Implement config option sso.update_profile_information (#10108)

Implemented config option sso.update_profile_information to keep user's display name in sync with the SSO displayname. Signed-off-by: Johannes Kanefendt <johannes.kanefendt@krzn.de>
2024-06-14 00:28:25 +02:00 · 2021-06-22 00:48:57 +02:00 · 2021-06-22 00:48:57 +02:00 · 756fd513df
parent a5cd05beee
commit 756fd513df
4 changed files with 51 additions and 1 deletions
--- a/changelog.d/10108.feature
+++ b/changelog.d/10108.feature
@ -0,0 +1 @@
+Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported.
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -1975,6 +1975,17 @@ sso:
    #  - https://riot.im/develop
    #  - https://my.custom.client/

+    # Uncomment to keep a user's profile fields in sync with information from
+    # the identity provider. Currently only syncing the displayname is
+    # supported. Fields are checked on every SSO login, and are updated
+    # if necessary.
+    #
+    # Note that enabling this option will override user profile information,
+    # regardless of whether users have opted-out of syncing that
+    # information when first signing in. Defaults to false.
+    #
+    #update_profile_information: true
+
    # Directory in which Synapse will try to find the template files below.
    # If not set, or the files named below are not found within the template
    # directory, default templates from within the Synapse package will be used.
--- a/synapse/config/sso.py
+++ b/synapse/config/sso.py
@ -74,6 +74,10 @@ class SSOConfig(Config):

        self.sso_client_whitelist = sso_config.get("client_whitelist") or []

+        self.sso_update_profile_information = (
+            sso_config.get("update_profile_information") or False
+        )
+
        # Attempt to also whitelist the server's login fallback, since that fallback sets
        # the redirect URL to itself (so it can process the login token then return
        # gracefully to the client). This would make it pointless to ask the user for
@ -111,6 +115,17 @@ class SSOConfig(Config):
            #  - https://riot.im/develop
            #  - https://my.custom.client/

+            # Uncomment to keep a user's profile fields in sync with information from
+            # the identity provider. Currently only syncing the displayname is
+            # supported. Fields are checked on every SSO login, and are updated
+            # if necessary.
+            #
+            # Note that enabling this option will override user profile information,
+            # regardless of whether users have opted-out of syncing that
+            # information when first signing in. Defaults to false.
+            #
+            #update_profile_information: true
+
            # Directory in which Synapse will try to find the template files below.
            # If not set, or the files named below are not found within the template
            # directory, default templates from within the Synapse package will be used.
--- a/synapse/handlers/sso.py
+++ b/synapse/handlers/sso.py
@ -41,7 +41,12 @@ from synapse.handlers.ui_auth import UIAuthSessionDataConstants
 from synapse.http import get_request_user_agent
 from synapse.http.server import respond_with_html, respond_with_redirect
 from synapse.http.site import SynapseRequest
-from synapse.types import JsonDict, UserID, contains_invalid_mxid_characters
+from synapse.types import (
+    JsonDict,
+    UserID,
+    contains_invalid_mxid_characters,
+    create_requester,
+)
 from synapse.util.async_helpers import Linearizer
 from synapse.util.stringutils import random_string

@ -185,11 +190,14 @@ class SsoHandler:
        self._auth_handler = hs.get_auth_handler()
        self._error_template = hs.config.sso_error_template
        self._bad_user_template = hs.config.sso_auth_bad_user_template
+        self._profile_handler = hs.get_profile_handler()

        # The following template is shown after a successful user interactive
        # authentication session. It tells the user they can close the window.
        self._sso_auth_success_template = hs.config.sso_auth_success_template

+        self._sso_update_profile_information = hs.config.sso_update_profile_information
+
        # a lock on the mappings
        self._mapping_lock = Linearizer(name="sso_user_mapping", clock=hs.get_clock())

@ -458,6 +466,21 @@ class SsoHandler:
                    request.getClientIP(),
                )
                new_user = True
+            elif self._sso_update_profile_information:
+                attributes = await self._call_attribute_mapper(sso_to_matrix_id_mapper)
+                if attributes.display_name:
+                    user_id_obj = UserID.from_string(user_id)
+                    profile_display_name = await self._profile_handler.get_displayname(
+                        user_id_obj
+                    )
+                    if profile_display_name != attributes.display_name:
+                        requester = create_requester(
+                            user_id,
+                            authenticated_entity=user_id,
+                        )
+                        await self._profile_handler.set_displayname(
+                            user_id_obj, requester, attributes.display_name, True
+                        )

        await self._auth_handler.complete_sso_login(
            user_id,
				`@ -0,0 +1 @@`
				Implement config option `sso.update_profile_information` to sync SSO users' profile information with the identity provider each time they login. Currently only displayname is supported.