diff --git a/changelog.d/14778.doc b/changelog.d/14778.doc
new file mode 100644
index 000000000000..677f999f8da0
--- /dev/null
+++ b/changelog.d/14778.doc
@@ -0,0 +1 @@
+Document using Twitter as a OAuth 2.0 authentication provider.
diff --git a/docs/openid.md b/docs/openid.md
index e4ad45f306d6..45aa24dd24ae 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -88,98 +88,41 @@ oidc_providers:
display_name_template: "{{ user.name }}"
```
-### Dex
-
-[Dex][dex-idp] is a simple, open-source OpenID Connect Provider.
-Although it is designed to help building a full-blown provider with an
-external database, it can be configured with static passwords in a config file.
-
-Follow the [Getting Started guide](https://dexidp.io/docs/getting-started/)
-to install Dex.
-
-Edit `examples/config-dev.yaml` config file from the Dex repo to add a client:
-
-```yaml
-staticClients:
-- id: synapse
- secret: secret
- redirectURIs:
- - '[synapse public baseurl]/_synapse/client/oidc/callback'
- name: 'Synapse'
-```
-
-Run with `dex serve examples/config-dev.yaml`.
-
-Synapse config:
-
-```yaml
-oidc_providers:
- - idp_id: dex
- idp_name: "My Dex server"
- skip_verification: true # This is needed as Dex is served on an insecure endpoint
- issuer: "http://127.0.0.1:5556/dex"
- client_id: "synapse"
- client_secret: "secret"
- scopes: ["openid", "profile"]
- user_mapping_provider:
- config:
- localpart_template: "{{ user.name }}"
- display_name_template: "{{ user.name|capitalize }}"
-```
-### Keycloak
-
-[Keycloak][keycloak-idp] is an opensource IdP maintained by Red Hat.
-
-Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak.
-This can be optionally enabled by setting `backchannel_logout_enabled` to `true` in the Synapse configuration, and by setting the "Backchannel Logout URL" in Keycloak.
-
-Follow the [Getting Started Guide](https://www.keycloak.org/getting-started) to install Keycloak and set up a realm.
-
-1. Click `Clients` in the sidebar and click `Create`
-
-2. Fill in the fields as below:
-
-| Field | Value |
-|-----------|-----------|
-| Client ID | `synapse` |
-| Client Protocol | `openid-connect` |
+### Apple
-3. Click `Save`
-4. Fill in the fields as below:
+Configuring "Sign in with Apple" (SiWA) requires an Apple Developer account.
-| Field | Value |
-|-----------|-----------|
-| Client ID | `synapse` |
-| Enabled | `On` |
-| Client Protocol | `openid-connect` |
-| Access Type | `confidential` |
-| Valid Redirect URIs | `[synapse public baseurl]/_synapse/client/oidc/callback` |
-| Backchannel Logout URL (optional) | `[synapse public baseurl]/_synapse/client/oidc/backchannel_logout` |
-| Backchannel Logout Session Required (optional) | `On` |
+You will need to create a new "Services ID" for SiWA, and create and download a
+private key with "SiWA" enabled.
-5. Click `Save`
-6. On the Credentials tab, update the fields:
+As well as the private key file, you will need:
+ * Client ID: the "identifier" you gave the "Services ID"
+ * Team ID: a 10-character ID associated with your developer account.
+ * Key ID: the 10-character identifier for the key.
-| Field | Value |
-|-------|-------|
-| Client Authenticator | `Client ID and Secret` |
+[Apple's developer documentation](https://help.apple.com/developer-account/?lang=en#/dev77c875b7e)
+has more information on setting up SiWA.
