Add Authelia OIDC for Synapse.

2024-05-09 11:22:22 +02:00 · 2024-05-09 11:22:22 +02:00 · c0f8721a00
commit c0f8721a00
parent b544f9a78d
3 changed files with 45 additions and 1 deletions
--- a/roles/authelia/templates/configuration.yml
+++ b/roles/authelia/templates/configuration.yml
@ -69,4 +69,18 @@ notifier:
    password: '{{ authelia_secrets["smtp_password"] }}'
    sender: 'Authelia <authelia@{{ domain }}>'

-# identity_providers:
+identity_providers:
+  oidc:
+    hmac_secret: '{{ authelia_secrets["hmac_secret"] }}'
+    jwks:
+      - key: |
+          {{ authelia_secrets["jwks_key"] | indent(width=10) }}
+    clients:
+      - client_id: '{{ synapse_secrets["oidc_client_id"] }}'
+        client_name: Synapse
+        client_secret: '{{ synapse_secrets["oidc_client_secret_hash"] }}'
+        redirect_uris: 'https://matrix.{{ domain }}/_synapse/client/oidc/callback'
+        scopes:
+          - 'openid'
+          - 'profile'
+          - 'email'
--- a/roles/synapse/templates/homeserver.yaml
+++ b/roles/synapse/templates/homeserver.yaml
@ -104,3 +104,25 @@ signing_key_path: "/data/{{ domain }}.signing.key"
 trusted_key_servers:
  - server_name: "matrix.org"
 suppress_key_server_warning: true
+
+
+# Single sign-on integration
+oidc_providers:
+  - idp_id: authelia
+    idp_name: "Authelia"
+    idp_icon: "mxc://authelia.com/cKlrTPsGvlpKxAYeHWJsdVHI"
+    discover: false
+    issuer: "https://auth.{{ domain }}"
+    client_id: '{{ synapse_secrets["oidc_client_id"] }}'
+    client_secret: '{{ synapse_secrets["oidc_client_secret"] }}'
+    scopes: ["openid", "profile", "email"]
+    authorization_endpoint: 'https://auth.{{ domain }}/api/oidc/authorization'
+    token_endpoint: 'https://auth.{{ domain }}/api/oidc/token'
+    jwks_uri: 'https://auth.{{ domain }}/jwks.json'
+    allow_existing_users: true
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}"
+        display_name_template: "{% raw %}{{ user.name }}{% endraw %}"
+        email_template: "{% raw %}{{ user.email }}{% endraw %}"
--- a/secrets.yml.example
+++ b/secrets.yml.example
@ -12,6 +12,8 @@ cifs_credentials:
 authelia_secrets:
  # Encryption key for the database, must be saved
  encryption_key:
+  hmac_secret:
+  jwks_key: | # openssl genrsa 4096
  jwt_secret:
  # LDAP bind dn
  ldap_user:
@ -21,6 +23,7 @@ authelia_secrets:
  smtp_user:
  smtp_password:

+
 coturn_secrets:
  static_auth_secret:

@ -48,6 +51,11 @@ searxng_secrets:
  searxng_secret:

 synapse_secrets:
+  # docker run --rm authelia/authelia:4 authelia crypto rand --length 72 --charset rfc3986
+  oidc_client_id:
+  # Generate random secret + hash : docker run --rm authelia/authelia:4 authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+  oidc_client_secret:
+  oidc_client_secret_hash:
  smtp_user:
  smtp_pass:
  postgres_user: