mirror of
https://git.anonymousland.org/anonymousland/synapse-product.git
synced 2024-10-01 08:25:44 -04:00
Add 'brand' field to MSC2858 response (#9242)
We've decided to add a 'brand' field to help clients decide how to style the buttons. Also, fix up the allowed characters for idp_id, while I'm in the area.
This commit is contained in:
parent
869667760f
commit
a083aea396
@ -1 +1 @@
|
|||||||
Add experimental support for allowing clients to pick an SSO Identity Provider ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858).
|
Add experimental support for allowing clients to pick an SSO Identity Provider ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858)).
|
||||||
|
1
changelog.d/9242.feature
Normal file
1
changelog.d/9242.feature
Normal file
@ -0,0 +1 @@
|
|||||||
|
Add experimental support for allowing clients to pick an SSO Identity Provider ([MSC2858](https://github.com/matrix-org/matrix-doc/pull/2858)).
|
@ -225,6 +225,7 @@ Synapse config:
|
|||||||
oidc_providers:
|
oidc_providers:
|
||||||
- idp_id: github
|
- idp_id: github
|
||||||
idp_name: Github
|
idp_name: Github
|
||||||
|
idp_brand: "org.matrix.github" # optional: styling hint for clients
|
||||||
discover: false
|
discover: false
|
||||||
issuer: "https://github.com/"
|
issuer: "https://github.com/"
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
@ -250,6 +251,7 @@ oidc_providers:
|
|||||||
oidc_providers:
|
oidc_providers:
|
||||||
- idp_id: google
|
- idp_id: google
|
||||||
idp_name: Google
|
idp_name: Google
|
||||||
|
idp_brand: "org.matrix.google" # optional: styling hint for clients
|
||||||
issuer: "https://accounts.google.com/"
|
issuer: "https://accounts.google.com/"
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
@ -296,6 +298,7 @@ Synapse config:
|
|||||||
oidc_providers:
|
oidc_providers:
|
||||||
- idp_id: gitlab
|
- idp_id: gitlab
|
||||||
idp_name: Gitlab
|
idp_name: Gitlab
|
||||||
|
idp_brand: "org.matrix.gitlab" # optional: styling hint for clients
|
||||||
issuer: "https://gitlab.com/"
|
issuer: "https://gitlab.com/"
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
@ -1727,10 +1727,14 @@ saml2_config:
|
|||||||
# offer the user a choice of login mechanisms.
|
# offer the user a choice of login mechanisms.
|
||||||
#
|
#
|
||||||
# idp_icon: An optional icon for this identity provider, which is presented
|
# idp_icon: An optional icon for this identity provider, which is presented
|
||||||
# by identity picker pages. If given, must be an MXC URI of the format
|
# by clients and Synapse's own IdP picker page. If given, must be an
|
||||||
# mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
|
# MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
|
||||||
# is to upload an image to an (unencrypted) room and then copy the "url"
|
# obtain such an MXC URI is to upload an image to an (unencrypted) room
|
||||||
# from the source of the event.)
|
# and then copy the "url" from the source of the event.)
|
||||||
|
#
|
||||||
|
# idp_brand: An optional brand for this identity provider, allowing clients
|
||||||
|
# to style the login flow according to the identity provider in question.
|
||||||
|
# See the spec for possible options here.
|
||||||
#
|
#
|
||||||
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
||||||
# to discover endpoints. Defaults to true.
|
# to discover endpoints. Defaults to true.
|
||||||
@ -1860,6 +1864,7 @@ oidc_providers:
|
|||||||
#
|
#
|
||||||
#- idp_id: github
|
#- idp_id: github
|
||||||
# idp_name: Github
|
# idp_name: Github
|
||||||
|
# idp_brand: org.matrix.github
|
||||||
# discover: false
|
# discover: false
|
||||||
# issuer: "https://github.com/"
|
# issuer: "https://github.com/"
|
||||||
# client_id: "your-client-id" # TO BE FILLED
|
# client_id: "your-client-id" # TO BE FILLED
|
||||||
|
@ -14,7 +14,6 @@
|
|||||||
# See the License for the specific language governing permissions and
|
# See the License for the specific language governing permissions and
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import string
|
|
||||||
from collections import Counter
|
from collections import Counter
|
||||||
from typing import Iterable, Optional, Tuple, Type
|
from typing import Iterable, Optional, Tuple, Type
|
||||||
|
|
||||||
@ -79,10 +78,14 @@ class OIDCConfig(Config):