-7. Click `Regenerate Secret`
-8. Copy Secret
+The synapse config will look like this:
```yaml
-oidc_providers:
- - idp_id: keycloak
- idp_name: "My KeyCloak server"
- issuer: "https://127.0.0.1:8443/realms/{realm_name}"
- client_id: "synapse"
- client_secret: "copy secret generated from above"
- scopes: ["openid", "profile"]
+ - idp_id: apple
+ idp_name: Apple
+ issuer: "https://appleid.apple.com"
+ client_id: "your-client-id" # Set to the "identifier" for your "ServicesID"
+ client_auth_method: "client_secret_post"
+ client_secret_jwt_key:
+ key_file: "/path/to/AuthKey_KEYIDCODE.p8" # point to your key file
+ jwt_header:
+ alg: ES256
+ kid: "KEYIDCODE" # Set to the 10-char Key ID
+ jwt_payload:
+ iss: TEAMIDCODE # Set to the 10-char Team ID
+ scopes: ["name", "email", "openid"]
+ authorization_endpoint: https://appleid.apple.com/auth/authorize?response_mode=form_post
user_mapping_provider:
config:
- localpart_template: "{{ user.preferred_username }}"
- display_name_template: "{{ user.name }}"
- backchannel_logout_enabled: true # Optional
+ email_template: "{{ user.email }}"
```
### Auth0
@@ -262,123 +205,169 @@ oidc_providers:
display_name_template: "{{ user.preferred_username|capitalize }}" # TO BE FILLED: If your users have names in Authentik and you want those in Synapse, this should be replaced with user.name|capitalize.
```
-### LemonLDAP
+### Dex
-[LemonLDAP::NG][lemonldap] is an open-source IdP solution.
+[Dex][dex-idp] is a simple, open-source OpenID Connect Provider.
+Although it is designed to help building a full-blown provider with an
+external database, it can be configured with static passwords in a config file.
-1. Create an OpenID Connect Relying Parties in LemonLDAP::NG
-2. The parameters are:
-- Client ID under the basic menu of the new Relying Parties (`Options > Basic >
- Client ID`)
-- Client secret (`Options > Basic > Client secret`)
-- JWT Algorithm: RS256 within the security menu of the new Relying Parties
- (`Options > Security > ID Token signature algorithm` and `Options > Security >
- Access Token signature algorithm`)
-- Scopes: OpenID, Email and Profile
-- Allowed redirection addresses for login (`Options > Basic > Allowed
- redirection addresses for login` ) :
- `[synapse public baseurl]/_synapse/client/oidc/callback`
+Follow the [Getting Started guide](https://dexidp.io/docs/getting-started/)
+to install Dex.
+
+Edit `examples/config-dev.yaml` config file from the Dex repo to add a client:
+
+```yaml
+staticClients:
+- id: synapse
+ secret: secret
+ redirectURIs:
+ - '[synapse public baseurl]/_synapse/client/oidc/callback'
+ name: 'Synapse'
+```
+
+Run with `dex serve examples/config-dev.yaml`.
Synapse config:
+
```yaml
oidc_providers:
- - idp_id: lemonldap
- idp_name: lemonldap
- discover: true
- issuer: "https://auth.example.org/" # TO BE FILLED: replace with your domain
- client_id: "your client id" # TO BE FILLED
- client_secret: "your client secret" # TO BE FILLED
- scopes:
- - "openid"
- - "profile"
- - "email"
+ - idp_id: dex
+ idp_name: "My Dex server"
+ skip_verification: true # This is needed as Dex is served on an insecure endpoint
+ issuer: "http://127.0.0.1:5556/dex"
+ client_id: "synapse"
+ client_secret: "secret"
+ scopes: ["openid", "profile"]
user_mapping_provider:
config:
- localpart_template: "{{ user.preferred_username }}}"
- # TO BE FILLED: If your users have names in LemonLDAP::NG and you want those in Synapse, this should be replaced with user.name|capitalize or any valid filter.
- display_name_template: "{{ user.preferred_username|capitalize }}"
+ localpart_template: "{{ user.name }}"
+ display_name_template: "{{ user.name|capitalize }}"
```
-### GitHub
+### Django OAuth Toolkit
-[GitHub][github-idp] is a bit special as it is not an OpenID Connect compliant provider, but
-just a regular OAuth2 provider.
+[django-oauth-toolkit](https://github.com/jazzband/django-oauth-toolkit) is a
+Django application providing out of the box all the endpoints, data and logic
+needed to add OAuth2 capabilities to your Django projects. It supports
+[OpenID Connect too](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html).
