-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
Add initial support for a "pick your IdP" page #9017
Conversation
During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
I'll add some tests for this in a separate PR. |
(as per #8966, the SSO stuff doesn't currently work when it's offloaded to workers, so I haven't really thought about that side of it yet. It should be easy enough to update.) |
# otherwise, redirect to the IDP picker | ||
return "/_synapse/client/pick_idp?" + urlencode( | ||
(("redirectUrl", client_redirect_url),) | ||
) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a brief thought that we could just return the HTML template here instead of the redirect to avoid encoding the redirectURL, then decoding it, putting it into a template, then submitting it again back to the server...I think this implementation is OK, just seems to involve slightly more back and forth.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a brief thought that we could just return the HTML template here
Yeah, we probably could. The main reason I didn't was because /_matrix/client/r0/login/sso/redirect
is served as a JsonResource
, so any errors get rendered as json objects, which is a bit silly. Of course, that doesn't mean we handle any errors which do happen during the /_matrix/client/r0/login/sso/redirect
request any more gracefully :/.
Co-authored-by: Patrick Cloke <clokep@users.noreply.github.com>
Synapse 1.26.0rc1 (2021-01-20) ============================== This release brings a new schema version for Synapse and rolling back to a previous verious is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. Features -------- - Add support for multiple SSO Identity Providers. ([\#9015](#9015), [\#9017](#9017), [\#9036](#9036), [\#9067](#9067), [\#9081](#9081), [\#9082](#9082), [\#9105](#9105), [\#9107](#9107), [\#9109](#9109), [\#9110](#9110), [\#9127](#9127), [\#9153](#9153), [\#9154](#9154), [\#9177](#9177)) - During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP. ([\#9091](#9091)) - Give the `public_baseurl` a default value, if it is not explicitly set in the configuration file. ([\#9159](#9159)) - Improve performance when calculating ignored users in large rooms. ([\#9024](#9024)) - Implement [MSC2176](matrix-org/matrix-spec-proposals#2176) in an experimental room version. ([\#8984](#8984)) - Add an admin API for protecting local media from quarantine. ([\#9086](#9086)) - Remove a user's avatar URL and display name when deactivated with the Admin API. ([\#8932](#8932)) - Update `/_synapse/admin/v1/users/<user_id>/joined_rooms` to work for both local and remote users. ([\#8948](#8948)) - Add experimental support for handling to-device messages on worker processes. ([\#9042](#9042), [\#9043](#9043), [\#9044](#9044), [\#9130](#9130)) - Add experimental support for handling `/keys/claim` and `/room_keys` APIs on worker processes. ([\#9068](#9068)) - Add experimental support for handling `/devices` API on worker processes. ([\#9092](#9092)) - Add experimental support for moving off receipts and account data persistence off master. ([\#9104](#9104), [\#9166](#9166)) Bugfixes -------- - Fix a long-standing issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL. ([\#9023](#9023)) - Fix a long-standing bug where some caches could grow larger than configured. ([\#9028](#9028)) - Fix error handling during insertion of client IPs into the database. ([\#9051](#9051)) - Fix bug where we didn't correctly record CPU time spent in `on_new_event` block. ([\#9053](#9053)) - Fix a minor bug which could cause confusing error messages from invalid configurations. ([\#9054](#9054)) - Fix incorrect exit code when there is an error at startup. ([\#9059](#9059)) - Fix `JSONDecodeError` spamming the logs when sending transactions to remote