker_template,
self.sso_redirect_confirm_template, self.sso_redirect_confirm_template,
self.sso_auth_confirm_template, self.sso_auth_confirm_template,
self.sso_error_template, self.sso_error_template,
@ -38,6 +39,7 @@ class SSOConfig(Config):
sso_auth_success_template, sso_auth_success_template,
) = self.read_templates( ) = self.read_templates(
[ [
"sso_login_idp_picker.html",
"sso_redirect_confirm.html", "sso_redirect_confirm.html",
"sso_auth_confirm.html", "sso_auth_confirm.html",
"sso_error.html", "sso_error.html",
@ -98,6 +100,31 @@ class SSOConfig(Config):
# #
# Synapse will look for the following templates in this directory: # Synapse will look for the following templates in this directory:
# #
# * HTML page to prompt the user to choose an Identity Provider during
# login: 'sso_login_idp_picker.html'.
#
# This is only used if multiple SSO Identity Providers are configured.
#
# When rendering, this template is given the following variables:
# * redirect_url: the URL that the user will be redirected to after
# login. Needs manual escaping (see
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
#
# * server_name: the homeserver's name.
#
# * providers: a list of available Identity Providers. Each element is
# an object with the following attributes:
# * idp_id: unique identifier for the IdP
# * idp_name: user-facing name for the IdP
#
# The rendered HTML page should contain a form which submits its results
# back as a GET request, with the following query parameters:
#
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
# to the template)
#
# * idp: the 'idp_id' of the chosen IDP.
#
# * HTML page for a confirmation step before redirecting back to the client # * HTML page for a confirmation step before redirecting back to the client
# with the login token: 'sso_redirect_confirm.html'. # with the login token: 'sso_redirect_confirm.html'.
# #

View File

@ -77,6 +77,9 @@ class CasHandler:
# identifier for the external_ids table # identifier for the external_ids table
self.idp_id = "cas" self.idp_id = "cas"
# user-facing name of this auth provider
self.idp_name = "CAS"
self._sso_handler = hs.get_sso_handler() self._sso_handler = hs.get_sso_handler()
self._sso_handler.register_identity_provider(self) self._sso_handler.register_identity_provider(self)

View File

@ -121,6 +121,9 @@ class OidcHandler(BaseHandler):
# identifier for the external_ids table # identifier for the external_ids table
self.idp_id = "oidc" self.idp_id = "oidc"
# user-facing name of this auth provider
self.idp_name = "OIDC"
self._sso_handler = hs.get_sso_handler() self._sso_handler = hs.get_sso_handler()
self._sso_handler.register_identity_provider(self) self._sso_handler.register_identity_provider(self)

View File

@ -75,6 +75,9 @@ class SamlHandler(BaseHandler):
# identifier for the external_ids table # identifier for the external_ids table
self.idp_id = "saml" self.idp_id = "saml"
# user-facing name of this auth provider
self.idp_name = "SAML"
# a map from saml session id to Saml2SessionData object # a map from saml session id to Saml2SessionData object
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData] self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]

View File

@ -14,7 +14,8 @@
# limitations under the License. # limitations under the License.
import abc import abc
import logging import logging
from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Optional from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Mapping, Optional
from urllib.parse import urlencode
import attr import attr
from typing_extensions import NoReturn, Protocol from typing_extensions import NoReturn, Protocol
@ -66,6 +67,11 @@ class SsoIdentityProvider(Protocol):
Eg, "saml", "cas", "github" Eg, "saml", "cas", "github"
""" """
@property
@abc.abstractmethod
def idp_name(self) -> str:
"""User-facing name for this provider"""
@abc.abstractmethod @abc.abstractmethod
async def handle_redirect_request( async def handle_redirect_request(
self, self,
@ -156,6 +162,10 @@ class SsoHandler:
assert p_id not in self._identity_providers assert p_id not in self._identity_providers
self._identity_providers[p_id] = p self._identity_providers[p_id] = p
def get_identity_providers(self) -> Mapping[str, SsoIdentityProvider]:
"""Get the configured identity providers"""
return self._identity_providers
def render_error( def render_error(
self, self,
request: Request, request: Request,
@ -203,8 +213,10 @@ class SsoHandler:
ap = next(iter(self._identity_providers.values())) ap = next(iter(self._identity_providers.values()))
return await ap.handle_redirect_request(request, client_redirect_url) return await ap.handle_redirect_request(request, client_redirect_url)
# otherwise, we have a configuration error # otherwise, redirect to the IDP picker
raise Exception("Multiple SSO identity providers have been configured!") return "/_synapse/client/pick_idp?" + urlencode(
(("redirectUrl", client_redirect_url),)
)
async def get_sso_user_by_remote_user_id( async def get_sso_user_by_remote_user_id(
self, auth_provider_id: str, remote_user_id: str self, auth_provider_id: str, remote_user_id: str

