Home Explore Help
Register Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Browse Source

Update documentation for configuring facebook login (#11755)

... and a minor thinko fix in the sample config.
Richard van der Hoff 2 years ago
parent
6a78ede569
commit
b0352f9c08
4 changed files with 26 additions and 18 deletions
Split View Show Diff Stats
  1. 1 0
      changelog.d/11755.doc
  2. 13 12
      docs/openid.md
  3. 6 3
      docs/sample_config.yaml
  4. 6 3
      synapse/config/oidc.py

+ 1 - 0
changelog.d/11755.doc
View File 

@@ -0,0 +1 @@
 
+Update documentation for configuring login with facebook.

+ 13 - 12
docs/openid.md
View File 

@@ -390,9 +390,6 @@ oidc_providers:
 
 
 ### Facebook
 
 
-Like Github, Facebook provide a custom OAuth2 API rather than an OIDC-compliant
 
-one so requires a little more configuration.
 
-
 
 0. You will need a Facebook developer account. You can register for one
 
    [here](https://developers.facebook.com/async/registration/).
 
 1. On the [apps](https://developers.facebook.com/apps/) page of the developer
 
@@ -412,24 +409,28 @@ Synapse config:
 
     idp_name: Facebook
 
     idp_brand: "facebook"  # optional: styling hint for clients
 
     discover: false
 
-    issuer: "https://facebook.com"
 
+    issuer: "https://www.facebook.com"
 
     client_id: "your-client-id" # TO BE FILLED
 
     client_secret: "your-client-secret" # TO BE FILLED
 
     scopes: ["openid", "email"]
 
-    authorization_endpoint: https://facebook.com/dialog/oauth
 
-    token_endpoint: https://graph.facebook.com/v9.0/oauth/access_token
 
-    user_profile_method: "userinfo_endpoint"
 
-    userinfo_endpoint: "https://graph.facebook.com/v9.0/me?fields=id,name,email,picture"
 
+    authorization_endpoint: "https://facebook.com/dialog/oauth"
 
+    token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
 
+    jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
 
     user_mapping_provider:
 
       config:
 
-        subject_claim: "id"
 
         display_name_template: "{{ user.name }}"
 
+        email_template: "{{ '{{ user.email }}' }}"
 
 ```
 
 
 Relevant documents:
 
- * https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
 
- * Using Facebook's Graph API: https://developers.facebook.com/docs/graph-api/using-graph-api/
 
- * Reference to the User endpoint: https://developers.facebook.com/docs/graph-api/reference/user
 
+ * [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
 
+ * [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
 
+ * [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
 
+
 
+Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
 
+but it has a `response_types_supported` which excludes "code" (which we rely on, and
 
+is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
 
+so we have to disable discovery and configure the URIs manually.
 
 
 ### Gitea

+ 6 - 3
docs/sample_config.yaml
View File 

@@ -1877,10 +1877,13 @@ saml2_config:
 
 #       Defaults to false. Avoid this in production.
 
 #
 
 #   user_profile_method: Whether to fetch the user profile from the userinfo
 
-#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
 
+#       endpoint, or to rely on the data returned in the id_token from the
 
+#       token_endpoint.
 
 #
 
-#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
 
-#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
 
+#       Valid values are: 'auto' or 'userinfo_endpoint'.
 
+#
 
+#       Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
 
+#       not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 
 #       userinfo endpoint.
 
 #
 
 #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to

+ 6 - 3
synapse/config/oidc.py
View File 

@@ -148,10 +148,13 @@ class OIDCConfig(Config):
 
         #       Defaults to false. Avoid this in production.
 
         #
 
         #   user_profile_method: Whether to fetch the user profile from the userinfo
 
-        #       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
 
+        #       endpoint, or to rely on the data returned in the id_token from the
 
+        #       token_endpoint.
 
         #
 
-        #       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
 
-        #       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
 
+        #       Valid values are: 'auto' or 'userinfo_endpoint'.
 
+        #
 
+        #       Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
 
+        #       not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 
         #       userinfo endpoint.
 
         #
 
         #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to