servers. ([\#9070](#9070)) - Fix "Failed to send request" errors when a client provides an invalid room alias. ([\#9071](#9071)) - Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0. ([\#9114](#9114), [\#9116](#9116)) - Fix corruption of `pushers` data when a postgres bouncer is used. ([\#9117](#9117)) - Fix minor bugs in handling the `clientRedirectUrl` parameter for SSO login. ([\#9128](#9128)) - Fix "Unhandled error in Deferred: BodyExceededMaxSize" errors when .well-known files that are too large. ([\#9108](#9108)) - Fix "UnboundLocalError: local variable 'length' referenced before assignment" errors when the response body exceeds the expected size. This bug was introduced in v1.25.0. ([\#9145](#9145)) - Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter. ([\#9161](#9161)) Improved Documentation ---------------------- - Add some extra docs for getting Synapse running on macOS. ([\#8997](#8997)) - Correct a typo in the `systemd-with-workers` documentation. ([\#9035](#9035)) - Correct a typo in `INSTALL.md`. ([\#9040](#9040)) - Add missing `user_mapping_provider` configuration to the Keycloak OIDC example. Contributed by @chris-ruecker. ([\#9057](#9057)) - Quote `pip install` packages when extras are used to avoid shells interpreting bracket characters. ([\#9151](#9151)) Deprecations and Removals ------------------------- - Remove broken and unmaintained `demo/webserver.py` script. ([\#9039](#9039)) Internal Changes ---------------- - Improve efficiency of large state resolutions. ([\#8868](#8868), [\#9029](#9029), [\#9115](#9115), [\#9118](#9118), [\#9124](#9124)) - Various clean-ups to the structured logging and logging context code. ([\#8939](#8939)) - Ensure rejected events get added to some metadata tables. ([\#9016](#9016)) - Ignore date-rotated homeserver logs saved to disk. ([\#9018](#9018)) - Remove an unused column from `access_tokens` table. ([\#9025](#9025)) - Add a `-noextras` factor to `tox.ini`, to support running the tests with no optional dependencies. ([\#9030](#9030)) - Fix running unit tests when optional dependencies are not installed. ([\#9031](#9031)) - Allow bumping schema version when using split out state database. ([\#9033](#9033)) - Configure the linters to run on a consistent set of files. ([\#9038](#9038)) - Various cleanups to device inbox store. ([\#9041](#9041)) - Drop unused database tables. ([\#9055](#9055)) - Remove unused `SynapseService` class. ([\#9058](#9058)) - Remove unnecessary declarations in the tests for the admin API. ([\#9063](#9063)) - Remove `SynapseRequest.get_user_agent`. ([\#9069](#9069)) - Remove redundant `Homeserver.get_ip_from_request` method. ([\#9080](#9080)) - Add type hints to media repository. ([\#9093](#9093)) - Fix the wrong arguments being passed to `BlacklistingAgentWrapper` from `MatrixFederationAgent`. Contributed by Timothy Leung. ([\#9098](#9098)) - Reduce the scope of caught exceptions in `BlacklistingAgentWrapper`. ([\#9106](#9106)) - Improve `UsernamePickerTestCase`. ([\#9112](#9112)) - Remove dependency on `distutils`. ([\#9125](#9125)) - Enforce that replication HTTP clients are called with keyword arguments only. ([\#9144](#9144)) - Fix the Python 3.5 / old dependencies build in CI. ([\#9146](#9146)) - Replace the old `perspectives` option in the Synapse docker config file template with `trusted_key_servers`. ([\#9157](#9157))