View File

@ -0,0 +1,28 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<link rel="stylesheet" href="/_matrix/static/client/login/style.css">
<title>{{server_name | e}} Login</title>
</head>
<body>
<div id="container">
<h1 id="title">{{server_name | e}} Login</h1>
<div class="login_flow">
<p>Choose one of the following identity providers:</p>
<form>
<input type="hidden" name="redirectUrl" value="{{redirect_url | e}}">
<ul class="radiobuttons">
{% for p in providers %}
<li>
<input type="radio" name="idp" id="prov{{loop.index}}" value="{{p.idp_id}}">
<label for="prov{{loop.index}}">{{p.idp_name | e}}</label>
</li>
{% endfor %}
</ul>
<input type="submit" class="button button--full-width" id="button-submit" value="Submit">
</form>
</div>
</div>
</body>
</html>

View File

@ -0,0 +1,82 @@
# -*- coding: utf-8 -*-
# Copyright 2021 The Matrix.org Foundation C.I.C.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
import logging
from typing import TYPE_CHECKING
from synapse.http.server import (
DirectServeHtmlResource,
finish_request,
respond_with_html,
)
from synapse.http.servlet import parse_string
from synapse.http.site import SynapseRequest
if TYPE_CHECKING:
from synapse.server import HomeServer
logger = logging.getLogger(__name__)
class PickIdpResource(DirectServeHtmlResource):
"""IdP picker resource.
This resource gets mounted under /_synapse/client/pick_idp. It serves an HTML page
which prompts the user to choose an Identity Provider from the list.
"""
def __init__(self, hs: "HomeServer"):
super().__init__()
self._sso_handler = hs.get_sso_handler()
self._sso_login_idp_picker_template = (
hs.config.sso.sso_login_idp_picker_template
)
self._server_name = hs.hostname
async def _async_render_GET(self, request: SynapseRequest) -> None:
client_redirect_url = parse_string(request, "redirectUrl", required=True)
idp = parse_string(request, "idp", required=False)
# if we need to pick an IdP, do so
if not idp:
return await self._serve_id_picker(request, client_redirect_url)
# otherwise, redirect to the IdP's redirect URI
providers = self._sso_handler.get_identity_providers()
auth_provider = providers.get(idp)
if not auth_provider:
logger.info("Unknown idp %r", idp)
self._sso_handler.render_error(
request, "unknown_idp", "Unknown identity provider ID"
)
return
sso_url = await auth_provider.handle_redirect_request(
request, client_redirect_url.encode("utf8")
)
logger.info("Redirecting to %s", sso_url)
request.redirect(sso_url)
finish_request(request)
async def _serve_id_picker(
self, request: SynapseRequest, client_redirect_url: str
) -> None:
# otherwise, serve up the IdP picker
providers = self._sso_handler.get_identity_providers()
html = self._sso_login_idp_picker_template.render(
redirect_url=client_redirect_url,
server_name=self._server_name,
providers=providers.values(),
)
respond_with_html(request, 200, html)

View File

@ -31,6 +31,11 @@ form {
margin: 10px 0 0 0; margin: 10px 0 0 0;
} }
ul.radiobuttons {
text-align: left;
list-style: none;
}
/* /*
* Add some padding to the viewport. * Add some padding to the viewport.
*/ */