Add Authelia OIDC for Synapse.

roles/authelia/templates/configuration.yml

@@ -69,4 +69,18 @@ notifier:
     password: '{{ authelia_secrets["smtp_password"] }}'
     sender: 'Authelia <authelia@{{ domain }}>'
 
-# identity_providers:
+identity_providers:
+  oidc:
+    hmac_secret: '{{ authelia_secrets["hmac_secret"] }}'
+    jwks:
+      - key: |
+          {{ authelia_secrets["jwks_key"] | indent(width=10) }}
+    clients:
+      - client_id: '{{ synapse_secrets["oidc_client_id"] }}'
+        client_name: Synapse
+        client_secret: '{{ synapse_secrets["oidc_client_secret_hash"] }}'
+        redirect_uris: 'https://matrix.{{ domain }}/_synapse/client/oidc/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'

roles/synapse/templates/homeserver.yaml

@@ -104,3 +104,25 @@ signing_key_path: "/data/{{ domain }}.signing.key"
 trusted_key_servers:
   - server_name: "matrix.org"
 suppress_key_server_warning: true
+
+
+# Single sign-on integration
+oidc_providers:
+  - idp_id: authelia
+    idp_name: "Authelia"
+    idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
+    discover: false
+    issuer: "https://auth.{{ domain }}"
+    client_id: '{{ synapse_secrets["oidc_client_id"] }}'
+    client_secret: '{{ synapse_secrets["oidc_client_secret"] }}'
+    scopes: ["openid", "profile", "email"]
+    authorization_endpoint: 'https://auth.{{ domain }}/api/oidc/authorization'
+    token_endpoint: 'https://auth.{{ domain }}/api/oidc/token'
+    jwks_uri: 'https://auth.{{ domain }}/jwks.json'
+    allow_existing_users: true
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+        display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+        email_template: "{% raw %}{{ user.email }}{% endraw %}"

secrets.yml.example

@@ -12,6 +12,8 @@ cifs_credentials:
 authelia_secrets:
   # Encryption key for the database, must be saved
   encryption_key:
+  hmac_secret:
+  jwks_key: | # openssl genrsa 4096
   jwt_secret:
   # LDAP bind dn
   ldap_user:
@@ -21,6 +23,7 @@ authelia_secrets:
   smtp_user:
   smtp_password:
 
+
 coturn_secrets:
   static_auth_secret:
 
@@ -48,6 +51,11 @@ searxng_secrets:
   searxng_secret:
 
 synapse_secrets:
+  # docker run --rm authelia/authelia:4 authelia crypto rand --length 72 --charset rfc3986
+  oidc_client_id:
+  # Generate random secret + hash : docker run --rm authelia/authelia:4 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+  oidc_client_secret:
+  oidc_client_secret_hash:
   smtp_user:
   smtp_pass:
   postgres_user: