forked from MirrorHub/synapse
Add initial support for a "pick your IdP" page (#9017)
During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
This commit is contained in:
parent
d2c616a413
commit
111b673fc1
11 changed files with 194 additions and 3 deletions
1
changelog.d/9017.feature
Normal file
1
changelog.d/9017.feature
Normal file
|
@ -0,0 +1 @@
|
|||
Add support for multiple SSO Identity Providers.
|
|
@ -1909,6 +1909,31 @@ sso:
|
|||
#
|
||||
# Synapse will look for the following templates in this directory:
|
||||
#
|
||||
# * HTML page to prompt the user to choose an Identity Provider during
|
||||
# login: 'sso_login_idp_picker.html'.
|
||||
#
|
||||
# This is only used if multiple SSO Identity Providers are configured.
|
||||
#
|
||||
# When rendering, this template is given the following variables:
|
||||
# * redirect_url: the URL that the user will be redirected to after
|
||||
# login. Needs manual escaping (see
|
||||
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
|
||||
#
|
||||
# * server_name: the homeserver's name.
|
||||
#
|
||||
# * providers: a list of available Identity Providers. Each element is
|
||||
# an object with the following attributes:
|
||||
# * idp_id: unique identifier for the IdP
|
||||
# * idp_name: user-facing name for the IdP
|
||||
#
|
||||
# The rendered HTML page should contain a form which submits its results
|
||||
# back as a GET request, with the following query parameters:
|
||||
#
|
||||
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
|
||||
# to the template)
|
||||
#
|
||||
# * idp: the 'idp_id' of the chosen IDP.
|
||||
#
|
||||
# * HTML page for a confirmation step before redirecting back to the client
|
||||
# with the login token: 'sso_redirect_confirm.html'.
|
||||
#
|
||||
|
|
|
@ -63,6 +63,7 @@ from synapse.rest import ClientRestResource
|
|||
from synapse.rest.admin import AdminRestResource
|
||||
from synapse.rest.health import HealthResource
|
||||
from synapse.rest.key.v2 import KeyApiV2Resource
|
||||
from synapse.rest.synapse.client.pick_idp import PickIdpResource
|
||||
from synapse.rest.synapse.client.pick_username import pick_username_resource
|
||||
from synapse.rest.well_known import WellKnownResource
|
||||
from synapse.server import HomeServer
|
||||
|
@ -194,6 +195,7 @@ class SynapseHomeServer(HomeServer):
|
|||
"/.well-known/matrix/client": WellKnownResource(self),
|
||||
"/_synapse/admin": AdminRestResource(self),
|
||||
"/_synapse/client/pick_username": pick_username_resource(self),
|
||||
"/_synapse/client/pick_idp": PickIdpResource(self),
|
||||
}
|
||||
)
|
||||
|
||||
|
|
|
@ -31,6 +31,7 @@ class SSOConfig(Config):
|
|||
|
||||
# Read templates from disk
|
||||
(
|
||||
self.sso_login_idp_picker_template,
|
||||
self.sso_redirect_confirm_template,
|
||||
self.sso_auth_confirm_template,
|
||||
self.sso_error_template,
|
||||
|
@ -38,6 +39,7 @@ class SSOConfig(Config):
|
|||
sso_auth_success_template,
|
||||
) = self.read_templates(
|
||||
[
|
||||
"sso_login_idp_picker.html",
|
||||
"sso_redirect_confirm.html",
|
||||
"sso_auth_confirm.html",
|
||||
"sso_error.html",
|
||||
|
@ -98,6 +100,31 @@ class SSOConfig(Config):
