Document how to use Twitter as an OAuth 2.0 provider. (#14778)
This also alphabetizes the documentation for the various OpenID providers.
This commit is contained in:
parent
630d0aeaf6
commit
44b476b26e
|
@ -0,0 +1 @@
|
||||||
|
Document using Twitter as a OAuth 2.0 authentication provider.
|
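Review bot: the changelog entry reads "a OAuth 2.0 authentication provider"; it should be "an OAuth 2.0 authentication provider", since "OAuth" starts with a vowel sound. Consider also matching the commit title's wording ("OAuth 2.0 provider") so the changelog and title agree.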
736
docs/openid.md
736
docs/openid.md
|
@ -88,98 +88,41 @@ oidc_providers:
|
||||||
display_name_template: "{{ user.name }}"
|
display_name_template: "{{ user.name }}"
|
||||||
```
|
```
|
||||||
|
|
||||||
### Dex
|
### Apple
|
||||||
|
|
||||||
[Dex][dex-idp] is a simple, open-source OpenID Connect Provider.
|
Configuring "Sign in with Apple" (SiWA) requires an Apple Developer account.
|
||||||
Although it is designed to help building a full-blown provider with an
|
|
||||||
external database, it can be configured with static passwords in a config file.
|
|
||||||
|
|
||||||
Follow the [Getting Started guide](https://dexidp.io/docs/getting-started/)
|
You will need to create a new "Services ID" for SiWA, and create and download a
|
||||||
to install Dex.
|
private key with "SiWA" enabled.
|
||||||
|
|
||||||
Edit `examples/config-dev.yaml` config file from the Dex repo to add a client:
|
As well as the private key file, you will need:
|
||||||
|
* Client ID: the "identifier" you gave the "Services ID"
|
||||||
|
* Team ID: a 10-character ID associated with your developer account.
|
||||||
|
* Key ID: the 10-character identifier for the key.
|
||||||
|
|
||||||
|
[Apple's developer documentation](https://help.apple.com/developer-account/?lang=en#/dev77c875b7e)
|
||||||
|
has more information on setting up SiWA.
|
||||||
|
|
||||||
|
The synapse config will look like this:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
staticClients:
|
- idp_id: apple
|
||||||
- id: synapse
|
idp_name: Apple
|
||||||
secret: secret
|
issuer: "https://appleid.apple.com"
|
||||||
redirectURIs:
|
client_id: "your-client-id" # Set to the "identifier" for your "ServicesID"
|
||||||
- '[synapse public baseurl]/_synapse/client/oidc/callback'
|
client_auth_method: "client_secret_post"
|
||||||
name: 'Synapse'
|
client_secret_jwt_key:
|
||||||
```
|
key_file: "/path/to/AuthKey_KEYIDCODE.p8" # point to your key file
|
||||||
|
jwt_header:
|
||||||
Run with `dex serve examples/config-dev.yaml`.
|
alg: ES256
|
||||||
|
kid: "KEYIDCODE" # Set to the 10-char Key ID
|
||||||
Synapse config:
|
jwt_payload:
|
||||||
|
iss: TEAMIDCODE # Set to the 10-char Team ID
|
||||||
```yaml
|
scopes: ["name", "email", "openid"]
|
||||||
oidc_providers:
|
authorization_endpoint: https://appleid.apple.com/auth/authorize?response_mode=form_post
|
||||||
- idp_id: dex
|
|
||||||
idp_name: "My Dex server"
|
|
||||||
skip_verification: true # This is needed as Dex is served on an insecure endpoint
|
|
||||||
issuer: "http://127.0.0.1:5556/dex"
|
|
||||||
client_id: "synapse"
|
|
||||||
client_secret: "secret"
|
|
||||||
scopes: ["openid", "profile"]
|
|
||||||
user_mapping_provider:
|
user_mapping_provider:
|
||||||
config:
|
config:
|
||||||
localpart_template: "{{ user.name }}"
|
email_template: "{{ user.email }}"
|
||||||
display_name_template: "{{ user.name|capitalize }}"
|
|
||||||
```
|
|
||||||
### Keycloak
|
|
||||||
|
|
||||||
[Keycloak][keycloak-idp] is an opensource IdP maintained by Red Hat.
|
|
||||||
|
|
||||||
Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak.
|
|
||||||
This can be optionally enabled by setting `backchannel_logout_enabled` to `true` in the Synapse configuration, and by setting the "Backchannel Logout URL" in Keycloak.
|
|
||||||
|
|
||||||
Follow the [Getting Started Guide](https://www.keycloak.org/getting-started) to install Keycloak and set up a realm.
|
|
||||||
|
|
||||||
1. Click `Clients` in the sidebar and click `Create`
|
|
||||||
|
|
||||||
2. Fill in the fields as below:
|
|
||||||
|
|
||||||
| Field | Value |
|
|
||||||
|-----------|-----------|
|
|
||||||
| Client ID | `synapse` |
|
|
||||||
| Client Protocol | `openid-connect` |
|
|
||||||
|
|
||||||
3. Click `Save`
|
|
||||||
4. Fill in the fields as below:
|
|
||||||
|
|
||||||
| Field | Value |
|
|
||||||
|-----------|-----------|
|
|
||||||
| Client ID | `synapse` |
|
|
||||||
| Enabled | `On` |
|
|
||||||
| Client Protocol | `openid-connect` |
|
|
||||||
| Access Type | `confidential` |
|
|
||||||
| Valid Redirect URIs | `[synapse public baseurl]/_synapse/client/oidc/callback` |
|
|
||||||
| Backchannel Logout URL (optional) | `[synapse public baseurl]/_synapse/client/oidc/backchannel_logout` |
|
|
||||||
| Backchannel Logout Session Required (optional) | `On` |
|
|
||||||
|
|
||||||
5. Click `Save`
|
|
||||||
6. On the Credentials tab, update the fields:
|
|
||||||
|
|
||||||
| Field | Value |
|
|
||||||
|-------|-------|
|
|
||||||
| Client Authenticator | `Client ID and Secret` |
|
|
||||||
|
|
||||||
7. Click `Regenerate Secret`
|
|
||||||
8. Copy Secret
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
oidc_providers:
|
|
||||||
- idp_id: keycloak
|
|
||||||
idp_name: "My KeyCloak server"
|
|
||||||
issuer: "https://127.0.0.1:8443/realms/{realm_name}"
|
|
||||||
client_id: "synapse"
|
|
||||||
client_secret: "copy secret generated from above"
|
|
||||||
scopes: ["openid", "profile"]
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
localpart_template: "{{ user.preferred_username }}"
|
|
||||||
display_name_template: "{{ user.name }}"
|
|
||||||
backchannel_logout_enabled: true # Optional
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Auth0
|
### Auth0
|
||||||
|
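Review bot: the moved Apple snippet starts at `- idp_id: apple` without the enclosing `oidc_providers:` key that the Dex and Keycloak blocks in this same hunk show (`oidc_providers:` followed by `- idp_id: dex` / `- idp_id: keycloak`); since the section is being relocated anyway, add `oidc_providers:` above `- idp_id: apple` so the snippet pastes into a homeserver config as-is. Two smaller points in the same block: the comment on `client_id: "your-client-id" # Set to the "identifier" for your "ServicesID"` spells it "ServicesID" while the prose above says "Services ID", and `authorization_endpoint: https://appleid.apple.com/auth/authorize?response_mode=form_post` is the only unquoted URL in the block, so quote it for consistency with `issuer: "https://appleid.apple.com"`.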
@ -262,285 +205,43 @@ oidc_providers:
|
||||||
display_name_template: "{{ user.preferred_username|capitalize }}" # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
|
display_name_template: "{{ user.preferred_username|capitalize }}" # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
|
||||||
```
|
```
|
||||||
|
|
||||||
### LemonLDAP
|
### Dex
|
||||||
|
|
||||||
[LemonLDAP::NG][lemonldap] is an open-source IdP solution.
|
[Dex][dex-idp] is a simple, open-source OpenID Connect Provider.
|
||||||
|
Although it is designed to help building a full-blown provider with an
|
||||||
|
external database, it can be configured with static passwords in a config file.
|
||||||
|
|
||||||
1. Create an OpenID Connect Relying Parties in LemonLDAP::NG
|
Follow the [Getting Started guide](https://dexidp.io/docs/getting-started/)
|
||||||
2. The parameters are:
|
to install Dex.
|
||||||
- Client ID under the basic menu of the new Relying Parties (`Options > Basic >
|
|
||||||
Client ID`)
|
Edit `examples/config-dev.yaml` config file from the Dex repo to add a client:
|
||||||
- Client secret (`Options > Basic > Client secret`)
|
|
||||||
- JWT Algorithm: RS256 within the security menu of the new Relying Parties
|
|
||||||
(`Options > Security > ID Token signature algorithm` and `Options > Security >
|
|
||||||
Access Token signature algorithm`)
|
|
||||||
- Scopes: OpenID, Email and Profile
|
|
||||||
- Allowed redirection addresses for login (`Options > Basic > Allowed
|
|
||||||
redirection addresses for login` ) :
|
|
||||||
`[synapse public baseurl]/_synapse/client/oidc/callback`
|
|
||||||
|
|
||||||
Synapse config:
|
|
||||||
```yaml
|
```yaml
|
||||||
oidc_providers:
|
staticClients:
|
||||||
- idp_id: lemonldap
|
- id: synapse
|
||||||
idp_name: lemonldap
|
secret: secret
|
||||||
discover: true
|
redirectURIs:
|
||||||
issuer: "https://auth.example.org/" # TO BE FILLED: replace with your domain
|
- '[synapse public baseurl]/_synapse/client/oidc/callback'
|
||||||
client_id: "your client id" # TO BE FILLED
|
name: 'Synapse'
|
||||||
client_secret: "your client secret" # TO BE FILLED
|
|
||||||
scopes:
|
|
||||||
- "openid"
|
|
||||||
- "profile"
|
|
||||||
- "email"
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
localpart_template: "{{ user.preferred_username }}}"
|
|
||||||
# TO BE FILLED: If your users have names in LemonLDAP::NG and you want those in Synapse, this should be replaced with user.name|capitalize or any valid filter.
|
|
||||||
display_name_template: "{{ user.preferred_username|capitalize }}"
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### GitHub
|
Run with `dex serve examples/config-dev.yaml`.
|
||||||
|
|
||||||
[GitHub][github-idp] is a bit special as it is not an OpenID Connect compliant provider, but
|
|
||||||
just a regular OAuth2 provider.
|
|
||||||
|
|
||||||
The [`/user` API endpoint](https://developer.github.com/v3/users/#get-the-authenticated-user)
|
|
||||||
can be used to retrieve information on the authenticated user. As the Synapse
|
|
||||||
login mechanism needs an attribute to uniquely identify users, and that endpoint
|
|
||||||
does not return a `sub` property, an alternative `subject_claim` has to be set.
|
|
||||||
|
|
||||||
1. Create a new OAuth application: [https://github.com/settings/applications/new](https://github.com/settings/applications/new).
|
|
||||||
2. Set the callback URL to `[synapse public baseurl]/_synapse/client/oidc/callback`.
|
|
||||||
|
|
||||||
Synapse config:
|
Synapse config:
|
||||||
|
|
||||||
```yaml
|
```yaml
|
||||||
oidc_providers:
|
oidc_providers:
|
||||||
- idp_id: github
|
- idp_id: dex
|
||||||
idp_name: Github
|
idp_name: "My Dex server"
|
||||||
idp_brand: "github" # optional: styling hint for clients
|
skip_verification: true # This is needed as Dex is served on an insecure endpoint
|
||||||
discover: false
|
issuer: "http://127.0.0.1:5556/dex"
|
||||||
issuer: "https://github.com/"
|
client_id: "synapse"
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
client_secret: "secret"
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
|
||||||
authorization_endpoint: "https://github.com/login/oauth/authorize"
|
|
||||||
token_endpoint: "https://github.com/login/oauth/access_token"
|
|
||||||
userinfo_endpoint: "https://api.github.com/user"
|
|
||||||
scopes: ["read:user"]
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
subject_claim: "id"
|
|
||||||
localpart_template: "{{ user.login }}"
|
|
||||||
display_name_template: "{{ user.name }}"
|
|
||||||
```
|
|
||||||
|
|
||||||
### Google
|
|
||||||
|
|
||||||
[Google][google-idp] is an OpenID certified authentication and authorisation provider.
|
|
||||||
|
|
||||||
1. Set up a project in the Google API Console (see
|
|
||||||
[documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#appsetup)).
|
|
||||||
3. Add an "OAuth Client ID" for a Web Application under "Credentials".
|
|
||||||
4. Copy the Client ID and Client Secret, and add the following to your synapse config:
|
|
||||||
```yaml
|
|
||||||
oidc_providers:
|
|
||||||
- idp_id: google
|
|
||||||
idp_name: Google
|
|
||||||
idp_brand: "google" # optional: styling hint for clients
|
|
||||||
issuer: "https://accounts.google.com/"
|
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
|
||||||
scopes: ["openid", "profile", "email"] # email is optional, read below
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
localpart_template: "{{ user.given_name|lower }}"
|
|
||||||
display_name_template: "{{ user.name }}"
|
|
||||||
email_template: "{{ user.email }}" # needs "email" in scopes above
|
|
||||||
```
|
|
||||||
4. Back in the Google console, add this Authorized redirect URI: `[synapse
|
|
||||||
public baseurl]/_synapse/client/oidc/callback`.
|
|
||||||
|
|
||||||
### Twitch
|
|
||||||
|
|
||||||
1. Setup a developer account on [Twitch](https://dev.twitch.tv/)
|
|
||||||
2. Obtain the OAuth 2.0 credentials by [creating an app](https://dev.twitch.tv/console/apps/)
|
|
||||||
3. Add this OAuth Redirect URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
|
|
||||||
|
|
||||||
Synapse config:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
oidc_providers:
|
|
||||||
- idp_id: twitch
|
|
||||||
idp_name: Twitch
|
|
||||||
issuer: "https://id.twitch.tv/oauth2/"
|
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
|
||||||
client_auth_method: "client_secret_post"
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
localpart_template: "{{ user.preferred_username }}"
|
|
||||||
display_name_template: "{{ user.name }}"
|
|
||||||
```
|
|
||||||
|
|
||||||
### GitLab
|
|
||||||
|
|
||||||
1. Create a [new application](https://gitlab.com/profile/applications).
|
|
||||||
2. Add the `read_user` and `openid` scopes.
|
|
||||||
3. Add this Callback URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
|
|
||||||
|
|
||||||
Synapse config:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
oidc_providers:
|
|
||||||
- idp_id: gitlab
|
|
||||||
idp_name: Gitlab
|
|
||||||
idp_brand: "gitlab" # optional: styling hint for clients
|
|
||||||
issuer: "https://gitlab.com/"
|
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
|
||||||
client_auth_method: "client_secret_post"
|
|
||||||
scopes: ["openid", "read_user"]
|
|
||||||
user_profile_method: "userinfo_endpoint"
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
localpart_template: '{{ user.nickname }}'
|
|
||||||
display_name_template: '{{ user.name }}'
|
|
||||||
```
|
|
||||||
|
|
||||||
### Facebook
|
|
||||||
|
|
||||||
0. You will need a Facebook developer account. You can register for one
|
|
||||||
[here](https://developers.facebook.com/async/registration/).
|
|
||||||
1. On the [apps](https://developers.facebook.com/apps/) page of the developer
|
|
||||||
console, "Create App", and choose "Build Connected Experiences".
|
|
||||||
2. Once the app is created, add "Facebook Login" and choose "Web". You don't
|
|
||||||
need to go through the whole form here.
|
|
||||||
3. In the left-hand menu, open "Products"/"Facebook Login"/"Settings".
|
|
||||||
* Add `[synapse public baseurl]/_synapse/client/oidc/callback` as an OAuth Redirect
|
|
||||||
URL.
|
|
||||||
4. In the left-hand menu, open "Settings/Basic". Here you can copy the "App ID"
|
|
||||||
and "App Secret" for use below.
|
|
||||||
|
|
||||||
Synapse config:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
- idp_id: facebook
|
|
||||||
idp_name: Facebook
|
|
||||||
idp_brand: "facebook" # optional: styling hint for clients
|
|
||||||
discover: false
|
|
||||||
issuer: "https://www.facebook.com"
|
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
|
||||||
scopes: ["openid", "email"]
|
|
||||||
authorization_endpoint: "https://facebook.com/dialog/oauth"
|
|
||||||
token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
|
|
||||||
jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
display_name_template: "{{ user.name }}"
|
|
||||||
email_template: "{{ user.email }}"
|
|
||||||
```
|
|
||||||
|
|
||||||
Relevant documents:
|
|
||||||
* [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
|
|
||||||
* [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
|
|
||||||
* [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
|
|
||||||
|
|
||||||
Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
|
|
||||||
but it has a `response_types_supported` which excludes "code" (which we rely on, and
|
|
||||||
is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
|
|
||||||
so we have to disable discovery and configure the URIs manually.
|
|
||||||
|
|
||||||
### Gitea
|
|
||||||
|
|
||||||
Gitea is, like Github, not an OpenID provider, but just an OAuth2 provider.
|
|
||||||
|
|
||||||
The [`/user` API endpoint](https://try.gitea.io/api/swagger#/user/userGetCurrent)
|
|
||||||
can be used to retrieve information on the authenticated user. As the Synapse
|
|
||||||
login mechanism needs an attribute to uniquely identify users, and that endpoint
|
|
||||||
does not return a `sub` property, an alternative `subject_claim` has to be set.
|
|
||||||
|
|
||||||
1. Create a new application.
|
|
||||||
2. Add this Callback URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
|
|
||||||
|
|
||||||
Synapse config:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
oidc_providers:
|
|
||||||
- idp_id: gitea
|
|
||||||
idp_name: Gitea
|
|
||||||
discover: false
|
|
||||||
issuer: "https://your-gitea.com/"
|
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
|
||||||
client_secret: "your-client-secret" # TO BE FILLED
|
|
||||||
client_auth_method: client_secret_post
|
|
||||||
scopes: [] # Gitea doesn't support Scopes
|
|
||||||
authorization_endpoint: "https://your-gitea.com/login/oauth/authorize"
|
|
||||||
token_endpoint: "https://your-gitea.com/login/oauth/access_token"
|
|
||||||
userinfo_endpoint: "https://your-gitea.com/api/v1/user"
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
subject_claim: "id"
|
|
||||||
localpart_template: "{{ user.login }}"
|
|
||||||
display_name_template: "{{ user.full_name }}"
|
|
||||||
```
|
|
||||||
|
|
||||||
### XWiki
|
|
||||||
|
|
||||||
Install [OpenID Connect Provider](https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Provider/) extension in your [XWiki](https://www.xwiki.org) instance.
|
|
||||||
|
|
||||||
Synapse config:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
oidc_providers:
|
|
||||||
- idp_id: xwiki
|
|
||||||
idp_name: "XWiki"
|
|
||||||
issuer: "https://myxwikihost/xwiki/oidc/"
|
|
||||||
client_id: "your-client-id" # TO BE FILLED
|
|
||||||
client_auth_method: none
|
|
||||||
scopes: ["openid", "profile"]
|
scopes: ["openid", "profile"]
|
||||||
user_profile_method: "userinfo_endpoint"
|
|
||||||
user_mapping_provider:
|
user_mapping_provider:
|
||||||
config:
|
config:
|
||||||
localpart_template: "{{ user.preferred_username }}"
|
localpart_template: "{{ user.name }}"
|
||||||
display_name_template: "{{ user.name }}"
|
display_name_template: "{{ user.name|capitalize }}"
|
||||||
```
|
|
||||||
|
|
||||||
### Apple
|
|
||||||
|
|
||||||
Configuring "Sign in with Apple" (SiWA) requires an Apple Developer account.
|
|
||||||
|
|
||||||
You will need to create a new "Services ID" for SiWA, and create and download a
|
|
||||||
private key with "SiWA" enabled.
|
|
||||||
|
|
||||||
As well as the private key file, you will need:
|
|
||||||
* Client ID: the "identifier" you gave the "Services ID"
|
|
||||||
* Team ID: a 10-character ID associated with your developer account.
|
|
||||||
* Key ID: the 10-character identifier for the key.
|
|
||||||
|
|
||||||
[Apple's developer documentation](https://help.apple.com/developer-account/?lang=en#/dev77c875b7e)
|
|
||||||
has more information on setting up SiWA.
|
|
||||||
|
|
||||||
The synapse config will look like this:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
- idp_id: apple
|
|
||||||
idp_name: Apple
|
|
||||||
issuer: "https://appleid.apple.com"
|
|
||||||
client_id: "your-client-id" # Set to the "identifier" for your "ServicesID"
|
|
||||||
client_auth_method: "client_secret_post"
|
|
||||||
client_secret_jwt_key:
|
|
||||||
key_file: "/path/to/AuthKey_KEYIDCODE.p8" # point to your key file
|
|
||||||
jwt_header:
|
|
||||||
alg: ES256
|
|
||||||
kid: "KEYIDCODE" # Set to the 10-char Key ID
|
|
||||||
jwt_payload:
|
|
||||||
iss: TEAMIDCODE # Set to the 10-char Team ID
|
|
||||||
scopes: ["name", "email", "openid"]
|
|
||||||
authorization_endpoint: https://appleid.apple.com/auth/authorize?response_mode=form_post
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
email_template: "{{ user.email }}"
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Django OAuth Toolkit
|
### Django OAuth Toolkit
|
||||||
|
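Review bot: in the relocated Dex block, `skip_verification: true # This is needed as Dex is served on an insecure endpoint` sits next to `issuer: "http://127.0.0.1:5556/dex"`; the comment should state plainly that this disables verification of the issuer and is only acceptable for a local development Dex instance reached over plain HTTP, because readers who copy the snippet and point `issuer` at a real deployment will otherwise carry the flag along. It would also help to mark `secret: secret` in the Dex static client and the matching `client_secret: "secret"` as placeholders rather than values to keep. Placement of "### Dex" before "### Django OAuth Toolkit" is correct for the alphabetical order this commit introduces.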
@ -591,6 +292,263 @@ oidc_providers:
|
||||||
email_template: "{{ user.email }}"
|
email_template: "{{ user.email }}"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### Facebook
|
||||||
|
|
||||||
|
0. You will need a Facebook developer account. You can register for one
|
||||||
|
[here](https://developers.facebook.com/async/registration/).
|
||||||
|
1. On the [apps](https://developers.facebook.com/apps/) page of the developer
|
||||||
|
console, "Create App", and choose "Build Connected Experiences".
|
||||||
|
2. Once the app is created, add "Facebook Login" and choose "Web". You don't
|
||||||
|
need to go through the whole form here.
|
||||||
|
3. In the left-hand menu, open "Products"/"Facebook Login"/"Settings".
|
||||||
|
* Add `[synapse public baseurl]/_synapse/client/oidc/callback` as an OAuth Redirect
|
||||||
|
URL.
|
||||||
|
4. In the left-hand menu, open "Settings/Basic". Here you can copy the "App ID"
|
||||||
|
and "App Secret" for use below.
|
||||||
|
|
||||||
|
Synapse config:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
- idp_id: facebook
|
||||||
|
idp_name: Facebook
|
||||||
|
idp_brand: "facebook" # optional: styling hint for clients
|
||||||
|
discover: false
|
||||||
|
issuer: "https://www.facebook.com"
|
||||||
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
scopes: ["openid", "email"]
|
||||||
|
authorization_endpoint: "https://facebook.com/dialog/oauth"
|
||||||
|
token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
|
||||||
|
jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
|
||||||
|
user_mapping_provider:
|
||||||
|
config:
|
||||||
|
display_name_template: "{{ user.name }}"
|
||||||
|
email_template: "{{ user.email }}"
|
||||||
|
```
|
||||||
|
|
||||||
|
Relevant documents:
|
||||||
|
* [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
|
||||||
|
* [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
|
||||||
|
* [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
|
||||||
|
|
||||||
|
Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
|
||||||
|
but it has a `response_types_supported` which excludes "code" (which we rely on, and
|
||||||
|
is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
|
||||||
|
so we have to disable discovery and configure the URIs manually.
|
||||||
|
|
||||||
|
### GitHub
|
||||||
|
|
||||||
|
[GitHub][github-idp] is a bit special as it is not an OpenID Connect compliant provider, but
|
||||||
|
just a regular OAuth2 provider.
|
||||||
|
|
||||||
|
The [`/user` API endpoint](https://developer.github.com/v3/users/#get-the-authenticated-user)
|
||||||
|
can be used to retrieve information on the authenticated user. As the Synapse
|
||||||
|
login mechanism needs an attribute to uniquely identify users, and that endpoint
|
||||||
|
does not return a `sub` property, an alternative `subject_claim` has to be set.
|
||||||
|
|
||||||
|
1. Create a new OAuth application: [https://github.com/settings/applications/new](https://github.com/settings/applications/new).
|
||||||
|
2. Set the callback URL to `[synapse public baseurl]/_synapse/client/oidc/callback`.
|
||||||
|
|
||||||
|
Synapse config:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
oidc_providers:
|
||||||
|
- idp_id: github
|
||||||
|
idp_name: Github
|
||||||
|
idp_brand: "github" # optional: styling hint for clients
|
||||||
|
discover: false
|
||||||
|
issuer: "https://github.com/"
|
||||||
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
authorization_endpoint: "https://github.com/login/oauth/authorize"
|
||||||
|
token_endpoint: "https://github.com/login/oauth/access_token"
|
||||||
|
userinfo_endpoint: "https://api.github.com/user"
|
||||||
|
scopes: ["read:user"]
|
||||||
|
user_mapping_provider:
|
||||||
|
config:
|
||||||
|
subject_claim: "id"
|
||||||
|
localpart_template: "{{ user.login }}"
|
||||||
|
display_name_template: "{{ user.name }}"
|
||||||
|
```
|
||||||
|
|
||||||
|
### GitLab
|
||||||
|
|
||||||
|
1. Create a [new application](https://gitlab.com/profile/applications).
|
||||||
|
2. Add the `read_user` and `openid` scopes.
|
||||||
|
3. Add this Callback URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
|
||||||
|
|
||||||
|
Synapse config:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
oidc_providers:
|
||||||
|
- idp_id: gitlab
|
||||||
|
idp_name: Gitlab
|
||||||
|
idp_brand: "gitlab" # optional: styling hint for clients
|
||||||
|
issuer: "https://gitlab.com/"
|
||||||
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
client_auth_method: "client_secret_post"
|
||||||
|
scopes: ["openid", "read_user"]
|
||||||
|
user_profile_method: "userinfo_endpoint"
|
||||||
|
user_mapping_provider:
|
||||||
|
config:
|
||||||
|
localpart_template: '{{ user.nickname }}'
|
||||||
|
display_name_template: '{{ user.name }}'
|
||||||
|
```
|
||||||
|
|
||||||
|
### Gitea
|
||||||
|
|
||||||
|
Gitea is, like Github, not an OpenID provider, but just an OAuth2 provider.
|
||||||
|
|
||||||
|
The [`/user` API endpoint](https://try.gitea.io/api/swagger#/user/userGetCurrent)
|
||||||
|
can be used to retrieve information on the authenticated user. As the Synapse
|
||||||
|
login mechanism needs an attribute to uniquely identify users, and that endpoint
|
||||||
|
does not return a `sub` property, an alternative `subject_claim` has to be set.
|
||||||
|
|
||||||
|
1. Create a new application.
|
||||||
|
2. Add this Callback URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
|
||||||
|
|
||||||
|
Synapse config:
|
||||||
|
|
||||||
|
```yaml
|
||||||
|
oidc_providers:
|
||||||
|
- idp_id: gitea
|
||||||
|
idp_name: Gitea
|
||||||
|
discover: false
|
||||||
|
issuer: "https://your-gitea.com/"
|
||||||
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
client_auth_method: client_secret_post
|
||||||
|
scopes: [] # Gitea doesn't support Scopes
|
||||||
|
authorization_endpoint: "https://your-gitea.com/login/oauth/authorize"
|
||||||
|
token_endpoint: "https://your-gitea.com/login/oauth/access_token"
|
||||||
|
userinfo_endpoint: "https://your-gitea.com/api/v1/user"
|
||||||
|
user_mapping_provider:
|
||||||
|
config:
|
||||||
|
subject_claim: "id"
|
||||||
|
localpart_template: "{{ user.login }}"
|
||||||
|
display_name_template: "{{ user.full_name }}"
|
||||||
|
```
|
||||||
|
|
||||||
|
### Google
|
||||||
|
|
||||||
|
[Google][google-idp] is an OpenID certified authentication and authorisation provider.
|
||||||
|
|
||||||
|
1. Set up a project in the Google API Console (see
|
||||||
|
[documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#appsetup)).
|
||||||
|
3. Add an "OAuth Client ID" for a Web Application under "Credentials".
|
||||||
|
4. Copy the Client ID and Client Secret, and add the following to your synapse config:
|
||||||
|
```yaml
|
||||||
|
oidc_providers:
|
||||||
|
- idp_id: google
|
||||||
|
idp_name: Google
|
||||||
|
idp_brand: "google" # optional: styling hint for clients
|
||||||
|
issuer: "https://accounts.google.com/"
|
||||||
|
client_id: "your-client-id" # TO BE FILLED
|
||||||
|
client_secret: "your-client-secret" # TO BE FILLED
|
||||||
|
scopes: ["openid", "profile", "email"] # email is optional, read below
|
||||||
|
user_mapping_provider:
|
||||||
|
config:
|
||||||
|
localpart_template: "{{ user.given_name|lower }}"
|
||||||
|
display_name_template: "{{ user.name }}"
|
||||||
|
email_template: "{{ user.email }}" # needs "email" in scopes above
|
||||||
|
```
|
||||||
|
4. Back in the Google console, add this Authorized redirect URI: `[synapse
|
||||||
|
public baseurl]/_synapse/client/oidc/callback`.
|
||||||
|
|
||||||
|
### Keycloak
|
||||||
|
|
||||||
|
[Keycloak][keycloak-idp] is an opensource IdP maintained by Red Hat.
|
||||||
|
|
||||||
|
Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak.
|
||||||
|
This can be optionally enabled by setting `backchannel_logout_enabled` to `true` in the Synapse configuration, and by setting the "Backchannel Logout URL" in Keycloak.
|
||||||
|
|
||||||
|
Follow the [Getting Started Guide](https://www.keycloak.org/getting-started) to install Keycloak and set up a realm.
|
||||||
|
|
||||||
|
1. Click `Clients` in the sidebar and click `Create`
|
||||||
|
|
||||||
|
2. Fill in the fields as below:
|
||||||
|
|
||||||
|
| Field | Value |
|
||||||
|
|-----------|-----------|
|
||||||
|
| Client ID | `synapse` |
|
||||||
|
| Client Protocol | `openid-connect` |
|
||||||
|
|
||||||
|
3. Click `Save`
|
||||||
|
4. Fill in the fields as below:
|
||||||
|
|
||||||
|
| Field | Value |
|
||||||
|
|-----------|-----------|
|
||||||
|
| Client ID | `synapse` |
|
||||||
|
| Enabled | `On` |
|
||||||
|
| Client Protocol | `openid-connect` |
|
||||||
|
| Access Type | `confidential` |
|
||||||
|
| Valid Redirect URIs | `[synapse public baseurl]/_synapse/client/oidc/callback` |
|
||||||
|
| Backchannel Logout URL (optional) | `[synapse public baseurl]/_synapse/client/oidc/backchannel_logout` |
|
||||||
|
| Backchannel Logout Session Required (optional) | `On` |
|
||||||
|
|
||||||
|
5. Click `Save`
|
||||||
|
6. On the Credentials tab, update the fields:
|
||||||
|
|
||||||
|
| Field | Value |
|
||||||
|
|-------|-------|
|
||||||
|
| Client Authenticator | `Client ID and Secret` |

7. Click `Regenerate Secret`
8. Copy Secret

```yaml
oidc_providers:
- idp_id: keycloak
idp_name: "My KeyCloak server"
issuer: "https://127.0.0.1:8443/realms/{realm_name}"
client_id: "synapse"
client_secret: "copy secret generated from above"
scopes: ["openid", "profile"]
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name }}"
backchannel_logout_enabled: true # Optional
```

### LemonLDAP

[LemonLDAP::NG][lemonldap] is an open-source IdP solution.

1. Create an OpenID Connect Relying Parties in LemonLDAP::NG
2. The parameters are:
- Client ID under the basic menu of the new Relying Parties (`Options > Basic >
Client ID`)
- Client secret (`Options > Basic > Client secret`)
- JWT Algorithm: RS256 within the security menu of the new Relying Parties
(`Options > Security > ID Token signature algorithm` and `Options > Security >
Access Token signature algorithm`)
- Scopes: OpenID, Email and Profile
- Allowed redirection addresses for login (`Options > Basic > Allowed
redirection addresses for login` ) :
`[synapse public baseurl]/_synapse/client/oidc/callback`

Synapse config:
```yaml
oidc_providers:
- idp_id: lemonldap
idp_name: lemonldap
discover: true
issuer: "https://auth.example.org/" # TO BE FILLED: replace with your domain
client_id: "your client id" # TO BE FILLED
client_secret: "your client secret" # TO BE FILLED
scopes:
- "openid"
- "profile"
- "email"
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}}"
# TO BE FILLED: If your users have names in LemonLDAP::NG and you want those in Synapse, this should be replaced with user.name|capitalize or any valid filter.
display_name_template: "{{ user.preferred_username|capitalize }}"
```

### Mastodon

[Mastodon](https://docs.joinmastodon.org/) instances provide an [OAuth API](https://docs.joinmastodon.org/spec/oauth/), allowing those instances to be used as a single sign-on provider for Synapse.
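Review bot: the LemonLDAP `localpart_template` has an unbalanced brace, `"{{ user.preferred_username }}}"`. Jinja closes the expression at the first `}}` and emits the third `}` literally, so every mapped localpart ends in a `}`, which is not a valid character in a Matrix localpart and the mapping will be rejected. Suggest `localpart_template: "{{ user.preferred_username }}"`, matching the Keycloak block in the same hunk.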
@ -631,3 +589,81 @@ oidc_providers:
```

Note that the fields `client_id` and `client_secret` are taken from the CURL response above.

### Twitch

1. Setup a developer account on [Twitch](https://dev.twitch.tv/)
2. Obtain the OAuth 2.0 credentials by [creating an app](https://dev.twitch.tv/console/apps/)
3. Add this OAuth Redirect URL: `[synapse public baseurl]/_synapse/client/oidc/callback`

Synapse config:

```yaml
oidc_providers:
- idp_id: twitch
idp_name: Twitch
issuer: "https://id.twitch.tv/oauth2/"
client_id: "your-client-id" # TO BE FILLED
client_secret: "your-client-secret" # TO BE FILLED
client_auth_method: "client_secret_post"
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name }}"
```

### Twitter

*Using Twitter as an identity provider requires using Synapse 1.75.0 or later.*

1. Setup a developer account on [Twitter](https://developer.twitter.com/en/portal/dashboard)
2. Create a project & app.
3. Enable user authentication and under "Type of App" choose "Web App, Automated App or Bot".
4. Under "App info" set the callback URL to `[synapse public baseurl]/_synapse/client/oidc/callback`.
5. Obtain the OAuth 2.0 credentials under the "Keys and tokens" tab, copy the "OAuth 2.0 Client ID and Client Secret"

Synapse config:

```yaml
oidc_providers:
- idp_id: twitter
idp_name: Twitter
idp_brand: "twitter" # optional: styling hint for clients
discover: false # Twitter is not OpenID compliant.
issuer: "https://twitter.com/"
client_id: "your-client-id" # TO BE FILLED
client_secret: "your-client-secret" # TO BE FILLED
pkce_method: "always"
# offline.access providers refresh tokens, tweet.read and users.read needed for userinfo request.
scopes: ["offline.access", "tweet.read", "users.read"]
authorization_endpoint: https://twitter.com/i/oauth2/authorize
token_endpoint: https://api.twitter.com/2/oauth2/token
userinfo_endpoint: https://api.twitter.com/2/users/me?user.fields=profile_image_url
user_mapping_provider:
config:
subject_template: "{{ user.data.id }}"
localpart_template: "{{ user.data.username }}"
display_name_template: "{{ user.data.name }}"
picture_template: "{{ user.data.profile_image_url }}"
```

### XWiki

Install [OpenID Connect Provider](https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Provider/) extension in your [XWiki](https://www.xwiki.org) instance.

Synapse config:

```yaml
oidc_providers:
- idp_id: xwiki
idp_name: "XWiki"
issuer: "https://myxwikihost/xwiki/oidc/"
client_id: "your-client-id" # TO BE FILLED
client_auth_method: none
scopes: ["openid", "profile"]
user_profile_method: "userinfo_endpoint"
user_mapping_provider:
config:
localpart_template: "{{ user.preferred_username }}"
display_name_template: "{{ user.name }}"
```
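Review bot: the comment above `scopes` in the Twitter block reads "offline.access providers refresh tokens"; it should be "provides". While touching that block, the `userinfo_endpoint` carries the query string `?user.fields=profile_image_url`, and that parameter is what makes `user.data.profile_image_url` available to `picture_template`; one sentence saying so (for example "the `user.fields` query parameter is required for `picture_template` to populate") would stop readers from trimming the URL to `https://api.twitter.com/2/users/me` and silently losing avatars. The `discover: false` comment and the explicit `authorization_endpoint`/`token_endpoint` pair are consistent with each other and need no change.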