Synapse 1.26.0 (2021-01-27) =========================== This release brings a new schema version for Synapse and rolling back to a previous version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. No significant changes since 1.26.0rc2. Synapse 1.26.0rc2 (2021-01-25) ============================== Bugfixes -------- - Fix receipts and account data not being sent down sync. Introduced in v1.26.0rc1. ([\#9193](#9193), [\#9195](#9195)) - Fix chain cover update to handle events with duplicate auth events. Introduced in v1.26.0rc1. ([\#9210](#9210)) Internal Changes ---------------- - Add an `oidc-` prefix to any `idp_id`s which are given in the `oidc_providers` configuration. ([\#9189](#9189)) - Bump minimum `psycopg2` version to v2.8. ([\#9204](#9204)) Synapse 1.26.0rc1 (2021-01-20) ============================== This release brings a new schema version for Synapse and rolling back to a previous version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. Features -------- - Add support for multiple SSO Identity Providers. ([\#9015](#9015), [\#9017](#9017), [\#9036](#9036), [\#9067](#9067), [\#9081](#9081), [\#9082](#9082), [\#9105](#9105), [\#9107](#9107), [\#9109](#9109), [\#9110](#9110), [\#9127](#9127), [\#9153](#9153), [\#9154](#9154), [\#9177](#9177)) - During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP. ([\#9091](#9091)) - Give the `public_baseurl` a default value, if it is not explicitly set in the configuration file. ([\#9159](#9159)) - Improve performance when calculating ignored users in large rooms. ([\#9024](#9024)) - Implement [MSC2176](matrix-org/matrix-spec-proposals#2176) in an experimental room version. ([\#8984](#8984)) - Add an admin API for protecting local media from quarantine. ([\#9086](#9086)) - Remove a user's avatar URL and display name when deactivated with the Admin API. ([\#8932](#8932)) - Update `/_synapse/admin/v1/users/<user_id>/joined_rooms` to work for both local and remote users. ([\#8948](#8948)) - Add experimental support for handling to-device messages on worker processes. ([\#9042](#9042), [\#9043](#9043), [\#9044](#9044), [\#9130](#9130)) - Add experimental support for handling `/keys/claim` and `/room_keys` APIs on worker processes. ([\#9068](#9068)) - Add experimental support for handling `/devices` API on worker processes. ([\#9092](#9092)) - Add experimental support for moving off receipts and account data persistence off master. ([\#9104](#9104), [\#9166](#9166)) Bugfixes -------- - Fix a long-standing issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL. ([\#9023](#9023)) - Fix a long-standing bug where some caches could grow larger than configured. ([\#9028](#9028)) - Fix error handling during insertion of client IPs into the database. ([\#9051](#9051)) - Fix bug where we didn't correctly record CPU time spent in `on_new_event` block. ([\#9053](#9053)) - Fix a minor bug which could cause confusing error messages from invalid configurations. ([\#9054](#9054)) - Fix incorrect exit code when there is an error at startup. ([\#9059](#9059)) - Fix `JSONDecodeError` spamming the logs when sending transactions to remote servers. ([\#9070](#9070)) - Fix "Failed to send request" errors when a client provides an invalid room alias. ([\#9071](#9071)) - Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0. ([\#9114](#9114), [\#9116](#9116)) - Fix corruption of `pushers` data when a postgres bouncer is used. ([\#9117](#9117)) - Fix minor bugs in handling the `clientRedirectUrl` parameter for SSO login. ([\#9128](#9128)) - Fix "Unhandled error in Deferred: BodyExceededMaxSize" errors when .well-known files that are too large. ([\#9108](#9108)) - Fix "UnboundLocalError: local variable 'length' referenced before assignment" errors when the response body exceeds the expected size. This bug was introduced in v1.25.0. ([\#9145](#9145)) - Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter. ([\#9161](#9161)) Improved Documentation ---------------------- - Add some extra docs for getting Synapse running on macOS. ([\#8997](#8997)) - Correct a typo in the `systemd-with-workers` documentation. ([\#9035](#9035)) - Correct a typo in `INSTALL.md`. ([\#9040](#9040)) - Add missing `user_mapping_provider` configuration to the Keycloak OIDC example. Contributed