|
|||
#
|
||||
# Synapse will look for the following templates in this directory:
|
||||
#
|
||||
# * HTML page to prompt the user to choose an Identity Provider during
|
||||
# login: 'sso_login_idp_picker.html'.
|
||||
#
|
||||
# This is only used if multiple SSO Identity Providers are configured.
|
||||
#
|
||||
# When rendering, this template is given the following variables:
|
||||
# * redirect_url: the URL that the user will be redirected to after
|
||||
# login. Needs manual escaping (see
|
||||
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
|
||||
#
|
||||
# * server_name: the homeserver's name.
|
||||
#
|
||||
# * providers: a list of available Identity Providers. Each element is
|
||||
# an object with the following attributes:
|
||||
# * idp_id: unique identifier for the IdP
|
||||
# * idp_name: user-facing name for the IdP
|
||||
#
|
||||
# The rendered HTML page should contain a form which submits its results
|
||||
# back as a GET request, with the following query parameters:
|
||||
#
|
||||
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
|
||||
# to the template)
|
||||
#
|
||||
# * idp: the 'idp_id' of the chosen IDP.
|
||||
#
|
||||
# * HTML page for a confirmation step before redirecting back to the client
|
||||
# with the login token: 'sso_redirect_confirm.html'.
|
||||
#
|
||||
|
|
|
@ -77,6 +77,9 @@ class CasHandler:
|
|||
# identifier for the external_ids table
|
||||
self.idp_id = "cas"
|
||||
|
||||
# user-facing name of this auth provider
|
||||
self.idp_name = "CAS"
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
|
|
@ -121,6 +121,9 @@ class OidcHandler(BaseHandler):
|
|||
# identifier for the external_ids table
|
||||
self.idp_id = "oidc"
|
||||
|
||||
# user-facing name of this auth provider
|
||||
self.idp_name = "OIDC"
|
||||
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
|
||||
self._sso_handler.register_identity_provider(self)
|
||||
|
|
|
@ -75,6 +75,9 @@ class SamlHandler(BaseHandler):
|
|||
# identifier for the external_ids table
|
||||
self.idp_id = "saml"
|
||||
|
||||
# user-facing name of this auth provider
|
||||
self.idp_name = "SAML"
|
||||
|
||||
# a map from saml session id to Saml2SessionData object
|
||||
self._outstanding_requests_dict = {} # type: Dict[str, Saml2SessionData]
|
||||
|
||||
|
|
|
@ -14,7 +14,8 @@
|
|||
# limitations under the License.
|
||||
import abc
|
||||
import logging
|
||||
from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Optional
|
||||
from typing import TYPE_CHECKING, Awaitable, Callable, Dict, List, Mapping, Optional
|
||||
from urllib.parse import urlencode
|
||||
|
||||
import attr
|
||||
from typing_extensions import NoReturn, Protocol
|
||||
|
@ -66,6 +67,11 @@ class SsoIdentityProvider(Protocol):
|
|||
Eg, "saml", "cas", "github"
|
||||
"""
|
||||
|
||||
@property
|
||||
@abc.abstractmethod
|
||||
def idp_name(self) -> str:
|
||||
"""User-facing name for this provider"""
|
||||
|
||||
@abc.abstractmethod
|
||||
async def handle_redirect_request(
|
||||
self,
|
||||
|
@ -156,6 +162,10 @@ class SsoHandler:
|
|||
assert p_id not in self._identity_providers
|
||||
self._identity_providers[p_id] = p
|
||||
|
||||
def get_identity_providers(self) -> Mapping[str, SsoIdentityProvider]:
|
||||
"""Get the configured identity providers"""
|
||||
return self._identity_providers
|
||||
|
||||
def render_error(
|
||||
self,
|
||||
request: Request,
|
||||
|
@ -203,8 +213,10 @@ class SsoHandler:
|
|||
ap = next(iter(self._identity_providers.values()))
|
||||
return await ap.handle_redirect_request(request, client_redirect_url)
|
||||
|
||||
# otherwise, we have a configuration error
|
||||
raise Exception("Multiple SSO identity providers have been configured!")
|
||||
# otherwise, redirect to the IDP picker
|
||||
return "/_synapse/client/pick_idp?" + urlencode(
|
||||
(("redirectUrl", client_redirect_url),)
|
||||
)
|
||||
|
||||
async def get_sso_user_by_remote_user_id(
|
||||
self, auth_provider_id: str, remote_user_id: str
|
||||
|
|
28
synapse/res/templates/sso_login_idp_picker.html
Normal file
28
synapse/res/templates/sso_login_idp_picker.html
Normal file
|
@ -0,0 +1,28 @@
|
|||
<!DOCTYPE html>
|
||||
<html lang="en">
|
||||
<head>
|
||||
<meta charset="UTF-8">
|
||||
<link rel="stylesheet" href="/_matrix/static/client/login/style.css">
|
||||
<title>{{server_name | e}} Login</title>
|
||||
</head>
|
||||
<body>
|
||||
<div id="container">
|
||||
<h1 id="title">{{server_name | e}} Login</h1>
|
||||
<div class="login_flow">
|
||||
<p>Choose one of the following identity providers:</p>
|
||||
<form>
|
||||
<input type="hidden" name="redirectUrl" value="{{redirect_url | e}}">
|
||||
<ul class="radiobuttons">
|
||||
{% for p in providers %}
|
||||
<li>
|
||||
<input type="radio" name="idp" id="prov{{loop.index}}" value="{{p.idp_id}}">
|
||||
<label for="prov{{loop.index}}">{{p.idp_name | e}}</label>
|
||||
</li>
|
||||
{% endfor %}
|
||||
</ul>
|
||||
<input type="submit" class="button button--full-width" id="button-submit" value="Submit">
