Adjust Synapse OIDC variable wiring and docs
Auto-enabling the OIDC APIs is convenient for people using the new `matrix_synapse_oidc_*` variables.
parent
bdc573d1b1
commit
aff57d67c0
@ -46,7 +46,7 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per
|
|||||||
|
|
||||||
## Synapse + OpenID Connect for Single-Sign-On
|
## Synapse + OpenID Connect for Single-Sign-On
|
||||||
|
|
||||||
If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)).
|
If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional configuration.
|
||||||
|
|
||||||
This example configuration is for [keycloak](https://www.keycloak.org/), an opensource Identity Provider maintained by Red Hat.
|
This example configuration is for [keycloak](https://www.keycloak.org/), an opensource Identity Provider maintained by Red Hat.
|
||||||
|
|
||||||
@ -54,23 +54,26 @@ For more detailed documentation on available options and how to setup keycloak,
|
|||||||
|
|
||||||
In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ;
|
In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ;
|
||||||
|
|
||||||
|
```yml
|
||||||
|
matrix_synapse_oidc_enabled: true
|
||||||
|
|
||||||
|
matrix_synapse_oidc_providers:
|
||||||
|
- idp_id: keycloak
|
||||||
|
idp_name: "My KeyCloak server"
|
||||||
|
issuer: "https://url.ix/auth/realms/{realm_name}"
|
||||||
|
client_id: "matrix"
|
||||||
|
client_secret: "{{ vault_synapse_keycloak }}"
|
||||||
|
scopes: ["openid", "profile"]
|
||||||
|
user_mapping_provider:
|
||||||
|
config:
|
||||||
|
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
||||||
|
display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
|
||||||
|
email_template: "{% raw %}{{ user.email }}{% endraw %}"
|
||||||
|
allow_existing_users: true # Optional
|
||||||
|
backchannel_logout_enabled: true # Optional
|
||||||
```
|
```
|
||||||
matrix_synapse_configuration_extension_yaml: |
|
|
||||||
oidc_providers:
|
**NOTE**: if you inject the OIDC configuration using `matrix_synapse_configuration_extension_yaml` (instead of `matrix_synapse_oidc_enabled: true` + `matrix_synapse_oidc_providers`), then the OIDC routes (`/_synapse/oidc`) will not be publicly exposed automatically. In such a case, you'd need to expose them manually by toggling: `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true`.
|
||||||
- idp_id: keycloak
|
|
||||||
idp_name: "My KeyCloak server"
|
|
||||||
issuer: "https://url.ix/auth/realms/{realm_name}"
|
|
||||||
client_id: "matrix"
|
|
||||||
client_secret: "{{ vault_synapse_keycloak }}"
|
|
||||||
scopes: ["openid", "profile"]
|
|
||||||
user_mapping_provider:
|
|
||||||
config:
|
|
||||||
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
|
|
||||||
display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
|
|
||||||
email_template: "{% raw %}{{ user.email }}{% endraw %}"
|
|
||||||
allow_existing_users: true # Optional
|
|
||||||
backchannel_logout_enabled: true # Optional
|
|
||||||
```
|
|
||||||
|
|
||||||
|
|
||||||
## Customizing templates
|
## Customizing templates
|
||||||
|
@ -228,7 +228,7 @@ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls_cer
|
|||||||
# Enable this if you need OpenID Connect authentication support.
|
# Enable this if you need OpenID Connect authentication support.
|
||||||
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
|
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
|
||||||
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
|
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
|
||||||
matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: false
|
matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_oidc_enabled }}"
|
||||||
matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
|
matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
|
||||||
matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
|
matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc
|
||||||
matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)"
|
matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)"
|
||||||
@ -253,7 +253,7 @@ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls_cert
|
|||||||
# Controls whether labels will be added that expose the Server-Server API (Federation API).
|
# Controls whether labels will be added that expose the Server-Server API (Federation API).
|
||||||
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
|
# Regardless of whether this is enabled, it may or may not take effect due to the value of other variables.
|
||||||
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
|
# See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled`
|
||||||
matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_enabled and not matrix_synapse_workers_enabled }}"
|
matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_enabled and matrix_synapse_federation_port_enabled and not matrix_synapse_workers_enabled }}"
|
||||||
matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
|
matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}"
|
||||||
matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_matrix
|
matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_matrix
|
||||||
matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)"
|
||||||
|
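Review bot: The header comment above `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled` still reads "Enable this if you need OpenID Connect authentication support." even though the value is now derived from `matrix_synapse_oidc_enabled`, so a reader gets no hint that the labels exposing `/_synapse/oidc` are added automatically once OIDC is switched on, nor that this variable must be set explicitly when OIDC is configured through `matrix_synapse_configuration_extension_yaml` instead (as the docs hunk in this commit points out). Suggested replacement: `# Controls whether labels will be added that expose the OIDC API (/_synapse/oidc). Defaults to following matrix_synapse_oidc_enabled; set it explicitly if OIDC is configured via matrix_synapse_configuration_extension_yaml.` Presumably `matrix_synapse_oidc_enabled` is declared elsewhere in this defaults file — worth confirming, since an undefined name here would only surface when the labels are rendered. The second hunk additionally gates `matrix_synapse_container_labels_public_federation_api_enabled` on `matrix_synapse_federation_port_enabled`, which neither the comment above that variable nor the commit description mentions; a sentence in either place would make the new coupling visible to someone debugging federation labels that quietly stop being added.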
@ -92,7 +92,7 @@
|
|||||||
- {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
|
- {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': '<redirecting the riot domain to an element domain is no longer supported - you can implement it yourself using matrix_client_element_container_labels_additional_labels>'}
|
||||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': '<superseded by matrix_synapse_container_labels_public_client_root_redirection_* or other equivalent variables based on the homeserver implementation you use>'}
|
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': '<superseded by matrix_synapse_container_labels_public_client_root_redirection_* or other equivalent variables based on the homeserver implementation you use>'}
|
||||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'}
|
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'}
|
||||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled'}
|
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': '<replaced by matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled, but if you use matrix_synapse_oidc_enabled then it would be toggled automatically; see the new recommended OIDC example configuration in docs/configuring-playbook-synapse.md>'}
|
||||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'}
|
- {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'}
|
||||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
|
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': '<superseded by matrix_ma1sd_container_labels_traefik_enabled and matrix_ma1sd_container_labels_matrix_identity_enabled>'}
|
||||||
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
|
- {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': '<removed>'}
|
||||||
|