by @chris-ruecker. ([\#9057](#9057)) - Quote `pip install` packages when extras are used to avoid shells interpreting bracket characters. ([\#9151](#9151)) Deprecations and Removals ------------------------- - Remove broken and unmaintained `demo/webserver.py` script. ([\#9039](#9039)) Internal Changes ---------------- - Improve efficiency of large state resolutions. ([\#8868](#8868), [\#9029](#9029), [\#9115](#9115), [\#9118](#9118), [\#9124](#9124)) - Various clean-ups to the structured logging and logging context code. ([\#8939](#8939)) - Ensure rejected events get added to some metadata tables. ([\#9016](#9016)) - Ignore date-rotated homeserver logs saved to disk. ([\#9018](#9018)) - Remove an unused column from `access_tokens` table. ([\#9025](#9025)) - Add a `-noextras` factor to `tox.ini`, to support running the tests with no optional dependencies. ([\#9030](#9030)) - Fix running unit tests when optional dependencies are not installed. ([\#9031](#9031)) - Allow bumping schema version when using split out state database. ([\#9033](#9033)) - Configure the linters to run on a consistent set of files. ([\#9038](#9038)) - Various cleanups to device inbox store. ([\#9041](#9041)) - Drop unused database tables. ([\#9055](#9055)) - Remove unused `SynapseService` class. ([\#9058](#9058)) - Remove unnecessary declarations in the tests for the admin API. ([\#9063](#9063)) - Remove `SynapseRequest.get_user_agent`. ([\#9069](#9069)) - Remove redundant `Homeserver.get_ip_from_request` method. ([\#9080](#9080)) - Add type hints to media repository. ([\#9093](#9093)) - Fix the wrong arguments being passed to `BlacklistingAgentWrapper` from `MatrixFederationAgent`. Contributed by Timothy Leung. ([\#9098](#9098)) - Reduce the scope of caught exceptions in `BlacklistingAgentWrapper`. ([\#9106](#9106)) - Improve `UsernamePickerTestCase`. ([\#9112](#9112)) - Remove dependency on `distutils`. ([\#9125](#9125)) - Enforce that replication HTTP clients are called with keyword arguments only. ([\#9144](#9144)) - Fix the Python 3.5 / old dependencies build in CI. ([\#9146](#9146)) - Replace the old `perspectives` option in the Synapse docker config file template with `trusted_key_servers`. ([\#9157](#9157))
Synapse 1.26.0 (2021-01-27) =========================== This release brings a new schema version for Synapse and rolling back to a previous version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. No significant changes since 1.26.0rc2. Synapse 1.26.0rc2 (2021-01-25) ============================== Bugfixes -------- - Fix receipts and account data not being sent down sync. Introduced in v1.26.0rc1. ([\#9193](matrix-org/synapse#9193), [\#9195](matrix-org/synapse#9195)) - Fix chain cover update to handle events with duplicate auth events. Introduced in v1.26.0rc1. ([\#9210](matrix-org/synapse#9210)) Internal Changes ---------------- - Add an `oidc-` prefix to any `idp_id`s which are given in the `oidc_providers` configuration. ([\#9189](matrix-org/synapse#9189)) - Bump minimum `psycopg2` version to v2.8. ([\#9204](matrix-org/synapse#9204)) Synapse 1.26.0rc1 (2021-01-20) ============================== This release brings a new schema version for Synapse and rolling back to a previous version is not trivial. Please review [UPGRADE.rst](UPGRADE.rst) for more details on these changes and for general upgrade guidance. Features -------- - Add support for multiple SSO Identity Providers. ([\#9015](matrix-org/synapse#9015), [\#9017](matrix-org/synapse#9017), [\#9036](matrix-org/synapse#9036), [\#9067](matrix-org/synapse#9067), [\#9081](matrix-org/synapse#9081), [\#9082](matrix-org/synapse#9082), [\#9105](matrix-org/synapse#9105), [\#9107](matrix-org/synapse#9107), [\#9109](matrix-org/synapse#9109), [\#9110](matrix-org/synapse#9110), [\#9127](matrix-org/synapse#9127), [\#9153](matrix-org/synapse#9153), [\#9154](matrix-org/synapse#9154), [\#9177](matrix-org/synapse#9177)) - During