
add open id connect configuration to synapse template

pull/797/head
Klaus Schwartz 5 лет назад
Родитель
Сommit
f298e00deb
2 измененных файлов: 47 добавлений и 4 удалений
  1. +40
    -0
      roles/matrix-synapse/defaults/main.yml
  2. +7
    -4
      roles/matrix-synapse/templates/synapse/homeserver.yaml.j2

+ 40
- 0
roles/matrix-synapse/defaults/main.yml

@@ -426,3 +426,43 @@ matrix_synapse_configuration_extension: "{{ matrix_synapse_configuration_extensi
# Holds the final Synapse configuration (a combination of the default and its extension).
# You most likely don't need to touch this variable. Instead, see `matrix_synapse_configuration_yaml`.
matrix_synapse_configuration: "{{ matrix_synapse_configuration_yaml|from_yaml|combine(matrix_synapse_configuration_extension, recursive=True) }}"


# oidc / sso

# Set to false if you need only SSO auth
matrix_synapse_password_config_enabled: true


# Configure open id connect
matrix_synapse_oidc_enabled: false
matrix_synapse_oidc_issuer: ""
matrix_synapse_oidc_client_id: ""
matrix_synapse_oidc_client_secret: ""
matrix_synapse_oidc_scopes: ["openid"]
matrix_synapse_oidc_allow_existing_users: false
matrix_synapse_oidc_client_auth_method: client_secret_basic
matrix_synapse_oidc_subject_claim: "sub"
matrix_synapse_oidc_localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
matrix_synapse_oidc_display_name_template: "{% raw %}{{ user.name }}{% endraw %}"


# see https://github.com/matrix-org/synapse/blob/develop/docs/openid.md
matrix_synapse_oidc_config:
enabled: "{{ matrix_synapse_oidc_enabled }}"
issuer: "{{ matrix_synapse_oidc_issuer }}"
client_id: "{{ matrix_synapse_oidc_client_id }}"
client_secret: "{{ matrix_synapse_oidc_client_secret }}"
scopes: "{{ matrix_synapse_oidc_scopes }}"
allow_existing_users: "{{ matrix_synapse_oidc_allow_existing_users }}"
client_auth_method: "{{ matrix_synapse_oidc_client_auth_method }}"
user_mapping_provider:
config:
subject_claim: "{{ matrix_synapse_oidc_subject_claim }}"
localpart_template: "{{ matrix_synapse_oidc_localpart_template }}"
display_name_template: "{{ matrix_synapse_oidc_display_name_template }}"

# Set trusted SSO resources, e.g. [ "https://element.matrix.domain" ]
matrix_synapse_sso:
client_whitelist: ["{{https://element.matrix.domain}}"]
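Review bot: The default `client_whitelist: ["{{https://element.matrix.domain}}"]` wraps the example URL in Jinja delimiters, so when `matrix_synapse_sso.client_whitelist` is rendered into homeserver.yaml Ansible will try to evaluate `https://element.matrix.domain` as an expression rather than pass a literal string. Even as a plain string it would be the wrong default: Synapse's sso `client_whitelist` names the clients trusted to complete an SSO login without the user's confirmation page, the homeserver.yaml comment in the second file says the list is empty by default, and the comment directly above presents the domain as an example only. Suggest `client_whitelist: []` so a deployer has to opt in, and keep the example URL in the comment. The remaining new defaults (the booleans, `scopes: ["openid"]`, the `{% raw %}`-guarded mapping templates) read as intended.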


+ 7
- 4
roles/matrix-synapse/templates/synapse/homeserver.yaml.j2 Просмотреть файл

@@ -1660,6 +1660,7 @@ saml2_config:
#idp_entityid: 'https://our_idp/entityid'


{% if not matrix_synapse_oidc_config.enabled %}
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
#
# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
@@ -1793,8 +1794,10 @@ oidc_config:
#
#extra_attributes:
#birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}"


{% endif %}
{% if matrix_synapse_oidc_config.enabled %}
oidc_config: {{ matrix_synapse_oidc_config }}
{% endif %}

# Enable Central Authentication Service (CAS) for registration and login.
#
@@ -1849,7 +1852,7 @@ sso:
#
# By default, this list is empty.
#
#client_whitelist:
client_whitelist: {{ matrix_synapse_sso.client_whitelist|to_json }}
# - https://riot.im/develop
# - https://my.custom.client/

@@ -1974,7 +1977,7 @@ sso:
password_config:
# Uncomment to disable password login
#
#enabled: false
enabled: {{ matrix_synapse_password_config_enabled|to_json }}

# Uncomment to disable authentication against the local password
# database. This is ignored if `enabled` is false, and is only useful
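Review bot: `oidc_config: {{ matrix_synapse_oidc_config }}` in the second hunk emits the Python repr of the dict (single-quoted strings, `True`/`False`) rather than YAML or JSON, whereas the other new lines in this commit (`client_whitelist: ... |to_json`, `enabled: ... |to_json`) serialise through `to_json`; the repr likely parses under PyYAML today, but a value that reprs as `None` or contains a quote or backslash would break the rendered homeserver.yaml. Suggest `oidc_config: {{ matrix_synapse_oidc_config|to_json }}` for consistency with the sibling changes. The `{% if not matrix_synapse_oidc_config.enabled %}` opened in the first hunk is closed by the `{% endif %}` in the second, so the hidden commented-out example block lies between the hunks. Since this line also writes the OIDC client secret into homeserver.yaml, it is worth confirming that the rendered file's permissions keep it from being world-readable — that is outside this diff.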