|
|||||||
# offer the user a choice of login mechanisms.
|
# offer the user a choice of login mechanisms.
|
||||||
#
|
#
|
||||||
# idp_icon: An optional icon for this identity provider, which is presented
|
# idp_icon: An optional icon for this identity provider, which is presented
|
||||||
# by identity picker pages. If given, must be an MXC URI of the format
|
# by clients and Synapse's own IdP picker page. If given, must be an
|
||||||
# mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
|
# MXC URI of the format mxc://<server-name>/<media-id>. (An easy way to
|
||||||
# is to upload an image to an (unencrypted) room and then copy the "url"
|
# obtain such an MXC URI is to upload an image to an (unencrypted) room
|
||||||
# from the source of the event.)
|
# and then copy the "url" from the source of the event.)
|
||||||
|
#
|
||||||
|
# idp_brand: An optional brand for this identity provider, allowing clients
|
||||||
|
# to style the login flow according to the identity provider in question.
|
||||||
|
# See the spec for possible options here.
|
||||||
#
|
#
|
||||||
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
# discover: set to 'false' to disable the use of the OIDC discovery mechanism
|
||||||
# to discover endpoints. Defaults to true.
|
# to discover endpoints. Defaults to true.
|
||||||
@ -212,6 +215,7 @@ class OIDCConfig(Config):
|
|||||||
#
|
#
|
||||||
#- idp_id: github
|
#- idp_id: github
|
||||||
# idp_name: Github
|
# idp_name: Github
|
||||||
|
# idp_brand: org.matrix.github
|
||||||
# discover: false
|
# discover: false
|
||||||
# issuer: "https://github.com/"
|
# issuer: "https://github.com/"
|
||||||
# client_id: "your-client-id" # TO BE FILLED
|
# client_id: "your-client-id" # TO BE FILLED
|
||||||
@ -235,11 +239,22 @@ OIDC_PROVIDER_CONFIG_SCHEMA = {
|
|||||||
"type": "object",
|
"type": "object",
|
||||||
"required": ["issuer", "client_id", "client_secret"],
|
"required": ["issuer", "client_id", "client_secret"],
|
||||||
"properties": {
|
"properties": {
|
||||||
# TODO: fix the maxLength here depending on what MSC2528 decides
|
"idp_id": {
|
||||||
# remember that we prefix the ID given here with `oidc-`
|
"type": "string",
|
||||||
"idp_id": {"type": "string", "minLength": 1, "maxLength": 128},
|
"minLength": 1,
|
||||||
|
# MSC2858 allows a maxlen of 255, but we prefix with "oidc-"
|
||||||
|
"maxLength": 250,
|
||||||
|
"pattern": "^[A-Za-z0-9._~-]+$",
|
||||||
|
},
|
||||||
"idp_name": {"type": "string"},
|
"idp_name": {"type": "string"},
|
||||||
"idp_icon": {"type": "string"},
|
"idp_icon": {"type": "string"},
|
||||||
|
"idp_brand": {
|
||||||
|
"type": "string",
|
||||||
|
# MSC2758-style namespaced identifier
|
||||||
|
"minLength": 1,
|
||||||
|
"maxLength": 255,
|
||||||
|
"pattern": "^[a-z][a-z0-9_.-]*$",
|
||||||
|
},
|
||||||
"discover": {"type": "boolean"},
|
"discover": {"type": "boolean"},
|
||||||
"issuer": {"type": "string"},
|
"issuer": {"type": "string"},
|
||||||
"client_id": {"type": "string"},
|
"client_id": {"type": "string"},
|
||||||
@ -358,25 +373,8 @@ def _parse_oidc_config_dict(
|
|||||||
config_path + ("user_mapping_provider", "module"),
|
config_path + ("user_mapping_provider", "module"),
|
||||||
)
|
)
|
||||||
|
|
||||||
# MSC2858 will apply certain limits in what can be used as an IdP id, so let's
|
|
||||||
# enforce those limits now.
|
|
||||||
# TODO: factor out this stuff to a generic function
|
|
||||||
idp_id = oidc_config.get("idp_id", "oidc")
|
idp_id = oidc_config.get("idp_id", "oidc")
|
||||||
|
|
||||||
# TODO: update this validity check based on what MSC2858 decides.
|
|
||||||
valid_idp_chars = set(string.ascii_lowercase + string.digits + "-._")
|
|
||||||
|
|
||||||
if any(c not in valid_idp_chars for c in idp_id):
|
|
||||||
raise ConfigError(
|
|
||||||
'idp_id may only contain a-z, 0-9, "-", ".", "_"',
|
|
||||||
config_path + ("idp_id",),
|
|
||||||
)
|
|
||||||
|
|
||||||
if idp_id[0] not in string.ascii_lowercase:
|
|
||||||
raise ConfigError(
|
|
||||||
"idp_id must start with a-z", config_path + ("idp_id",),
|
|
||||||
)
