Mirrors
/
synapse
mirror of https://github.com/element-hq/synapse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update documentation for configuring facebook login (#11755) 

... and a minor thinko fix in the sample config.
This commit is contained in:
Richard van der Hoff 2022-01-17 12:35:00 +00:00 committed by GitHub
parent 6a78ede569
commit b0352f9c08
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 26 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
changelog.d/11755.doc Normal file
View File

@ -0,0 +1 @@
Update documentation for configuring login with facebook.

25
docs/openid.md
View File

@ -390,9 +390,6 @@ oidc_providers:
### Facebook ### Facebook
Like Github, Facebook provide a custom OAuth2 API rather than an OIDC-compliant
one so requires a little more configuration.
0. You will need a Facebook developer account. You can register for one 0. You will need a Facebook developer account. You can register for one
[here](https://developers.facebook.com/async/registration/). [here](https://developers.facebook.com/async/registration/).
1. On the [apps](https://developers.facebook.com/apps/) page of the developer 1. On the [apps](https://developers.facebook.com/apps/) page of the developer
@ -412,24 +409,28 @@ Synapse config:
idp_name: Facebook idp_name: Facebook
idp_brand: "facebook" # optional: styling hint for clients idp_brand: "facebook" # optional: styling hint for clients
discover: false discover: false
issuer: "https://facebook.com" issuer: "https://www.facebook.com"
client_id: "your-client-id" # TO BE FILLED client_id: "your-client-id" # TO BE FILLED
client_secret: "your-client-secret" # TO BE FILLED client_secret: "your-client-secret" # TO BE FILLED
scopes: ["openid", "email"] scopes: ["openid", "email"]
authorization_endpoint: https://facebook.com/dialog/oauth authorization_endpoint: "https://facebook.com/dialog/oauth"
token_endpoint: https://graph.facebook.com/v9.0/oauth/access_token token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
user_profile_method: "userinfo_endpoint" jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
userinfo_endpoint: "https://graph.facebook.com/v9.0/me?fields=id,name,email,picture"
user_mapping_provider: user_mapping_provider:
config: config:
subject_claim: "id"
display_name_template: "{{ user.name }}" display_name_template: "{{ user.name }}"
email_template: "{{ '{{ user.email }}' }}"
``` ```
Relevant documents: Relevant documents:
* https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow * [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
* Using Facebook's Graph API: https://developers.facebook.com/docs/graph-api/using-graph-api/ * [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
* Reference to the User endpoint: https://developers.facebook.com/docs/graph-api/reference/user * [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
but it has a `response_types_supported` which excludes "code" (which we rely on, and
is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
so we have to disable discovery and configure the URIs manually.
### Gitea ### Gitea

9
docs/sample_config.yaml
View File

@ -1877,10 +1877,13 @@ saml2_config:
# Defaults to false. Avoid this in production. # Defaults to false. Avoid this in production.
# #
# user_profile_method: Whether to fetch the user profile from the userinfo # user_profile_method: Whether to fetch the user profile from the userinfo
# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. # endpoint, or to rely on the data returned in the id_token from the
# token_endpoint.
# #
# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is # Valid values are: 'auto' or 'userinfo_endpoint'.
# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the #
# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
# userinfo endpoint. # userinfo endpoint.
# #
# allow_existing_users: set to 'true' to allow a user logging in via OIDC to # allow_existing_users: set to 'true' to allow a user logging in via OIDC to

9
synapse/config/oidc.py
View File

@ -148,10 +148,13 @@ class OIDCConfig(Config):
# Defaults to false. Avoid this in production. # Defaults to false. Avoid this in production.
# #
# user_profile_method: Whether to fetch the user profile from the userinfo # user_profile_method: Whether to fetch the user profile from the userinfo
# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'. # endpoint, or to rely on the data returned in the id_token from the
# token_endpoint.
# #
# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is # Valid values are: 'auto' or 'userinfo_endpoint'.
# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the #
# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
# userinfo endpoint. # userinfo endpoint.
# #
# allow_existing_users: set to 'true' to allow a user logging in via OIDC to # allow_existing_users: set to 'true' to allow a user logging in via OIDC to