-The [`/user` API endpoint](https://developer.github.com/v3/users/#get-the-authenticated-user)
-can be used to retrieve information on the authenticated user. As the Synapse
-login mechanism needs an attribute to uniquely identify users, and that endpoint
-does not return a `sub` property, an alternative `subject_claim` has to be set.
+Configuration on Django's side:
-1. Create a new OAuth application: [https://github.com/settings/applications/new](https://github.com/settings/applications/new).
-2. Set the callback URL to `[synapse public baseurl]/_synapse/client/oidc/callback`.
+1. Add an application: `https://example.com/admin/oauth2_provider/application/add/` and choose parameters like this:
+* `Redirect uris`: `https://synapse.example.com/_synapse/client/oidc/callback`
+* `Client type`: `Confidential`
+* `Authorization grant type`: `Authorization code`
+* `Algorithm`: `HMAC with SHA-2 256`
+2. You can [customize the claims](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses) Django gives to synapse (optional):
+
+ Code sample
-Synapse config:
+ ```python
+ class CustomOAuth2Validator(OAuth2Validator):
+
+ def get_additional_claims(self, request):
+ return {
+ "sub": request.user.email,
+ "email": request.user.email,
+ "first_name": request.user.first_name,
+ "last_name": request.user.last_name,
+ }
+ ```
+
+Your synapse config is then:
```yaml
oidc_providers:
- - idp_id: github
- idp_name: Github
- idp_brand: "github" # optional: styling hint for clients
+ - idp_id: django_example
+ idp_name: "Django Example"
+ issuer: "https://example.com/o/"
+ client_id: "your-client-id" # CHANGE ME
+ client_secret: "your-client-secret" # CHANGE ME
+ scopes: ["openid"]
+ user_profile_method: "userinfo_endpoint" # needed because oauth-toolkit does not include user information in the authorization response
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.email.split('@')[0] }}"
+ display_name_template: "{{ user.first_name }} {{ user.last_name }}"
+ email_template: "{{ user.email }}"
+```
+
+### Facebook
+
+0. You will need a Facebook developer account. You can register for one
+ [here](https://developers.facebook.com/async/registration/).
+1. On the [apps](https://developers.facebook.com/apps/) page of the developer
+ console, "Create App", and choose "Build Connected Experiences".
+2. Once the app is created, add "Facebook Login" and choose "Web". You don't
+ need to go through the whole form here.
+3. In the left-hand menu, open "Products"/"Facebook Login"/"Settings".
+ * Add `[synapse public baseurl]/_synapse/client/oidc/callback` as an OAuth Redirect
+ URL.
+4. In the left-hand menu, open "Settings/Basic". Here you can copy the "App ID"
+ and "App Secret" for use below.
+
+Synapse config:
+
+```yaml
+ - idp_id: facebook
+ idp_name: Facebook
+ idp_brand: "facebook" # optional: styling hint for clients
discover: false
- issuer: "https://github.com/"
+ issuer: "https://www.facebook.com"
client_id: "your-client-id" # TO BE FILLED
client_secret: "your-client-secret" # TO BE FILLED
- authorization_endpoint: "https://github.com/login/oauth/authorize"
- token_endpoint: "https://github.com/login/oauth/access_token"
- userinfo_endpoint: "https://api.github.com/user"
- scopes: ["read:user"]
+ scopes: ["openid", "email"]
+ authorization_endpoint: "https://facebook.com/dialog/oauth"
+ token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
+ jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
user_mapping_provider:
config:
- subject_claim: "id"
- localpart_template: "{{ user.login }}"
display_name_template: "{{ user.name }}"
+ email_template: "{{ user.email }}"
```
-### Google
-
-[Google][google-idp] is an OpenID certified authentication and authorisation provider.
-
-1. Set up a project in the Google API Console (see
- [documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#appsetup)).
-3. Add an "OAuth Client ID" for a Web Application under "Credentials".
