From aff57d67c040cd475c816a0b3c7ed16b73d86f57 Mon Sep 17 00:00:00 2001 From: Slavi Pantaleev Date: Sun, 14 Jan 2024 12:31:24 +0200 Subject: [PATCH] Adjust Synapse OIDC variable wiring and docs Auto-enabling the OIDC APIs is convenient for people using the new `matrix_synapse_oidc_*` variables. --- docs/configuring-playbook-synapse.md | 37 ++++++++++--------- roles/custom/matrix-synapse/defaults/main.yml | 4 +- .../tasks/validate_config.yml | 2 +- 3 files changed, 23 insertions(+), 20 deletions(-) diff --git a/docs/configuring-playbook-synapse.md b/docs/configuring-playbook-synapse.md index 50a048d5d..e9413f22c 100644 --- a/docs/configuring-playbook-synapse.md +++ b/docs/configuring-playbook-synapse.md @@ -46,7 +46,7 @@ Certain Synapse administration tasks (managing users and rooms, etc.) can be per ## Synapse + OpenID Connect for Single-Sign-On -If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional reverse-proxy configuration (see [our nginx reverse-proxy doc page](configuring-playbook-nginx.md#synapse-openid-connect-for-single-sign-on)). +If you'd like to use OpenID Connect authentication with Synapse, you'll need some additional configuration. This example configuration is for [keycloak](https://www.keycloak.org/), an opensource Identity Provider maintained by Red Hat. @@ -54,23 +54,26 @@ For more detailed documentation on available options and how to setup keycloak, In case you encounter errors regarding the parsing of the variables, you can try to add `{% raw %}` and `{% endraw %}` blocks around them. For example ; +```yml +matrix_synapse_oidc_enabled: true + +matrix_synapse_oidc_providers: + - idp_id: keycloak + idp_name: "My KeyCloak server" + issuer: "https://url.ix/auth/realms/{realm_name}" + client_id: "matrix" + client_secret: "{{ vault_synapse_keycloak }}" + scopes: ["openid", "profile"] + user_mapping_provider: + config: + localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" + display_name_template: "{% raw %}{{ user.name }}{% endraw %}" + email_template: "{% raw %}{{ user.email }}{% endraw %}" + allow_existing_users: true # Optional + backchannel_logout_enabled: true # Optional ``` -matrix_synapse_configuration_extension_yaml: | - oidc_providers: - - idp_id: keycloak - idp_name: "My KeyCloak server" - issuer: "https://url.ix/auth/realms/{realm_name}" - client_id: "matrix" - client_secret: "{{ vault_synapse_keycloak }}" - scopes: ["openid", "profile"] - user_mapping_provider: - config: - localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" - display_name_template: "{% raw %}{{ user.name }}{% endraw %}" - email_template: "{% raw %}{{ user.email }}{% endraw %}" - allow_existing_users: true # Optional - backchannel_logout_enabled: true # Optional -``` + +**NOTE**: if you inject the OIDC configuration using `matrix_synapse_configuration_extension_yaml` (instead of `matrix_synapse_oidc_enabled: true` + `matrix_synapse_oidc_providers`), then the OIDC routes (`/_synapse/oidc`) will not be publicly exposed automatically. In such a case, you'd need to expose them manually by toggling: `matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: true`. ## Customizing templates diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml index 256cb24e4..4c0133e2a 100644 --- a/roles/custom/matrix-synapse/defaults/main.yml +++ b/roles/custom/matrix-synapse/defaults/main.yml @@ -228,7 +228,7 @@ matrix_synapse_container_labels_public_client_synapse_client_api_traefik_tls_cer # Enable this if you need OpenID Connect authentication support. # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` -matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: false +matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled: "{{ matrix_synapse_oidc_enabled }}" matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix: /_synapse/oidc matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_client_synapse_oidc_api_traefik_path_prefix }}`)" @@ -253,7 +253,7 @@ matrix_synapse_container_labels_public_client_synapse_admin_api_traefik_tls_cert # Controls whether labels will be added that expose the Server-Server API (Federation API). # Regardless of whether this is enabled, it may or may not take effect due to the value of other variables. # See `matrix_synapse_container_labels_traefik_enabled` or `matrix_synapse_container_labels_matrix_related_labels_enabled` -matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_enabled and not matrix_synapse_workers_enabled }}" +matrix_synapse_container_labels_public_federation_api_enabled: "{{ matrix_synapse_federation_enabled and matrix_synapse_federation_port_enabled and not matrix_synapse_workers_enabled }}" matrix_synapse_container_labels_public_federation_api_traefik_hostname: "{{ matrix_synapse_container_labels_traefik_hostname }}" matrix_synapse_container_labels_public_federation_api_traefik_path_prefix: /_matrix matrix_synapse_container_labels_public_federation_api_traefik_rule: "Host(`{{ matrix_synapse_container_labels_public_federation_api_traefik_hostname }}`) && PathPrefix(`{{ matrix_synapse_container_labels_public_federation_api_traefik_path_prefix }}`)" diff --git a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml index 79c2b3901..9df6e134d 100644 --- a/roles/custom/matrix_playbook_migration/tasks/validate_config.yml +++ b/roles/custom/matrix_playbook_migration/tasks/validate_config.yml @@ -92,7 +92,7 @@ - {'old': 'matrix_nginx_proxy_proxy_riot_compat_redirect_hostname', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_redirect_root_uri_to_domain', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_client_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_client_api_enabled'} - - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_oidc_api_enabled'} + - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_oidc_api_enabled', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_client_api_forwarded_location_synapse_admin_api_enabled', 'new': 'matrix_synapse_container_labels_public_client_synapse_admin_api_enabled'} - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_enabled', 'new': ''} - {'old': 'matrix_nginx_proxy_proxy_matrix_identity_api_addr_with_container', 'new': ''}