This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

keycloak openid documentation is incomplete #9037

Closed
richvdh opened this issue Jan 7, 2021 · 4 comments

Comments

@richvdh
Member

richvdh commented Jan 7, 2021

https://github.com/matrix-org/synapse/blob/develop/docs/openid.md#keycloak

in particular, it omits user_mapping_provider.config.localpart_template etc.

@richvdh
Member Author

richvdh commented Jan 7, 2021

this was added in #7659. cc @hungrymonkey

@richvdh
Member Author

richvdh commented Jan 7, 2021

Synapse 1.25 makes localpart_template optional, so maybe it doesn't matter so much? but it would be nice if the documentation for the providers was consistent.

@hungrymonkey
Contributor

hungrymonkey commented Jan 7, 2021

@richvdh

I left it out because I cannot personally test it. The "{{ string }}" syntax conflicts with ansible yaml. I use this project below to deploy my synapse setup.

https://github.com/spantaleev/matrix-docker-ansible-deploy

However, I can provide some information to set localpart_template. In keycloak, openid userinfo is provided by this url: https://domain.com/auth/realms/master/.well-known/openid-configuration

{
   "issuer":"https://domain.com/auth/realms/master",
   "authorization_endpoint":"https://domain.com/auth/realms/master/protocol/openid-connect/auth",
   "token_endpoint":"https://domain.com/auth/realms/master/protocol/openid-connect/token",
   "introspection_endpoint":"https://domain.com/auth/realms/master/protocol/openid-connect/token/introspect",
   "userinfo_endpoint":"https://domain.com/auth/realms/master/protocol/openid-connect/userinfo",
   "end_session_endpoint":"https://domain.com/auth/realms/master/protocol/openid-connect/logout",
   "jwks_uri":"https://domain.com/auth/realms/master/protocol/openid-connect/certs",
   "check_session_iframe":"https://domain.com/auth/realms/master/protocol/openid-connect/login-status-iframe.html",
   "grant_types_supported":[
      "authorization_code",
      "implicit",
      "refresh_token",
      "password",
      "client_credentials"
   ],
   "response_types_supported":[
      "code",
      "none",
      "id_token",
      "token",
      "id_token token",
      "code id_token",
      "code token",
      "code id_token token"
   ],
   "subject_types_supported":[
      "public",
      "pairwise"
   ],
   "id_token_signing_alg_values_supported":[
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512"
   ],
   "id_token_encryption_alg_values_supported":[
      "RSA-OAEP",
      "RSA1_5"
   ],
   "id_token_encryption_enc_values_supported":[
      "A256GCM",
      "A192GCM",
      "A128GCM",
      "A128CBC-HS256",
      "A192CBC-HS384",
      "A256CBC-HS512"
   ],
   "userinfo_signing_alg_values_supported":[
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "request_object_signing_alg_values_supported":[
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512",
      "none"
   ],
   "response_modes_supported":[
      "query",
      "fragment",
      "form_post"
   ],
   "registration_endpoint":"https://domain.com/auth/realms/master/clients-registrations/openid-connect",
   "token_endpoint_auth_methods_supported":[
      "private_key_jwt",
      "client_secret_basic",
      "client_secret_post",
      "tls_client_auth",
      "client_secret_jwt"
   ],
   "token_endpoint_auth_signing_alg_values_supported":[
      "PS384",
      "ES384",
      "RS384",
      "HS256",
      "HS512",
      "ES256",
      "RS256",
      "HS384",
      "ES512",
      "PS256",
      "PS512",
      "RS512"
   ],
   "claims_supported":[
      "aud",
      "sub",
      "iss",
      "auth_time",
      "name",
      "given_name",
      "family_name",
      "preferred_username",
      "email",
      "acr"
   ],
   "claim_types_supported":[
      "normal"
   ],
   "claims_parameter_supported":false,
   "scopes_supported":[
      "openid",
      "offline_access",
      "profile",
      "email",
      "address",
      "phone",
      "roles",
      "web-origins",
      "microprofile-jwt"
   ],
   "request_parameter_supported":true,
   "request_uri_parameter_supported":true,
   "code_challenge_methods_supported":[
      "plain",
      "S256"
   ],
   "tls_client_certificate_bound_access_tokens":true
}

From this openid configuration, you can configure the user_mapping_provider in the claims_supported json field.

user_mapping_provider:
     config:
       localpart_template: "{{ user.preferred_username }}"
       display_name_template: "{{ user.name }}"
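
As an added example (not code from this thread, from Synapse, or from the ansible deploy project), the following Python script does the two checks a practitioner would want before shipping these templates: it reads the claims_supported list of the discovery document quoted above, confirms that every claim a template references is actually advertised by the provider, renders the templates against constructed userinfo responses, and flags rendered localparts that do not satisfy the Matrix localpart grammar. The discovery excerpt and the two userinfo responses are constructed sample data, and the template matcher only understands the "{{ user.<claim> }}" form; Synapse's real mapping provider uses full Jinja2.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed excerpt of a Keycloak discovery document, keeping only the
# "claims_supported" field that the mapping templates are checked against.
DISCOVERY_DOC: Dict = json.loads("""
{
  "issuer": "https://domain.com/auth/realms/master",
  "claims_supported": ["aud", "sub", "iss", "auth_time", "name", "given_name",
                       "family_name", "preferred_username", "email", "acr"]
}
""")

# Constructed userinfo responses for two users (not real Keycloak output).
USERINFO_ALICE = {
    "sub": "c4f2a1e0-0000-4000-8000-000000000001",
    "preferred_username": "alice",
    "name": "Alice Example",
    "email": "alice@example.com",
}
USERINFO_BOB = {
    "sub": "c4f2a1e0-0000-4000-8000-000000000002",
    "preferred_username": "Bob Smith",  # space and capitals: not a valid localpart
    "name": "Bob Smith",
}

# The only template syntax this helper understands: "{{ user.<claim> }}".
# Synapse itself uses full Jinja2; this is a deliberately small stand-in.
TEMPLATE_RE = re.compile(r"\{\{\s*user\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}")

# Matrix user-ID localpart grammar (conservative: lowercase letters, digits, ._=-/).
LOCALPART_RE = re.compile(r"^[a-z0-9._=/-]+$")


def referenced_claims(template: str) -> List[str]:
    """Names of the userinfo claims a template reads, in order of appearance."""
    return TEMPLATE_RE.findall(template)


def unsupported_claims(template: str, discovery: Dict) -> List[str]:
    """Claims the template reads that the provider does not advertise."""
    supported = set(discovery.get("claims_supported", []))
    return sorted(set(referenced_claims(template)) - supported)


def render(template: str, userinfo: Dict) -> str:
    """Substitute claim values. A claim missing from the response is an error,
    not an empty string, so a misconfiguration cannot silently yield ''."""
    def substitute(match: "re.Match[str]") -> str:
        claim = match.group(1)
        if claim not in userinfo:
            raise KeyError(f"claim {claim!r} is absent from the userinfo response")
        return str(userinfo[claim])
    return TEMPLATE_RE.sub(substitute, template)


def map_localpart(template: str, userinfo: Dict) -> Tuple[str, bool]:
    """Render the localpart template and report whether the result is a usable localpart."""
    localpart = render(template, userinfo)
    return localpart, bool(LOCALPART_RE.match(localpart))


if __name__ == "__main__":
    cfg = {
        "localpart_template": "{{ user.preferred_username }}",
        "display_name_template": "{{ user.name }}",
    }
    for key, tmpl in cfg.items():
        missing = unsupported_claims(tmpl, DISCOVERY_DOC)
        print(f"{key}: reads {referenced_claims(tmpl)}; not advertised: {missing or 'none'}")
    for info in (USERINFO_ALICE, USERINFO_BOB):
        localpart, ok = map_localpart(cfg["localpart_template"], info)
        print(f"{info['sub']} -> localpart {localpart!r} valid={ok}")
```

Running the file reports both templates as fully covered by claims_supported, maps Alice to the localpart "alice", and flags Bob because his preferred_username contains a space and capitals, which the Matrix localpart grammar rejects; that is the case where a mapping template needs a normalising step rather than a raw claim. When the Synapse config is itself rendered by Ansible, wrapping the value in Jinja's {% raw %} ... {% endraw %} keeps the double braces literal so they reach Synapse unchanged.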

chris-ruecker added a commit to chris-ruecker/synapse that referenced this issue Jan 8, 2021
richvdh pushed a commit that referenced this issue Jan 8, 2021
This PR adds the missing user_mapping_provider section in oidc.md

Signed-off-by: Christopher Rücker [email protected]
@richvdh
Member Author

richvdh commented Jan 8, 2021

fixed in #9057

@richvdh richvdh closed this as completed Jan 8, 2021