-4. Copy the Client ID and Client Secret, and add the following to your synapse config:
- ```yaml
- oidc_providers:
- - idp_id: google
- idp_name: Google
- idp_brand: "google" # optional: styling hint for clients
- issuer: "https://accounts.google.com/"
- client_id: "your-client-id" # TO BE FILLED
- client_secret: "your-client-secret" # TO BE FILLED
- scopes: ["openid", "profile", "email"] # email is optional, read below
- user_mapping_provider:
- config:
- localpart_template: "{{ user.given_name|lower }}"
- display_name_template: "{{ user.name }}"
- email_template: "{{ user.email }}" # needs "email" in scopes above
- ```
-4. Back in the Google console, add this Authorized redirect URI: `[synapse
- public baseurl]/_synapse/client/oidc/callback`.
+Relevant documents:
+ * [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
+ * [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
+ * [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
-### Twitch
+Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
+but it has a `response_types_supported` which excludes "code" (which we rely on, and
+is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
+so we have to disable discovery and configure the URIs manually.
-1. Setup a developer account on [Twitch](https://dev.twitch.tv/)
-2. Obtain the OAuth 2.0 credentials by [creating an app](https://dev.twitch.tv/console/apps/)
-3. Add this OAuth Redirect URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
+### GitHub
+
+[GitHub][github-idp] is a bit special as it is not an OpenID Connect compliant provider, but
+just a regular OAuth2 provider.
+
+The [`/user` API endpoint](https://developer.github.com/v3/users/#get-the-authenticated-user)
+can be used to retrieve information on the authenticated user. As the Synapse
+login mechanism needs an attribute to uniquely identify users, and that endpoint
+does not return a `sub` property, an alternative `subject_claim` has to be set.
+
+1. Create a new OAuth application: [https://github.com/settings/applications/new](https://github.com/settings/applications/new).
+2. Set the callback URL to `[synapse public baseurl]/_synapse/client/oidc/callback`.
Synapse config:
```yaml
oidc_providers:
- - idp_id: twitch
- idp_name: Twitch
- issuer: "https://id.twitch.tv/oauth2/"
+ - idp_id: github
+ idp_name: Github
+ idp_brand: "github" # optional: styling hint for clients
+ discover: false
+ issuer: "https://github.com/"
client_id: "your-client-id" # TO BE FILLED
client_secret: "your-client-secret" # TO BE FILLED
- client_auth_method: "client_secret_post"
+ authorization_endpoint: "https://github.com/login/oauth/authorize"
+ token_endpoint: "https://github.com/login/oauth/access_token"
+ userinfo_endpoint: "https://api.github.com/user"
+ scopes: ["read:user"]
user_mapping_provider:
config:
- localpart_template: "{{ user.preferred_username }}"
+ subject_claim: "id"
+ localpart_template: "{{ user.login }}"
display_name_template: "{{ user.name }}"
```
@@ -407,50 +396,6 @@ oidc_providers:
display_name_template: '{{ user.name }}'
```
-### Facebook
-
-0. You will need a Facebook developer account. You can register for one
- [here](https://developers.facebook.com/async/registration/).
-1. On the [apps](https://developers.facebook.com/apps/) page of the developer
- console, "Create App", and choose "Build Connected Experiences".
-2. Once the app is created, add "Facebook Login" and choose "Web". You don't
- need to go through the whole form here.
-3. In the left-hand menu, open "Products"/"Facebook Login"/"Settings".
- * Add `[synapse public baseurl]/_synapse/client/oidc/callback` as an OAuth Redirect
- URL.
-4. In the left-hand menu, open "Settings/Basic". Here you can copy the "App ID"
- and "App Secret" for use below.
