From 9167a7734e34d20f077376fdba99f3ed50493070 Mon Sep 17 00:00:00 2001
From: Aine
Date: Mon, 2 Oct 2023 18:40:15 +0300
Subject: [PATCH 1/2] add matrix_synapse_oidc_enabled and matrix_synapse_oidc_providers vars
---
 roles/custom/matrix-synapse/defaults/main.yml | 5 +++++
 .../matrix-synapse/templates/synapse/homeserver.yaml.j2 | 7 +++++--
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
index 97c5d48a..32ae30f4 100644
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -425,6 +425,11 @@ matrix_synapse_federation_port_openid_resource_required: false
 # result, it's better to accomplish it by changing `matrix_synapse_federation_enabled`.
 matrix_synapse_federation_domain_whitelist: ~
+# Enable/disable OpenID Connect
+matrix_synapse_oidc_enabled: false
+# List of OpenID Connect providers, ref: https://matrix-org.github.io/synapse/latest/openid.html#sample-configs
+matrix_synapse_oidc_providers: []
+
 # A list of additional "volumes" to mount in the container.
 # This list gets populated dynamically based on Synapse extensions that have been enabled.
 # Contains definition objects like this: `{"src": "/outside", "dst": "/inside", "options": "rw|ro|slave|.."}
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index dd4e6325..9c2c9bd8 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2090,9 +2090,9 @@ saml2_config:
 # use 'oidc' for the idp_id to ensure that existing users continue to be
 # recognised.)
 #
-oidc_providers:
+{% if matrix_synapse_oidc_enabled %}
 # Generic example
- #
 #matrix_synapse_oidc_providers:
 #- idp_id: my_idp
 # idp_name: "My OpenID provider"
 # idp_icon: "mxc://example.com/mediaid"
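Review bot: The comment on the new `matrix_synapse_oidc_providers` default does not tell the operator that the list is rendered verbatim into `homeserver.yaml`, and per the linked Synapse docs a provider entry normally carries a `client_secret`, so nothing steers users away from putting that secret in plain inventory. I would extend the comment to something like `# List of OpenID Connect providers, rendered as-is into homeserver.yaml's oidc_providers when matrix_synapse_oidc_enabled is true.` followed by `# Entries usually include a client_secret - keep this variable in an Ansible Vault-encrypted vars file. Ref: https://matrix-org.github.io/synapse/latest/openid.html#sample-configs`. The `[]` default is the right choice, since the template later tests the list's length.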
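Review bot: The new sample-comment line `#matrix_synapse_oidc_providers:` puts an Ansible variable name inside a commented-out homeserver.yaml example, where a reader of the rendered file will take it for a Synapse config key that replaced `oidc_providers`. A comment that says what it is would be clearer, e.g. `# (populated from the matrix_synapse_oidc_providers Ansible variable; the entries below show the expected shape)`. The `{% if matrix_synapse_oidc_enabled %}` opened here is closed outside this hunk, and the `oidc_providers:` key it removes is re-added there.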
@@ -2116,6 +2116,9 @@ oidc_providers:
 # attribute_requirements:
 # - attribute: userGroup
 # value: "synapseUsers"
+oidc_providers:
+ {{ matrix_synapse_oidc_providers|to_nice_yaml(indent=2, width=999999) }}
+{% endif %}
 # Enable Central Authentication Service (CAS) for registration and login.
From c0e56ac1c46b75c6d538d1cf46da1ccc2dc52078 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 2 Oct 2023 19:32:09 +0300
Subject: [PATCH 2/2] Make OIDC providers if check safer
---
 .../custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
index 9c2c9bd8..b3a4aa79 100644
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2090,7 +2090,7 @@ saml2_config:
 # use 'oidc' for the idp_id to ensure that existing users continue to be
 # recognised.)
 #
-{% if matrix_synapse_oidc_enabled %}
+{% if matrix_synapse_oidc_enabled and matrix_synapse_oidc_providers | length > 0 %}
 # Generic example
 #matrix_synapse_oidc_providers:
 #- idp_id: my_idp
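Review bot: The `to_nice_yaml` expression under `oidc_providers:` only gets the template's leading indent on its first line; every further line the filter emits starts at the filter's own column, so a provider with more than one key (the commented sample in this very hunk shows `idp_id`, `idp_name`, `attribute_requirements` and more) renders as an indented `- idp_id: ...` followed by its remaining keys at a shallower indent, which Synapse will refuse to parse, and patch 2 does not touch this. Either pipe the output through Jinja's indent filter so continuation lines line up, `{{ matrix_synapse_oidc_providers | to_nice_yaml(indent=2, width=999999) | indent(2) }}`, or render the list as flow YAML on the key line, `oidc_providers: {{ matrix_synapse_oidc_providers | to_json }}`, which avoids the indentation question entirely. I would confirm this against a rendered homeserver.yaml with a two-key provider before merging. The `{% endif %}` added here closes the `{% if %}` opened in the previous hunk.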
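Review bot: `matrix_synapse_oidc_providers | length` raises a template error instead of skipping the block when an operator sets the variable to `~`/null, which is the "unset" spelling the neighbouring defaults use (`matrix_synapse_federation_domain_whitelist: ~`). A default keeps the check safe for both spellings: `{% if matrix_synapse_oidc_enabled and (matrix_synapse_oidc_providers | default([], true)) | length > 0 %}`. Separately, this condition silently drops `oidc_providers` when OIDC is enabled but the list is empty; if that combination is a misconfiguration rather than a supported state, an assert in the role's validation tasks would surface it rather than hide it.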