Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

doc: add django-oauth-toolkit to oidc doc #10192

Merged
merged 2 commits into from
Aug 23, 2021
Merged
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions changelog.d/10192.doc
Original file line number Diff line number Diff line change
@@ -0,0 +1 @@
Add documentation on how to connect Django with synapse using oidc and django-oauth-toolkit. Contributed by @HugoDelval.
48 changes: 48 additions & 0 deletions docs/openid.md
Original file line number Diff line number Diff line change
Expand Up @@ -446,3 +446,51 @@ The synapse config will look like this:
config:
email_template: "{{ user.email }}"
```

## Django OAuth Toolkit

[django-oauth-toolkit](https://github.com/jazzband/django-oauth-toolkit) is a
Django application providing out of the box all the endpoints, data and logic
needed to add OAuth2 capabilities to your Django projects. It supports
[OpenID Connect too](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html).

**Configuration on Django's side:**
HugoDelval marked this conversation as resolved.
Show resolved Hide resolved

1. Add an application: https://example.com/admin/oauth2_provider/application/add/ and choose parameters like this:
* `Redirect uris`: https://synapse.example.com/_synapse/client/oidc/callback
* `Client type`: `Confidential`
* `Authorization grant type`: `Authorization code`
* `Algorithm`: `HMAC with SHA-2 256`
HugoDelval marked this conversation as resolved.
Show resolved Hide resolved
2. You can [customize the claims](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses) Django gives to synapse (optional):
<details>
<summary>Code sample</summary>

```python
class CustomOAuth2Validator(OAuth2Validator):

def get_additional_claims(self, request):
return {
"sub": request.user.email,
"email": request.user.email,
"first_name": request.user.first_name,
"last_name": request.user.last_name,
}
```
</details>
HugoDelval marked this conversation as resolved.
Show resolved Hide resolved
3. Your synapse config is then:

HugoDelval marked this conversation as resolved.
Show resolved Hide resolved
```yaml
oidc_providers:
- idp_id: django_example
idp_name: "Django Example"
issuer: "https://example.com/o/"
client_id: "your-client-id" # CHANGE ME
client_secret: "your-client-secret" # CHANGE ME
scopes: ["openid"]
user_profile_method: "userinfo_endpoint" # needed because oauth-toolkit does not include user information in the authorization response
user_mapping_provider:
config:
localpart_template: "{{ user.email.split('@')[0] }}"
display_name_template: "{{ user.first_name }} {{ user.last_name }}"
email_template: "{{ user.email }}"
```