-
-Synapse config:
-
-```yaml
- - idp_id: facebook
- idp_name: Facebook
- idp_brand: "facebook" # optional: styling hint for clients
- discover: false
- issuer: "https://www.facebook.com"
- client_id: "your-client-id" # TO BE FILLED
- client_secret: "your-client-secret" # TO BE FILLED
- scopes: ["openid", "email"]
- authorization_endpoint: "https://facebook.com/dialog/oauth"
- token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
- jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
- user_mapping_provider:
- config:
- display_name_template: "{{ user.name }}"
- email_template: "{{ user.email }}"
-```
-
-Relevant documents:
- * [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
- * [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
- * [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
-
-Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
-but it has a `response_types_supported` which excludes "code" (which we rely on, and
-is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
-so we have to disable discovery and configure the URIs manually.
-
### Gitea
Gitea is, like Github, not an OpenID provider, but just an OAuth2 provider.
@@ -485,110 +430,123 @@ oidc_providers:
display_name_template: "{{ user.full_name }}"
```
-### XWiki
+### Google
-Install [OpenID Connect Provider](https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Provider/) extension in your [XWiki](https://www.xwiki.org) instance.
+[Google][google-idp] is an OpenID certified authentication and authorisation provider.
-Synapse config:
+1. Set up a project in the Google API Console (see
+ [documentation](https://developers.google.com/identity/protocols/oauth2/openid-connect#appsetup)).
+3. Add an "OAuth Client ID" for a Web Application under "Credentials".
+4. Copy the Client ID and Client Secret, and add the following to your synapse config:
+ ```yaml
+ oidc_providers:
+ - idp_id: google
+ idp_name: Google
+ idp_brand: "google" # optional: styling hint for clients
+ issuer: "https://accounts.google.com/"
+ client_id: "your-client-id" # TO BE FILLED
+ client_secret: "your-client-secret" # TO BE FILLED
+ scopes: ["openid", "profile", "email"] # email is optional, read below
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.given_name|lower }}"
+ display_name_template: "{{ user.name }}"
+ email_template: "{{ user.email }}" # needs "email" in scopes above
+ ```
+4. Back in the Google console, add this Authorized redirect URI: `[synapse
+ public baseurl]/_synapse/client/oidc/callback`.
-```yaml
-oidc_providers:
- - idp_id: xwiki
- idp_name: "XWiki"
- issuer: "https://myxwikihost/xwiki/oidc/"
- client_id: "your-client-id" # TO BE FILLED
- client_auth_method: none
- scopes: ["openid", "profile"]
- user_profile_method: "userinfo_endpoint"
- user_mapping_provider:
- config:
- localpart_template: "{{ user.preferred_username }}"
- display_name_template: "{{ user.name }}"
-```
+### Keycloak
-### Apple
+[Keycloak][keycloak-idp] is an opensource IdP maintained by Red Hat.
-Configuring "Sign in with Apple" (SiWA) requires an Apple Developer account.
+Keycloak supports OIDC Back-Channel Logout, which sends logout notification to Synapse, so that Synapse users get logged out when they log out from Keycloak.
+This can be optionally enabled by setting `backchannel_logout_enabled` to `true` in the Synapse configuration, and by setting the "Backchannel Logout URL" in Keycloak.
-You will need to create a new "Services ID" for SiWA, and create and download a
-private key with "SiWA" enabled.
+Follow the [Getting Started Guide](https://www.keycloak.org/getting-started) to install Keycloak and set up a realm.
-As well as the private key file, you will need:
- * Client ID: the "identifier" you gave the "Services ID"
- * Team ID: a 10-character ID associated with your developer account.
- * Key ID: the 10-character identifier for the key.
+1. Click `Clients` in the sidebar and click `Create`
-[Apple's developer documentation](https://help.apple.com/developer-account/?lang=en#/dev77c875b7e)
-has more information on setting up SiWA.