user-interactive authentication via single-sign-on, give a better error if the user uses the wrong account on the SSO IdP. ([\#9091](matrix-org/synapse#9091)) - Give the `public_baseurl` a default value, if it is not explicitly set in the configuration file. ([\#9159](matrix-org/synapse#9159)) - Improve performance when calculating ignored users in large rooms. ([\#9024](matrix-org/synapse#9024)) - Implement [MSC2176](matrix-org/matrix-spec-proposals#2176) in an experimental room version. ([\#8984](matrix-org/synapse#8984)) - Add an admin API for protecting local media from quarantine. ([\#9086](matrix-org/synapse#9086)) - Remove a user's avatar URL and display name when deactivated with the Admin API. ([\#8932](matrix-org/synapse#8932)) - Update `/_synapse/admin/v1/users/<user_id>/joined_rooms` to work for both local and remote users. ([\#8948](matrix-org/synapse#8948)) - Add experimental support for handling to-device messages on worker processes. ([\#9042](matrix-org/synapse#9042), [\#9043](matrix-org/synapse#9043), [\#9044](matrix-org/synapse#9044), [\#9130](matrix-org/synapse#9130)) - Add experimental support for handling `/keys/claim` and `/room_keys` APIs on worker processes. ([\#9068](matrix-org/synapse#9068)) - Add experimental support for handling `/devices` API on worker processes. ([\#9092](matrix-org/synapse#9092)) - Add experimental support for moving off receipts and account data persistence off master. ([\#9104](matrix-org/synapse#9104), [\#9166](matrix-org/synapse#9166)) Bugfixes -------- - Fix a long-standing issue where an internal server error would occur when requesting a profile over federation that did not include a display name / avatar URL. ([\#9023](matrix-org/synapse#9023)) - Fix a long-standing bug where some caches could grow larger than configured. ([\#9028](matrix-org/synapse#9028)) - Fix error handling during insertion of client IPs into the database. ([\#9051](matrix-org/synapse#9051)) - Fix bug where we didn't correctly record CPU time spent in `on_new_event` block. ([\#9053](matrix-org/synapse#9053)) - Fix a minor bug which could cause confusing error messages from invalid configurations. ([\#9054](matrix-org/synapse#9054)) - Fix incorrect exit code when there is an error at startup. ([\#9059](matrix-org/synapse#9059)) - Fix `JSONDecodeError` spamming the logs when sending transactions to remote servers. ([\#9070](matrix-org/synapse#9070)) - Fix "Failed to send request" errors when a client provides an invalid room alias. ([\#9071](matrix-org/synapse#9071)) - Fix bugs in federation catchup logic that caused outbound federation to be delayed for large servers after start up. Introduced in v1.8.0 and v1.21.0. ([\#9114](matrix-org/synapse#9114), [\#9116](matrix-org/synapse#9116)) - Fix corruption of `pushers` data when a postgres bouncer is used. ([\#9117](matrix-org/synapse#9117)) - Fix minor bugs in handling the `clientRedirectUrl` parameter for SSO login. ([\#9128](matrix-org/synapse#9128)) - Fix "Unhandled error in Deferred: BodyExceededMaxSize" errors when .well-known files that are too large. ([\#9108](matrix-org/synapse#9108)) - Fix "UnboundLocalError: local variable 'length' referenced before assignment" errors when the response body exceeds the expected size. This bug was introduced in v1.25.0. ([\#9145](matrix-org/synapse#9145)) - Fix a long-standing bug "ValueError: invalid literal for int() with base 10" when `/publicRooms` is requested with an invalid `server` parameter. ([\#9161](matrix-org/synapse#9161)) Improved Documentation ---------------------- - Add some extra docs for getting Synapse running on macOS. ([\#8997](matrix-org/synapse#8997)) - Correct a typo in the `systemd-with-workers` documentation. ([\#9035](matrix-org/synapse#9035)) - Correct a typo in `INSTALL.md`. ([\#9040](matrix-org/synapse#9040)) - Add missing `user_mapping_provider` configuration to the Keycloak OIDC example. Contributed by @chris-ruecker. ([\#9057](matrix-org/synapse#9057)) - Quote `pip install` packages when extras are used to avoid shells interpreting bracket characters. ([\#9151](matrix-org/synapse#9151)) Deprecations and Removals ------------------------- - Remove broken and unmaintained `demo/webserver.py` script. ([\#9039](matrix-org/synapse#9039)) Internal Changes ---------------- - Improve efficiency of large state resolutions. ([\#8868](matrix-org/synapse#8868), [\#9029](matrix-org/synapse#9029), [\#9115](matrix-org/synapse#9115), [\#9118](matrix-org/synapse#9118), [\#9124](matrix-org/synapse#9124)) - Various clean-ups to the structured logging and logging context code. ([\#8939](matrix-org/synapse#8939)) - Ensure rejected events get added to some metadata tables. ([\#9016](matrix-org/synapse#9016)) - Ignore date-rotated homeserver logs saved to disk. ([\#9018](matrix-org/synapse#9018)) - Remove an unused column from `access_tokens` table. ([\#9025](matrix-org/synapse#9025)) - Add a `-noextras` factor to `tox.ini`, to support running the tests with no optional dependencies. ([\#9030](matrix-org/synapse#9030)) - Fix running unit tests when optional dependencies are not installed. ([\#9031](matrix-org/synapse#9031)) - Allow bumping schema version when using split out state database. ([\#9033](matrix-org/synapse#9033)) - Configure the linters to run on a consistent set of files. ([\#9038](matrix-org/synapse#9038)) - Various cleanups to device inbox store. ([\#9041](matrix-org/synapse#9041)) - Drop unused database tables. ([\#9055](matrix-org/synapse#9055)) - Remove unused `SynapseService` class. ([\#9058](matrix-org/synapse#9058)) - Remove unnecessary declarations in the tests for the admin API. ([\#9063](matrix-org/synapse#9063)) - Remove `SynapseRequest.get_user_agent`. ([\#9069](matrix-org/synapse#9069)) - Remove redundant `Homeserver.get_ip_from_request` method. ([\#9080](matrix-org/synapse#9080)) - Add type hints to media repository. ([\#9093](matrix-org/synapse#9093)) - Fix the wrong arguments being passed to `BlacklistingAgentWrapper` from `MatrixFederationAgent`. Contributed by Timothy Leung. ([\#9098](matrix-org/synapse#9098)) - Reduce the scope of caught exceptions in `BlacklistingAgentWrapper`. ([\#9106](matrix-org/synapse#9106)) - Improve `UsernamePickerTestCase`. ([\#9112](matrix-org/synapse#9112)) - Remove dependency on `distutils`. ([\#9125](matrix-org/synapse#9125)) - Enforce that replication HTTP clients are called with keyword arguments only. ([\#9144](matrix-org/synapse#9144)) - Fix the Python 3.5 / old dependencies build in CI. ([\#9146](matrix-org/synapse#9146)) - Replace the old `perspectives` option in the Synapse docker config file template with `trusted_key_servers`. ([\#9157](matrix-org/synapse#9157))
Fixes #8966. * Factor out build_synapse_client_resource_tree Start a function which will mount resources common to all workers. * Move sso init into build_synapse_client_resource_tree ... so that we don't have to do it for each worker * Fix SSO-login-via-a-worker Expose the SSO login endpoints on workers, like the documentation says. * Update workers config for new endpoints Add documentation for endpoints recently added (#8942, #9017, #9262) * remove submit_token from workers endpoints list this *doesn't* work on workers (yet). * changelog * Add a comment about the odd path for SAML2Resource
During login, if there are multiple IdPs enabled, offer the user a choice of IdPs.
This is deliberately a bit basic for now. You can see what it looks like at https://matrix.org/_matrix/media/r0/download/sw1v.org/pFnpZJJawgBgsseJuynxximd.