Merge branch 'master' into synapse-workers

development
Slavi Pantaleev 4 years ago
commit 1cd2a218de

@ -11,7 +11,7 @@ matrix_synapse_docker_image_name_prefix: "{{ 'localhost/' if matrix_synapse_cont
# The if statement below may look silly at times (leading to the same version being returned), # The if statement below may look silly at times (leading to the same version being returned),
# but ARM-compatible container images are only released 1-7 hours after a release, # but ARM-compatible container images are only released 1-7 hours after a release,
# so we may often be on different versions for different architectures when new Synapse releases come out. # so we may often be on different versions for different architectures when new Synapse releases come out.
matrix_synapse_docker_image_tag: "{{ 'v1.25.0' if matrix_architecture == 'amd64' else 'v1.25.0' }}" matrix_synapse_docker_image_tag: "{{ 'v1.26.0' if matrix_architecture == 'amd64' else 'v1.26.0' }}"
matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}" matrix_synapse_docker_image_force_pull: "{{ matrix_synapse_docker_image.endswith(':latest') }}"
matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse" matrix_synapse_base_path: "{{ matrix_base_data_path }}/synapse"

@ -43,11 +43,16 @@ pid_file: /homeserver.pid
# #
#web_client_location: https://riot.example.com/ #web_client_location: https://riot.example.com/
# The public-facing base URL that clients use to access this HS # The public-facing base URL that clients use to access this Homeserver (not
# (not including _matrix/...). This is the same URL a user would # including _matrix/...). This is the same URL a user might enter into the
# enter into the 'custom HS URL' field on their client. If you # 'Custom Homeserver URL' field on their client. If you use Synapse with a
# use synapse with a reverse proxy, this should be the URL to reach # reverse proxy, this should be the URL to reach Synapse via the proxy.
# synapse via the proxy. # Otherwise, it should be the URL to reach Synapse's client HTTP listener (see
# 'listeners' below).
#
# If this is left unset, it defaults to 'https://<server_name>/'. (Note that
# that will not work unless you configure Synapse or a reverse-proxy to listen
# on port 443.)
# #
public_baseurl: https://{{ matrix_server_fqn_matrix }}/ public_baseurl: https://{{ matrix_server_fqn_matrix }}/
@ -1152,8 +1157,9 @@ account_validity:
# send an email to the account's email address with a renewal link. By # send an email to the account's email address with a renewal link. By
# default, no such emails are sent. # default, no such emails are sent.
# #
# If you enable this setting, you will also need to fill out the 'email' and # If you enable this setting, you will also need to fill out the 'email'
# 'public_baseurl' configuration sections. # configuration section. You should also check that 'public_baseurl' is set
# correctly.
# #
#renew_at: 1w #renew_at: 1w
@ -1250,8 +1256,7 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
# The identity server which we suggest that clients should use when users log # The identity server which we suggest that clients should use when users log
# in on this server. # in on this server.
# #
# (By default, no suggestion is made, so it is left up to the client. # (By default, no suggestion is made, so it is left up to the client.)
# This setting is ignored unless public_baseurl is also set.)
# #
#default_identity_server: https://matrix.org #default_identity_server: https://matrix.org
@ -1276,8 +1281,6 @@ allow_guest_access: {{ matrix_synapse_allow_guest_access|to_json }}
# by the Matrix Identity Service API specification: # by the Matrix Identity Service API specification:
# https://matrix.org/docs/spec/identity_service/latest # https://matrix.org/docs/spec/identity_service/latest
# #
# If a delegate is specified, the config option public_baseurl must also be filled out.
#
account_threepid_delegates: account_threepid_delegates:
email: {{ matrix_synapse_account_threepid_delegates_email|to_json }} email: {{ matrix_synapse_account_threepid_delegates_email|to_json }}
msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }} msisdn: {{ matrix_synapse_account_threepid_delegates_msisdn|to_json }}
@ -1722,141 +1725,158 @@ saml2_config:
#idp_entityid: 'https://our_idp/entityid' #idp_entityid: 'https://our_idp/entityid'
# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login. # List of OpenID Connect (OIDC) / OAuth 2.0 identity providers, for registration
# and login.
# #
# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md # Options for each entry include:
# for some example configurations.
# #
oidc_config: # idp_id: a unique identifier for this identity provider. Used internally
# Uncomment the following to enable authorization against an OpenID Connect # by Synapse; should be a single word such as 'github'.
