UI Auth via SSO: redirect the user to an appropriate SSO. (#9081)
If we have integrations with multiple identity providers, when the user does a UI Auth, we need to redirect them to the right one. There are a few steps to this. First of all we actually need to store the userid of the user we are trying to validate in the UIA session, since the /auth/sso/fallback/web request is unauthenticated. Then, once we get the /auth/sso/fallback/web request, we can fish the user id out of the session, and use it to look up the external id mappings, and hence pick an SSO provider for them.
This commit is contained in:
parent
723b19748a
commit
789d9ebad3
7 changed files with 133 additions and 60 deletions
|
@ -20,9 +20,6 @@ from http import HTTPStatus
|
|||
from typing import TYPE_CHECKING
|
||||
from urllib.parse import urlparse
|
||||
|
||||
if TYPE_CHECKING:
|
||||
from synapse.app.homeserver import HomeServer
|
||||
|
||||
from synapse.api.constants import LoginType
|
||||
from synapse.api.errors import (
|
||||
Codes,
|
||||
|
@ -31,6 +28,7 @@ from synapse.api.errors import (
|
|||
ThreepidValidationError,
|
||||
)
|
||||
from synapse.config.emailconfig import ThreepidBehaviour
|
||||
from synapse.handlers.ui_auth import UIAuthSessionDataConstants
|
||||
from synapse.http.server import finish_request, respond_with_html
|
||||
from synapse.http.servlet import (
|
||||
RestServlet,
|
||||
|
@ -46,6 +44,10 @@ from synapse.util.threepids import canonicalise_email, check_3pid_allowed
|
|||
|
||||
from ._base import client_patterns, interactive_auth_handler
|
||||
|
||||
if TYPE_CHECKING:
|
||||
from synapse.app.homeserver import HomeServer
|
||||
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
|
@ -200,7 +202,9 @@ class PasswordRestServlet(RestServlet):
|
|||
if new_password:
|
||||
password_hash = await self.auth_handler.hash(new_password)
|
||||
await self.auth_handler.set_session_data(
|
||||
e.session_id, "password_hash", password_hash
|
||||
e.session_id,
|
||||
UIAuthSessionDataConstants.PASSWORD_HASH,
|
||||
password_hash,
|
||||
)
|
||||
raise
|
||||
user_id = requester.user.to_string()
|
||||
|
@ -222,7 +226,9 @@ class PasswordRestServlet(RestServlet):
|
|||
if new_password:
|
||||
password_hash = await self.auth_handler.hash(new_password)
|
||||
await self.auth_handler.set_session_data(
|
||||
e.session_id, "password_hash", password_hash
|
||||
e.session_id,
|
||||
UIAuthSessionDataConstants.PASSWORD_HASH,
|
||||
password_hash,
|
||||
)
|
||||
raise
|
||||
|
||||
|
@ -255,7 +261,7 @@ class PasswordRestServlet(RestServlet):
|
|||
password_hash = await self.auth_handler.hash(new_password)
|
||||
elif session_id is not None:
|
||||
password_hash = await self.auth_handler.get_session_data(
|
||||
session_id, "password_hash", None
|
||||
session_id, UIAuthSessionDataConstants.PASSWORD_HASH, None
|
||||
)
|
||||
else:
|
||||
# UI validation was skipped, but the request did not include a new
|
||||
|
|
|
@ -19,7 +19,6 @@ from typing import TYPE_CHECKING
|
|||
from synapse.api.constants import LoginType
|
||||
from synapse.api.errors import SynapseError
|
||||
from synapse.api.urls import CLIENT_API_PREFIX
|
||||
from synapse.handlers.sso import SsoIdentityProvider
|
||||
from synapse.http.server import respond_with_html
|
||||
from synapse.http.servlet import RestServlet, parse_string
|
||||
|
||||
|
@ -46,22 +45,6 @@ class AuthRestServlet(RestServlet):
|
|||
self.auth = hs.get_auth()
|
||||
self.auth_handler = hs.get_auth_handler()
|
||||
self.registration_handler = hs.get_registration_handler()
|
||||
|
||||
# SSO configuration.
|
||||
self._cas_enabled = hs.config.cas_enabled
|
||||
if self._cas_enabled:
|
||||
self._cas_handler = hs.get_cas_handler()
|
||||
self._cas_server_url = hs.config.cas_server_url
|
||||
self._cas_service_url = hs.config.cas_service_url
|
||||
self._saml_enabled = hs.config.saml2_enabled
|
||||
if self._saml_enabled:
|
||||
self._saml_handler = hs.get_saml_handler()
|
||||
self._oidc_enabled = hs.config.oidc_enabled
|
||||
if self._oidc_enabled:
|
||||
self._oidc_handler = hs.get_oidc_handler()
|
||||
self._cas_server_url = hs.config.cas_server_url
|
||||
self._cas_service_url = hs.config.cas_service_url
|
||||
|
||||
self.recaptcha_template = hs.config.recaptcha_template
|
||||
self.terms_template = hs.config.terms_template
|
||||
self.success_template = hs.config.fallback_success_template
|
||||
|
@ -90,21 +73,7 @@ class AuthRestServlet(RestServlet):
|
|||
elif stagetype == LoginType.SSO:
|
||||
# Display a confirmation page which prompts the user to
|
||||
# re-authenticate with their SSO provider.
|
||||
|
||||
if self._cas_enabled:
|
||||
sso_auth_provider = self._cas_handler # type: SsoIdentityProvider
|
||||
elif self._saml_enabled:
|
||||
sso_auth_provider = self._saml_handler
|
||||
elif self._oidc_enabled:
|
||||
sso_auth_provider = self._oidc_handler
|
||||
else:
|
||||
raise SynapseError(400, "Homeserver not configured for SSO.")
|
||||
|
||||
sso_redirect_url = await sso_auth_provider.handle_redirect_request(
|
||||
request, None, session
|
||||
)
|
||||
|
||||
html = await self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
|
||||
html = await self.auth_handler.start_sso_ui_auth(request, session)
|
||||
|
||||
else:
|
||||
raise SynapseError(404, "Unknown auth stage type")
|
||||
|
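Review bot: The `else: raise SynapseError(400, "Homeserver not configured for SSO.")` guard is removed together with the provider selection in the `@ -90,21 +73,7` hunk, so `self.auth_handler.start_sso_ui_auth(request, session)` is now solely responsible both for rejecting a homeserver with no SSO provider and for choosing a provider for a user it identifies only through the UIA session; per the commit description this fallback endpoint is unauthenticated, so the `session` id taken from the request is the only thing binding this page to a user. A comment at the call site would make that contract explicit, e.g. `# The user is identified only by the UIA session: start_sso_ui_auth looks up the user id stored in it to pick the SSO provider, and must fail cleanly when no provider is configured.` The line counts of the `@ -19,7 +19,6` hunk suggest the `from synapse.handlers.sso import SsoIdentityProvider` import is the line removed there, consistent with the `# type: SsoIdentityProvider` comment going away; if it survives it is now unused. The enclosing method of the second hunk starts and ends outside the hunk.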
|
|
@ -38,6 +38,7 @@ from synapse.config.ratelimiting import FederationRateLimitConfig
|
|||
from synapse.config.registration import RegistrationConfig
|
||||
from synapse.config.server import is_threepid_reserved
|
||||
from synapse.handlers.auth import AuthHandler
|
||||
from synapse.handlers.ui_auth import UIAuthSessionDataConstants
|
||||
from synapse.http.server import finish_request, respond_with_html
|
||||
from synapse.http.servlet import (
|
||||
RestServlet,
|
||||
|
@ -494,11 +495,11 @@ class RegisterRestServlet(RestServlet):
|
|||
# user here. We carry on and go through the auth checks though,
|
||||
# for paranoia.
|
||||
registered_user_id = await self.auth_handler.get_session_data(
|
||||
session_id, "registered_user_id", None
|
||||
session_id, UIAuthSessionDataConstants.REGISTERED_USER_ID, None
|
||||
)
|
||||
# Extract the previously-hashed password from the session.
|
||||
password_hash = await self.auth_handler.get_session_data(
|
||||
session_id, "password_hash", None
|
||||
session_id, UIAuthSessionDataConstants.PASSWORD_HASH, None
|
||||
)
|
||||
|
||||
# Ensure that the username is valid.
|
||||
|
@ -528,7 +529,9 @@ class RegisterRestServlet(RestServlet):
|
|||
if not password_hash and password:
|
||||
password_hash = await self.auth_handler.hash(password)
|
||||
await self.auth_handler.set_session_data(
|
||||
e.session_id, "password_hash", password_hash
|
||||
e.session_id,
|
||||
UIAuthSessionDataConstants.PASSWORD_HASH,
|
||||
password_hash,
|
||||
)
|
||||
raise
|
||||
|
||||
|
@ -629,7 +632,9 @@ class RegisterRestServlet(RestServlet):
|
|||
# Remember that the user account has been registered (and the user
|
||||
# ID it was registered with, since it might not have been specified).
|
||||
await self.auth_handler.set_session_data(
|
||||
session_id, "registered_user_id", registered_user_id
|
||||
session_id,
|
||||
UIAuthSessionDataConstants.REGISTERED_USER_ID,
|
||||
registered_user_id,
|
||||
)
|
||||
|
||||
registered = True
|
||||
|
|