From 05416dea6407a6037ed934613469be390267a8d9 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Sat, 15 Jan 2022 14:53:45 +0000
Subject: [PATCH 1/4] Update documentation for configuring facebook login
---
 docs/openid.md | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)
diff --git a/docs/openid.md b/docs/openid.md
index ff9de9d5b8bf..171ea3b7128b 100644
--- a/docs/openid.md
+++ b/docs/openid.md
@@ -390,9 +390,6 @@ oidc_providers:
 ### Facebook
-Like Github, Facebook provide a custom OAuth2 API rather than an OIDC-compliant
-one so requires a little more configuration.
-
 0. You will need a Facebook developer account. You can register for one [here](https://developers.facebook.com/async/registration/).
 1. On the [apps](https://developers.facebook.com/apps/) page of the developer
@@ -412,24 +409,28 @@ Synapse config:
 idp_name: Facebook
 idp_brand: "facebook" # optional: styling hint for clients
 discover: false
- issuer: "https://facebook.com"
+ issuer: "https://www.facebook.com"
 client_id: "your-client-id" # TO BE FILLED
 client_secret: "your-client-secret" # TO BE FILLED
 scopes: ["openid", "email"]
- authorization_endpoint: https://facebook.com/dialog/oauth
- token_endpoint: https://graph.facebook.com/v9.0/oauth/access_token
- user_profile_method: "userinfo_endpoint"
- userinfo_endpoint: "https://graph.facebook.com/v9.0/me?fields=id,name,email,picture"
+ authorization_endpoint: "https://facebook.com/dialog/oauth"
+ token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
+ jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
 user_mapping_provider:
 config:
- subject_claim: "id"
 display_name_template: "{{ user.name }}"
+ email_template: "{{ '{{ user.email }}' }}"
 ```
 Relevant documents:
- * https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- * Using Facebook's Graph API: https://developers.facebook.com/docs/graph-api/using-graph-api/
- * Reference to the User endpoint: https://developers.facebook.com/docs/graph-api/reference/user
+ * [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
+ * [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
+ * [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
+
+Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
+but it has a `response_types_supported` which excludes "code" (which we rely on, and
+is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
+so we have to disable discovery and configure the URIs manually.
 ### Gitea
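Review bot: The added `email_template: "{{ '{{ user.email }}' }}"` carries a second template layer that the neighbouring `display_name_template: "{{ user.name }}"` does not, and assuming both are rendered by Jinja2 like the rest of the mapping-provider templates, it evaluates to the literal text `{{ user.email }}` rather than the user's address, so anyone copying the snippet gets a bogus email on every Facebook-backed account. It should read `email_template: "{{ user.email }}"`. The same hunk moves `issuer` to `https://www.facebook.com` while `authorization_endpoint` keeps the bare `https://facebook.com` host; since `issuer` must equal the `iss` claim of the id_token exactly and, with discovery off, `jwks_uri` is presumably the only source of keys used to validate that token, the closing paragraph would be a good place to say that both values have to match what Facebook currently publishes or logins will fail rather than degrade.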
From ef039cae8095ab1b86fcf34cbcc8aa0458a44a2f Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Sat, 15 Jan 2022 14:54:44 +0000
Subject: [PATCH 2/4] Minor fix to openid configuration docs
---
 docs/sample_config.yaml | 9 ++++++---
 synapse/config/oidc.py | 9 ++++++---
 2 files changed, 12 insertions(+), 6 deletions(-)
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
index 9a501167ee3b..4d4f6a694888 100644
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@@ -1877,10 +1877,13 @@ saml2_config:
 # Defaults to false. Avoid this in production.
 #
 # user_profile_method: Whether to fetch the user profile from the userinfo
-# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
+# endpoint, or to rely on the data returned in the id_token from the
+# token_endpoint.
 #
-# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
+# Valid values are: 'auto' or 'userinfo_endpoint'.
+#
+# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
+# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 # userinfo endpoint.
 #
 # allow_existing_users: set to 'true' to allow a user logging in via OIDC to
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
index 79c400fe30b8..e783b1131501 100644
--- a/synapse/config/oidc.py
+++ b/synapse/config/oidc.py
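Review bot: The reworded `user_profile_method` comment now says when the id_token is used instead of the userinfo endpoint, but not what that path needs from the rest of the provider block; the Facebook example in the first patch of this series pairs the removal of `user_profile_method: "userinfo_endpoint"` with a manually configured `jwks_uri`, which suggests the id_token is validated against those keys. If that is the case, a line after `+# token_endpoint.` such as `# Relying on the id_token requires the provider's signing keys to be reachable, via discovery or 'jwks_uri'.` would spare operators a failed login to find out. The identical text is changed in the synapse/config/oidc.py hunk, inside `generate_config_section` (which starts and ends outside the hunk); sample_config.yaml appears to be generated from that string, so the wording belongs in oidc.py and the sample regenerated rather than edited in both places.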
@@ -148,10 +148,13 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs) -> str
 # Defaults to false. Avoid this in production.
 #
 # user_profile_method: Whether to fetch the user profile from the userinfo
- # endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
+ # endpoint, or to rely on the data returned in the id_token from the
+ # token_endpoint.
 #
- # Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
- # included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
+ # Valid values are: 'auto' or 'userinfo_endpoint'.
+ #
+ # Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
+ # not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 # userinfo endpoint.
 #
 # allow_existing_users: set to 'true' to allow a user logging in via OIDC to
From 967d537d7e7e5e0e4f3d76c48b58778d953ca8d1 Mon Sep 17 00:00:00 2001
From: Richard van der Hoff
Date: Sat, 15 Jan 2022 14:55:52 +0000
Subject: [PATCH 3/4] changelog
---
 changelog.d/11755.docs | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/11755.docs
diff --git a/changelog.d/11755.docs b/changelog.d/11755.docs
new file mode 100644
index 000000000000..5dd8feea63e7
--- /dev/null
+++ b/changelog.d/11755.docs
@@ -0,0 +1 @@
+Update documentation for configuring login with facebook.
From 58470a583c3058d63c0cf6c88b18fe04cfce3333 Mon Sep 17 00:00:00 2001
From: David Robertson
Date: Mon, 17 Jan 2022 11:39:15 +0000
Subject: [PATCH 4/4] Rename 11755.docs to 11755.doc
---
 changelog.d/{11755.docs => 11755.doc} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename changelog.d/{11755.docs => 11755.doc} (100%)
diff --git a/changelog.d/11755.docs b/changelog.d/11755.doc
similarity index 100%
rename from changelog.d/11755.docs
rename to changelog.d/11755.doc