# server. Defaults to false. #
# # Note that, if this is changed, users authenticating via that provider
#enabled: true # will no longer be recognised as the same user!
#
# Uncomment the following to disable use of the OIDC discovery mechanism to # idp_name: A user-facing name for this identity provider, which is used to
# discover endpoints. Defaults to true. # offer the user a choice of login mechanisms.
# #
#discover: false # idp_icon: An optional icon for this identity provider, which is presented
# by identity picker pages. If given, must be an MXC URI of the format
# the OIDC issuer. Used to validate tokens and (if discovery is enabled) to # mxc://<server-name>/<media-id>. (An easy way to obtain such an MXC URI
# discover the provider's endpoints. # is to upload an image to an (unencrypted) room and then copy the "url"
# # from the source of the event.)
# Required if 'enabled' is true. #
# # discover: set to 'false' to disable the use of the OIDC discovery mechanism
#issuer: "https://accounts.example.com/" # to discover endpoints. Defaults to true.
#
# oauth2 client id to use. # issuer: Required. The OIDC issuer. Used to validate tokens and (if discovery
# # is enabled) to discover the provider's endpoints.
# Required if 'enabled' is true. #
# # client_id: Required. oauth2 client id to use.
#client_id: "provided-by-your-issuer" #
# client_secret: Required. oauth2 client secret to use.
# oauth2 client secret to use. #
# # client_auth_method: auth method to use when exchanging the token. Valid
# Required if 'enabled' is true. # values are 'client_secret_basic' (default), 'client_secret_post' and
# # 'none'.
#client_secret: "provided-by-your-issuer" #
# scopes: list of scopes to request. This should normally include the "openid"
# auth method to use when exchanging the token. # scope. Defaults to ["openid"].
# Valid values are 'client_secret_basic' (default), 'client_secret_post' and #
# 'none'. # authorization_endpoint: the oauth2 authorization endpoint. Required if
# # provider discovery is disabled.
#client_auth_method: client_secret_post #
# token_endpoint: the oauth2 token endpoint. Required if provider discovery is
# list of scopes to request. This should normally include the "openid" scope. # disabled.
# Defaults to ["openid"]. #
# # userinfo_endpoint: the OIDC userinfo endpoint. Required if discovery is
#scopes: ["openid", "profile"] # disabled and the 'openid' scope is not requested.
#
# the oauth2 authorization endpoint. Required if provider discovery is disabled. # jwks_uri: URI where to fetch the JWKS. Required if discovery is disabled and
# # the 'openid' scope is used.
#authorization_endpoint: "https://accounts.example.com/oauth2/auth" #
# skip_verification: set to 'true' to skip metadata verification. Use this if
# the oauth2 token endpoint. Required if provider discovery is disabled. # you are connecting to a provider that is not OpenID Connect compliant.
# # Defaults to false. Avoid this in production.
#token_endpoint: "https://accounts.example.com/oauth2/token" #
# user_profile_method: Whether to fetch the user profile from the userinfo
# the OIDC userinfo endpoint. Required if discovery is disabled and the # endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
# "openid" scope is not requested. #
# # Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
#userinfo_endpoint: "https://accounts.example.com/userinfo" # included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
# userinfo endpoint.
# URI where to fetch the JWKS. Required if discovery is disabled and the #
# "openid" scope is used. # allow_existing_users: set to 'true' to allow a user logging in via OIDC to
# # match a pre-existing account instead of failing. This could be used if
#jwks_uri: "https://accounts.example.com/.well-known/jwks.json" # switching from password logins to OIDC. Defaults to false.
#
# Uncomment to skip metadata verification. Defaults to false. # user_mapping_provider: Configuration for how attributes returned from a OIDC
# # provider are mapped onto a matrix user. This setting has the following
# Use this if you are connecting to a provider that is not OpenID Connect # sub-properties:
# compliant. #
# Avoid this in production. # module: The class name of a custom mapping module. Default is
# # 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
#skip_verification: true # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
# for information on implementing a custom mapping provider.
# Whether to fetch the user profile from the userinfo endpoint. Valid #
# values are: "auto" or "userinfo_endpoint". # config: Configuration for the mapping provider module. This section will
# # be passed as a Python dictionary to the user mapping provider
# Defaults to "auto", which fetches the userinfo endpoint if "openid" is included # module's `parse_config` method.
# in `scopes`. Uncomment the following to always fetch the userinfo endpoint. #
# # For the default provider, the following settings are available:
#user_profile_method: "userinfo_endpoint" #
# sub: name of the claim containing a unique identifier for the
# Uncomment to allow a user logging in via OIDC to match a pre-existing account instead # user. Defaults to 'sub', which OpenID Connect compliant
# of failing. This could be used if switching from password logins to OIDC. Defaults to false. # providers should provide.
# #
#allow_existing_users: true # localpart_template: Jinja2 template for the localpart of the MXID.
# If this is not set, the user will be prompted to choose their
# An external module can be provided here as a custom solution to mapping # own username.
# attributes returned from a OIDC provider onto a matrix user. #
# # display_name_template: Jinja2 template for the display name to set
user_mapping_provider: # on first login. If unset, no displayname will be set.
# The custom module's class. Uncomment to use a custom module. #
# Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'. # extra_attributes: a map of Jinja2 templates for extra attributes
# # to send back to the client during login.
# See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers # Note that these are non-standard and clients will ignore them
# for information on implementing a custom mapping provider. # without modifications.
# #
#module: mapping_provider.OidcMappingProvider # When rendering, the Jinja2 templates are given a 'user' variable,
# which is set to the claims returned by the UserInfo Endpoint and/or
# Custom configuration values for the module. This section will be passed as # in the ID Token.
# a Python dictionary to the user mapping provider module's `parse_config` #
# method. # See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
# # for information on how to configure these options.
# The examples below are intended for the default provider: they should be #
# changed if using a custom provider. # For backwards compatibility, it is also possible to configure a single OIDC
# # provider via an 'oidc_config' setting. This is now deprecated and admins are
config: # advised to migrate to the 'oidc_providers' format. (When doing that migration,
# name of the claim containing a unique identifier for the user. # use 'oidc' for the idp_id to ensure that existing users continue to be
# Defaults to `sub`, which OpenID Connect compliant providers should provide. # recognised.)
# #
#subject_claim: "sub" oidc_providers:
# Generic example
# Jinja2 template for the localpart of the MXID. #
# #- idp_id: my_idp
# When rendering, this template is given the following variables: # idp_name: "My OpenID provider"
# * user: The claims returned by the UserInfo Endpoint and/or in the ID # idp_icon: "mxc://example.com/mediaid"
# Token # discover: false
# # issuer: "https://accounts.example.com/"
# If this is not set, the user will be prompted to choose their # client_id: "provided-by-your-issuer"
# own username. # client_secret: "provided-by-your-issuer"
# # client_auth_method: client_secret_post
localpart_template: "{% raw %}{{ user.preferred_username }}{% endraw %}" # scopes: ["openid", "profile"]
# authorization_endpoint: "https://accounts.example.com/oauth2/auth"
# Jinja2 template for the display name to set on first login. # token_endpoint: "https://accounts.example.com/oauth2/token"
# # userinfo_endpoint: "https://accounts.example.com/userinfo"
# If unset, no displayname will be set. # jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
# # skip_verification: true
#display_name_template: "{% raw %}{{ user.given_name }} {{ user.last_name }}{% endraw %}"
# For use with Keycloak
# Jinja2 templates for extra attributes to send back to the client during #
# login. #- idp_id: keycloak
# # idp_name: Keycloak
# Note that these are non-standard and clients will ignore them without modifications. # issuer: "https://127.0.0.1:8443/auth/realms/my_realm_name"
# # client_id: "synapse"
#extra_attributes: # client_secret: "copy secret generated in Keycloak UI"
#birthdate: "{% raw %}{{ user.birthdate }}{% endraw %}" # scopes: ["openid", "profile"]
# For use with Github
#
#- idp_id: github
# idp_name: Github
# discover: false
# issuer: "https://github.com/"
# client_id: "your-client-id" # TO BE FILLED
# client_secret: "your-client-secret" # TO BE FILLED
# authorization_endpoint: "https://github.com/login/oauth/authorize"
# token_endpoint: "https://github.com/login/oauth/access_token"
# userinfo_endpoint: "https://api.github.com/user"
# scopes: ["read:user"]
# user_mapping_provider:
# config:
# subject_claim: "id"
# localpart_template: "{ user.login }"
# display_name_template: "{ user.name }"
# Enable Central Authentication Service (CAS) for registration and login. # Enable Central Authentication Service (CAS) for registration and login.
@ -1906,9 +1926,9 @@ sso:
# phishing attacks from evil.site. To avoid this, include a slash after the # phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/". # hostname: "https://my.client/".
# #
# If public_baseurl is set, then the login fallback page (used by clients # The login fallback page (used by clients that don't natively support the
# that don't natively support the required login flows) is whitelisted in # required login flows) is automatically whitelisted in addition to any URLs
# addition to any URLs in this list. # in this list.
# #
# By default, this list is empty. # By default, this list is empty.
# #
@ -1922,22 +1942,31 @@ sso:
# #
# Synapse will look for the following templates in this directory: # Synapse will look for the following templates in this directory:
# #
# * HTML page for a confirmation step before redirecting back to the client # * HTML page to prompt the user to choose an Identity Provider during
# with the login token: 'sso_redirect_confirm.html'. # login: 'sso_login_idp_picker.html'.
# #
# When rendering, this template is given three variables: # This is only used if multiple SSO Identity Providers are configured.
# * redirect_url: the URL the user is about to be redirected to. Needs
# manual escaping (see
# https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
# #
# * display_url: the same as `redirect_url`, but with the query # When rendering, this template is given the following variables:
# parameters stripped. The intention is to have a # * redirect_url: the URL that the user will be redirected to after
# human-readable URL to show to users, not to use it as # login. Needs manual escaping (see
# the final address to redirect to. Needs manual escaping # https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
# (see https://jinja.palletsprojects.com/en/2.11.x/templates/#html-escaping).
# #
# * server_name: the homeserver's name. # * server_name: the homeserver's name.
# #
# * providers: a list of available Identity Providers. Each element is
# an object with the following attributes:
# * idp_id: unique identifier for the IdP
# * idp_name: user-facing name for the IdP
#
# The rendered HTML page should contain a form which submits its results
# back as a GET request, with the following query parameters:
#
# * redirectUrl: the client redirect URI (ie, the `redirect_url` passed
# to the template)
#
# * idp: the 'idp_id' of the chosen IDP.
#
# * HTML page which notifies the user that they are authenticating to confirm # * HTML page which notifies the user that they are authenticating to confirm
# an operation on their account during the user interactive authentication # an operation on their account during the user interactive authentication
# process: 'sso_auth_confirm.html'. # process: 'sso_auth_confirm.html'.
@ -1957,6 +1986,14 @@ sso:
# #
# This template has no additional variables. # This template has no additional variables.
# #
# * HTML page shown after a user-interactive authentication session which
# does not map correctly onto the expected user: 'sso_auth_bad_user.html'.
#
# When rendering, this template is given the following variables:
# * server_name: the homeserver's name.
# * user_id_to_verify: the MXID of the user that we are trying to
# validate.
#
# * HTML page shown during single sign-on if a deactivated user (according to Synapse's database) # * HTML page shown during single sign-on if a deactivated user (according to Synapse's database)
# attempts to login: 'sso_account_deactivated.html'. # attempts to login: 'sso_account_deactivated.html'.
# #

Loading…
Cancel
Save