+2. Fill in the fields as below:
-The synapse config will look like this:
+| Field | Value |
+|-----------|-----------|
+| Client ID | `synapse` |
+| Client Protocol | `openid-connect` |
+
+3. Click `Save`
+4. Fill in the fields as below:
+
+| Field | Value |
+|-----------|-----------|
+| Client ID | `synapse` |
+| Enabled | `On` |
+| Client Protocol | `openid-connect` |
+| Access Type | `confidential` |
+| Valid Redirect URIs | `[synapse public baseurl]/_synapse/client/oidc/callback` |
+| Backchannel Logout URL (optional) | `[synapse public baseurl]/_synapse/client/oidc/backchannel_logout` |
+| Backchannel Logout Session Required (optional) | `On` |
+
+5. Click `Save`
+6. On the Credentials tab, update the fields:
+
+| Field | Value |
+|-------|-------|
+| Client Authenticator | `Client ID and Secret` |
+
+7. Click `Regenerate Secret`
+8. Copy Secret
```yaml
- - idp_id: apple
- idp_name: Apple
- issuer: "https://appleid.apple.com"
- client_id: "your-client-id" # Set to the "identifier" for your "ServicesID"
- client_auth_method: "client_secret_post"
- client_secret_jwt_key:
- key_file: "/path/to/AuthKey_KEYIDCODE.p8" # point to your key file
- jwt_header:
- alg: ES256
- kid: "KEYIDCODE" # Set to the 10-char Key ID
- jwt_payload:
- iss: TEAMIDCODE # Set to the 10-char Team ID
- scopes: ["name", "email", "openid"]
- authorization_endpoint: https://appleid.apple.com/auth/authorize?response_mode=form_post
+oidc_providers:
+ - idp_id: keycloak
+ idp_name: "My KeyCloak server"
+ issuer: "https://127.0.0.1:8443/realms/{realm_name}"
+ client_id: "synapse"
+ client_secret: "copy secret generated from above"
+ scopes: ["openid", "profile"]
user_mapping_provider:
config:
- email_template: "{{ user.email }}"
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
+ backchannel_logout_enabled: true # Optional
```
-### Django OAuth Toolkit
-
-[django-oauth-toolkit](https://github.com/jazzband/django-oauth-toolkit) is a
-Django application providing out of the box all the endpoints, data and logic
-needed to add OAuth2 capabilities to your Django projects. It supports
-[OpenID Connect too](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html).
-
-Configuration on Django's side:
-
-1. Add an application: `https://example.com/admin/oauth2_provider/application/add/` and choose parameters like this:
-* `Redirect uris`: `https://synapse.example.com/_synapse/client/oidc/callback`
-* `Client type`: `Confidential`
-* `Authorization grant type`: `Authorization code`
-* `Algorithm`: `HMAC with SHA-2 256`
-2. You can [customize the claims](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses) Django gives to synapse (optional):
-
- Code sample
+### LemonLDAP
- ```python
- class CustomOAuth2Validator(OAuth2Validator):
+[LemonLDAP::NG][lemonldap] is an open-source IdP solution.
- def get_additional_claims(self, request):
- return {
- "sub": request.user.email,
- "email": request.user.email,
- "first_name": request.user.first_name,
- "last_name": request.user.last_name,
- }
- ```
-
-Your synapse config is then:
+1. Create an OpenID Connect Relying Parties in LemonLDAP::NG
+2. The parameters are:
+- Client ID under the basic menu of the new Relying Parties (`Options > Basic >
+ Client ID`)
+- Client secret (`Options > Basic > Client secret`)
+- JWT Algorithm: RS256 within the security menu of the new Relying Parties
+ (`Options > Security > ID Token signature algorithm` and `Options > Security >
+ Access Token signature algorithm`)
+- Scopes: OpenID, Email and Profile
+- Allowed redirection addresses for login (`Options > Basic > Allowed
+ redirection addresses for login` ) :
+ `[synapse public baseurl]/_synapse/client/oidc/callback`
+Synapse config:
```yaml
oidc_providers:
- - idp_id: django_example
- idp_name: "Django Example"
- issuer: "https://example.com/o/"
- client_id: "your-client-id" # CHANGE ME
- client_secret: "your-client-secret" # CHANGE ME
- scopes: ["openid"]
- user_profile_method: "userinfo_endpoint" # needed because oauth-toolkit does not include user information in the authorization response
+ - idp_id: lemonldap
+ idp_name: lemonldap
+ discover: true
+ issuer: "https://auth.example.org/" # TO BE FILLED: replace with your domain
+ client_id: "your client id" # TO BE FILLED
+ client_secret: "your client secret" # TO BE FILLED
+ scopes:
+ - "openid"
+ - "profile"
+ - "email"
user_mapping_provider:
config:
- localpart_template: "{{ user.email.split('@')[0] }}"
- display_name_template: "{{ user.first_name }} {{ user.last_name }}"
- email_template: "{{ user.email }}"
+ localpart_template: "{{ user.preferred_username }}}"
+ # TO BE FILLED: If your users have names in LemonLDAP::NG and you want those in Synapse, this should be replaced with user.name|capitalize or any valid filter.