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</body>
|
||||
</html>
|
82
synapse/rest/synapse/client/pick_idp.py
Normal file
82
synapse/rest/synapse/client/pick_idp.py
Normal file
|
@ -0,0 +1,82 @@
|
|||
# -*- coding: utf-8 -*-
|
||||
# Copyright 2021 The Matrix.org Foundation C.I.C.
|
||||
#
|
||||
# Licensed under the Apache License, Version 2.0 (the "License");
|
||||
# you may not use this file except in compliance with the License.
|
||||
# You may obtain a copy of the License at
|
||||
#
|
||||
# http://www.apache.org/licenses/LICENSE-2.0
|
||||
#
|
||||
# Unless required by applicable law or agreed to in writing, software
|
||||
# distributed under the License is distributed on an "AS IS" BASIS,
|
||||
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
# See the License for the specific language governing permissions and
|
||||
# limitations under the License.
|
||||
import logging
|
||||
from typing import TYPE_CHECKING
|
||||
|
||||
from synapse.http.server import (
|
||||
DirectServeHtmlResource,
|
||||
finish_request,
|
||||
respond_with_html,
|
||||
)
|
||||
from synapse.http.servlet import parse_string
|
||||
from synapse.http.site import SynapseRequest
|
||||
|
||||
if TYPE_CHECKING:
|
||||
from synapse.server import HomeServer
|
||||
|
||||
logger = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class PickIdpResource(DirectServeHtmlResource):
|
||||
"""IdP picker resource.
|
||||
|
||||
This resource gets mounted under /_synapse/client/pick_idp. It serves an HTML page
|
||||
which prompts the user to choose an Identity Provider from the list.
|
||||
"""
|
||||
|
||||
def __init__(self, hs: "HomeServer"):
|
||||
super().__init__()
|
||||
self._sso_handler = hs.get_sso_handler()
|
||||
self._sso_login_idp_picker_template = (
|
||||
hs.config.sso.sso_login_idp_picker_template
|
||||
)
|
||||
self._server_name = hs.hostname
|
||||
|
||||
async def _async_render_GET(self, request: SynapseRequest) -> None:
|
||||
client_redirect_url = parse_string(request, "redirectUrl", required=True)
|
||||
idp = parse_string(request, "idp", required=False)
|
||||
|
||||
# if we need to pick an IdP, do so
|
||||
if not idp:
|
||||
return await self._serve_id_picker(request, client_redirect_url)
|
||||
|
||||
# otherwise, redirect to the IdP's redirect URI
|
||||
providers = self._sso_handler.get_identity_providers()
|
||||
auth_provider = providers.get(idp)
|
||||
if not auth_provider:
|
||||
logger.info("Unknown idp %r", idp)
|
||||
self._sso_handler.render_error(
|
||||
request, "unknown_idp", "Unknown identity provider ID"
|
||||
)
|
||||
return
|
||||
|
||||
sso_url = await auth_provider.handle_redirect_request(
|
||||
request, client_redirect_url.encode("utf8")
|
||||
)
|
||||
logger.info("Redirecting to %s", sso_url)
|
||||
request.redirect(sso_url)
|
||||
finish_request(request)
|
||||
|
||||
async def _serve_id_picker(
|
||||
self, request: SynapseRequest, client_redirect_url: str
|
||||
) -> None:
|
||||
# otherwise, serve up the IdP picker
|
||||
providers = self._sso_handler.get_identity_providers()
|
||||
html = self._sso_login_idp_picker_template.render(
|
||||
redirect_url=client_redirect_url,
|
||||
server_name=self._server_name,
|
||||
providers=providers.values(),
|
||||
)
|
||||
respond_with_html(request, 200, html)
|
|
@ -31,6 +31,11 @@ form {
|
|||
margin: 10px 0 0 0;
|
||||
}
|
||||
|
||||
ul.radiobuttons {
|
||||
text-align: left;
|
||||
list-style: none;
|
||||
}
|
||||
|
||||
/*
|
||||
* Add some padding to the viewport.
|
||||
*/
|
||||
|
|
Loading…
Reference in a new issue