|
|
||||||
|
|
||||||
# prefix the given IDP with a prefix specific to the SSO mechanism, to avoid
|
# prefix the given IDP with a prefix specific to the SSO mechanism, to avoid
|
||||||
# clashes with other mechs (such as SAML, CAS).
|
# clashes with other mechs (such as SAML, CAS).
|
||||||
#
|
#
|
||||||
@ -402,6 +400,7 @@ def _parse_oidc_config_dict(
|
|||||||
idp_id=idp_id,
|
idp_id=idp_id,
|
||||||
idp_name=oidc_config.get("idp_name", "OIDC"),
|
idp_name=oidc_config.get("idp_name", "OIDC"),
|
||||||
idp_icon=idp_icon,
|
idp_icon=idp_icon,
|
||||||
|
idp_brand=oidc_config.get("idp_brand"),
|
||||||
discover=oidc_config.get("discover", True),
|
discover=oidc_config.get("discover", True),
|
||||||
issuer=oidc_config["issuer"],
|
issuer=oidc_config["issuer"],
|
||||||
client_id=oidc_config["client_id"],
|
client_id=oidc_config["client_id"],
|
||||||
@ -432,6 +431,9 @@ class OidcProviderConfig:
|
|||||||
# Optional MXC URI for icon for this IdP.
|
# Optional MXC URI for icon for this IdP.
|
||||||
idp_icon = attr.ib(type=Optional[str])
|
idp_icon = attr.ib(type=Optional[str])
|
||||||
|
|
||||||
|
# Optional brand identifier for this IdP.
|
||||||
|
idp_brand = attr.ib(type=Optional[str])
|
||||||
|
|
||||||
# whether the OIDC discovery mechanism is used to discover endpoints
|
# whether the OIDC discovery mechanism is used to discover endpoints
|
||||||
discover = attr.ib(type=bool)
|
discover = attr.ib(type=bool)
|
||||||
|
|
||||||
|
@ -80,9 +80,10 @@ class CasHandler:
|
|||||||
# user-facing name of this auth provider
|
# user-facing name of this auth provider
|
||||||
self.idp_name = "CAS"
|
self.idp_name = "CAS"
|
||||||
|
|
||||||
# we do not currently support icons for CAS auth, but this is required by
|
# we do not currently support brands/icons for CAS auth, but this is required by
|
||||||
# the SsoIdentityProvider protocol type.
|
# the SsoIdentityProvider protocol type.
|
||||||
self.idp_icon = None
|
self.idp_icon = None
|
||||||
|
self.idp_brand = None
|
||||||
|
|
||||||
self._sso_handler = hs.get_sso_handler()
|
self._sso_handler = hs.get_sso_handler()
|
||||||
|
|
||||||
|
@ -274,6 +274,9 @@ class OidcProvider:
|
|||||||
# MXC URI for icon for this auth provider
|
# MXC URI for icon for this auth provider
|
||||||
self.idp_icon = provider.idp_icon
|
self.idp_icon = provider.idp_icon
|
||||||
|
|
||||||
|
# optional brand identifier for this auth provider
|
||||||
|
self.idp_brand = provider.idp_brand
|
||||||
|
|
||||||
self._sso_handler = hs.get_sso_handler()
|
self._sso_handler = hs.get_sso_handler()
|
||||||
|
|
||||||
self._sso_handler.register_identity_provider(self)
|
self._sso_handler.register_identity_provider(self)
|
||||||
|
@ -78,9 +78,10 @@ class SamlHandler(BaseHandler):
|
|||||||
# user-facing name of this auth provider
|
# user-facing name of this auth provider
|
||||||
self.idp_name = "SAML"
|
self.idp_name = "SAML"
|
||||||
|
|
||||||
# we do not currently support icons for SAML auth, but this is required by
|
# we do not currently support icons/brands for SAML auth, but this is required by
|
||||||
# the SsoIdentityProvider protocol type.
|
# the SsoIdentityProvider protocol type.
|
||||||
self.idp_icon = None
|
self.idp_icon = None
|
||||||
|
self.idp_brand = None
|
||||||
|
|
||||||
# a map from saml session id to Saml2SessionData object
|
# a map from saml session id to Saml2SessionData object
|
||||||
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
|
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
|
||||||
|
@ -80,6 +80,11 @@ class SsoIdentityProvider(Protocol):
|
|||||||
"""Optional MXC URI for user-facing icon"""
|
"""Optional MXC URI for user-facing icon"""
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
@property
|
||||||
|
def idp_brand(self) -> Optional[str]:
|
||||||
|
"""Optional branding identifier"""
|
||||||
|
return None
|
||||||
|
|
||||||
@abc.abstractmethod
|
@abc.abstractmethod
|
||||||
async def handle_redirect_request(
|
async def handle_redirect_request(
|
||||||
self,
|
self,
|
||||||
|
@ -333,6 +333,8 @@ def _get_auth_flow_dict_for_idp(idp: SsoIdentityProvider) -> JsonDict:
|
|||||||
e = {"id": idp.idp_id, "name": idp.idp_name} # type: JsonDict
|
e = {"id": idp.idp_id, "name": idp.idp_name} # type: JsonDict
|
||||||
if idp.idp_icon:
|
if idp.idp_icon:
|
||||||
e["icon"] = idp.idp_icon
|
e["icon"] = idp.idp_icon
|
||||||
|
if idp.idp_brand:
|
||||||
|
e["brand"] = idp.idp_brand
|
||||||
return e
|
return e
|
||||||
|
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user