+ display_name_template: "{{ user.preferred_username|capitalize }}"
```
### Mastodon
@@ -631,3 +589,81 @@ oidc_providers:
```
Note that the fields `client_id` and `client_secret` are taken from the CURL response above.
+
+### Twitch
+
+1. Setup a developer account on [Twitch](https://dev.twitch.tv/)
+2. Obtain the OAuth 2.0 credentials by [creating an app](https://dev.twitch.tv/console/apps/)
+3. Add this OAuth Redirect URL: `[synapse public baseurl]/_synapse/client/oidc/callback`
+
+Synapse config:
+
+```yaml
+oidc_providers:
+ - idp_id: twitch
+ idp_name: Twitch
+ issuer: "https://id.twitch.tv/oauth2/"
+ client_id: "your-client-id" # TO BE FILLED
+ client_secret: "your-client-secret" # TO BE FILLED
+ client_auth_method: "client_secret_post"
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
+```
+
+### Twitter
+
+*Using Twitter as an identity provider requires using Synapse 1.75.0 or later.*
+
+1. Setup a developer account on [Twitter](https://developer.twitter.com/en/portal/dashboard)
+2. Create a project & app.
+3. Enable user authentication and under "Type of App" choose "Web App, Automated App or Bot".
+4. Under "App info" set the callback URL to `[synapse public baseurl]/_synapse/client/oidc/callback`.
+5. Obtain the OAuth 2.0 credentials under the "Keys and tokens" tab, copy the "OAuth 2.0 Client ID and Client Secret"
+
+Synapse config:
+
+```yaml
+oidc_providers:
+ - idp_id: twitter
+ idp_name: Twitter
+ idp_brand: "twitter" # optional: styling hint for clients
+ discover: false # Twitter is not OpenID compliant.
+ issuer: "https://twitter.com/"
+ client_id: "your-client-id" # TO BE FILLED
+ client_secret: "your-client-secret" # TO BE FILLED
+ pkce_method: "always"
+ # offline.access providers refresh tokens, tweet.read and users.read needed for userinfo request.
+ scopes: ["offline.access", "tweet.read", "users.read"]
+ authorization_endpoint: https://twitter.com/i/oauth2/authorize
+ token_endpoint: https://api.twitter.com/2/oauth2/token
+ userinfo_endpoint: https://api.twitter.com/2/users/me?user.fields=profile_image_url
+ user_mapping_provider:
+ config:
+ subject_template: "{{ user.data.id }}"
+ localpart_template: "{{ user.data.username }}"
+ display_name_template: "{{ user.data.name }}"
+ picture_template: "{{ user.data.profile_image_url }}"
+```
+
+### XWiki
+
+Install [OpenID Connect Provider](https://extensions.xwiki.org/xwiki/bin/view/Extension/OpenID%20Connect/OpenID%20Connect%20Provider/) extension in your [XWiki](https://www.xwiki.org) instance.
+
+Synapse config:
+
+```yaml
+oidc_providers:
+ - idp_id: xwiki
+ idp_name: "XWiki"
+ issuer: "https://myxwikihost/xwiki/oidc/"
+ client_id: "your-client-id" # TO BE FILLED
+ client_auth_method: none
+ scopes: ["openid", "profile"]
+ user_profile_method: "userinfo_endpoint"
+ user_mapping_provider:
+ config:
+ localpart_template: "{{ user.preferred_username }}"
+ display_name_template: "{{ user.name }}"
+```