Eric Eastwood 6a909aade2 Consolidate SSO redirects through /_matrix/client/v3/login/sso/redirect(/{idpId}) (#17972) ... Consolidate SSO redirects through `/_matrix/client/v3/login/sso/redirect(/{idpId})` Spawning from https://github.com/element-hq/sbg/pull/421#discussion_r1859497330 where we have a proxy that intercepts responses to `/_matrix/client/v3/login/sso/redirect(/{idpId})` in order to upgrade them to use OAuth 2.0 Pushed Authorization Requests (PAR). Instead of needing to intercept multiple endpoints that redirect to the authorization endpoint, it seems better to just have Synapse consolidate to a single flow. ### Testing strategy 1. Create a new OAuth application. I'll be using GitHub for example but there are [many options](be65a8ec01/docs/openid.md). Visit https://github.com/settings/developers -> **New OAuth App** - Application name: `Synapse local testing` - Homepage URL: `http://localhost:8008` - Authorization callback URL: `http://localhost:8008/_synapse/client/oidc/callback` 1. Update your Synapse `homeserver.yaml` ```yaml server_name: "my.synapse.server" public_baseurl: http://localhost:8008/ listeners: - port: 8008 bind_addresses: [ #'::1', '127.0.0.1' ] tls: false type: http x_forwarded: true resources: - names: [client, federation, metrics] compress: false # SSO login testing oidc_providers: - idp_id: github idp_name: Github idp_brand: "github" # optional: styling hint for clients discover: false issuer: "https://github.com/" client_id: "xxx" # TO BE FILLED client_secret: "xxx" # TO BE FILLED authorization_endpoint: "https://github.com/login/oauth/authorize" token_endpoint: "https://github.com/login/oauth/access_token" userinfo_endpoint: "https://api.github.com/user" scopes: ["read:user"] user_mapping_provider: config: subject_claim: "id" localpart_template: "{{ user.login }}" display_name_template: "{{ user.name }}" ``` 1. Start Synapse: `poetry run synapse_homeserver --config-path homeserver.yaml` 1. Visit `http://localhost:8008/_synapse/client/pick_idp?redirectUrl=http%3A%2F%2Fexample.com` 1. Choose GitHub 1. Notice that you're redirected to GitHub to sign in (`https://github.com/login/oauth/authorize?...`) Tested locally and works: 1. `http://localhost:8008/_synapse/client/pick_idp?idp=oidc-github&redirectUrl=http%3A//example.com` -> 1. `http://localhost:8008/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=http://example.com` -> 1. `https://github.com/login/oauth/authorize?response_type=code&client_id=xxx&redirect_uri=http%3A%2F%2Flocalhost%3A8008%2F_synapse%2Fclient%2Foidc%2Fcallback&scope=read%3Auser&state=xxx&nonce=xxx`		2024-11-29 11:26:37 -06:00
..
.gitignore
17253.misc	MSC4108: Add a Content-Type header on the PUT response (#17253)	2024-11-26 19:43:26 +01:00
17872.doc	Add Forgejo oidc provider config example (#17872)	2024-11-20 16:06:08 -06:00
17933.bugfix	Fix up logic for delaying sending read receipts over federation. (#17933)	2024-11-25 18:12:33 +00:00
17936.misc	Fix incorrect comment in new schema delta (#17936)	2024-11-20 17:12:17 +00:00
17944.misc	Raise setuptools_rust version cap to 1.10.2 (#17944)	2024-11-20 16:49:21 +00:00
17945.misc	Add encrypted appservice extensions to Complement test image. (#17945)	2024-11-20 16:35:43 +00:00
17952.misc	Return suspended status when querying user account (#17952)	2024-11-22 12:37:19 +00:00
17953.doc	link to element-docker-demo from contrib/docker* (#17953)	2024-11-22 12:35:03 +00:00
17962.misc	Fix new scheduled tasks jumping the queue (#17962)	2024-11-28 18:06:19 +00:00
17966.misc	Bump pyo3 to v0.23.2 (#17966)	2024-11-27 10:46:00 +00:00
17969.misc	Update setuptools-rust and fix building abi3 wheels (#17969)	2024-11-27 13:31:43 +00:00
17972.misc	Consolidate SSO redirects through /_matrix/client/v3/login/sso/redirect(/{idpId}) (#17972)	2024-11-29 11:26:37 -06:00