Home Explore Help
Sign In
RISCI_ATOM
/
synapse
mirror of https://github.com/matrix-org/synapse.git
1
0
Fork 0
Files Issues 3 Wiki
Branch: t3chguy/fix_contains-url_filtering
Branches Tags
synapse
/
docs
/
password_auth_providers.rst

password_auth_providers.rst 4.2 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899 
  1. Password auth provider modules
    2. 

  2. ==============================
    3. 

  3. 

  4. Password auth providers offer a way for server administrators to integrate
    5. 

  5. their Synapse installation with an existing authentication system.
    6. 

  6. 

  7. A password auth provider is a Python class which is dynamically loaded into
    8. 

  8. Synapse, and provides a number of methods by which it can integrate with the
    9. 

  9. authentication system.
    10. 

  10. 

  11. This document serves as a reference for those looking to implement their own
    12. 

  12. password auth providers.
    13. 

  13. 

  14. Required methods
    15. 

  15. ----------------
    16. 

  16. 

  17. Password auth provider classes must provide the following methods:
    18. 

  18. 

  19. *class* ``SomeProvider.parse_config``\(*config*)
    20. 

  20. 

  21.     This method is passed the ``config`` object for this module from the
    22. 

  22.     homeserver configuration file.
    23. 

  23. 

  24.     It should perform any appropriate sanity checks on the provided
    25. 

  25.     configuration, and return an object which is then passed into ``__init__``.
    26. 

  26. 

  27. *class* ``SomeProvider``\(*config*, *account_handler*)
    28. 

  28. 

  29.     The constructor is passed the config object returned by ``parse_config``,
    30. 

  30.     and a ``synapse.module_api.ModuleApi`` object which allows the
    31. 

  31.     password provider to check if accounts exist and/or create new ones.
    32. 

  32. 

  33. Optional methods
    34. 

  34. ----------------
    35. 

  35. 

  36. Password auth provider classes may optionally provide the following methods.
    37. 

  37. 

  38. *class* ``SomeProvider.get_db_schema_files``\()
    39. 

  39. 

  40.     This method, if implemented, should return an Iterable of ``(name,
    41. 

  41.     stream)`` pairs of database schema files. Each file is applied in turn at
    42. 

  42.     initialisation, and a record is then made in the database so that it is
    43. 

  43.     not re-applied on the next start.
    44. 

  44. 

  45. ``someprovider.get_supported_login_types``\()
    46. 

  46. 

  47.     This method, if implemented, should return a ``dict`` mapping from a login
    48. 

  48.     type identifier (such as ``m.login.password``) to an iterable giving the
    49. 

  49.     fields which must be provided by the user in the submission to the
    50. 

  50.     ``/login`` api. These fields are passed in the ``login_dict`` dictionary
    51. 

  51.     to ``check_auth``.
    52. 

  52. 

  53.     For example, if a password auth provider wants to implement a custom login
    54. 

  54.     type of ``com.example.custom_login``, where the client is expected to pass
    55. 

  55.     the fields ``secret1`` and ``secret2``, the provider should implement this
    56. 

  56.     method and return the following dict::
    57. 

  57. 

  58.       {"com.example.custom_login": ("secret1", "secret2")}
    59. 

  59. 

  60. ``someprovider.check_auth``\(*username*, *login_type*, *login_dict*)
    61. 

  61. 

  62.     This method is the one that does the real work. If implemented, it will be
    63. 

  63.     called for each login attempt where the login type matches one of the keys
    64. 

  64.     returned by ``get_supported_login_types``.
    65. 

  65. 

  66.     It is passed the (possibly UNqualified) ``user`` provided by the client,
    67. 

  67.     the login type, and a dictionary of login secrets passed by the client.
    68. 

  68. 

  69.     The method should return a Twisted ``Deferred`` object, which resolves to
    70. 

  70.     the canonical ``@localpart:domain`` user id if authentication is successful,
    71. 

  71.     and ``None`` if not.
    72. 

  72. 

  73.     Alternatively, the ``Deferred`` can resolve to a ``(str, func)`` tuple, in
    74. 

  74.     which case the second field is a callback which will be called with the
    75. 

  75.     result from the ``/login`` call (including ``access_token``, ``device_id``,
    76. 

  76.     etc.)
    77. 

  77. 

  78. ``someprovider.check_password``\(*user_id*, *password*)
    79. 

  79. 

  80.     This method provides a simpler interface than ``get_supported_login_types``
    81. 

  81.     and ``check_auth`` for password auth providers that just want to provide a
    82. 

  82.     mechanism for validating ``m.login.password`` logins.
    83. 

  83. 

  84.     Iif implemented, it will be called to check logins with an
    85. 

  85.     ``m.login.password`` login type. It is passed a qualified
    86. 

  86.     ``@localpart:domain`` user id, and the password provided by the user.
    87. 

  87. 

  88.     The method should return a Twisted ``Deferred`` object, which resolves to
    89. 

  89.     ``True`` if authentication is successful, and ``False`` if not.
    90. 

  90. 

  91. ``someprovider.on_logged_out``\(*user_id*, *device_id*, *access_token*)
    92. 

  92. 

  93.     This method, if implemented, is called when a user logs out. It is passed
    94. 

  94.     the qualified user ID, the ID of the deactivated device (if any: access
    95. 

  95.     tokens are occasionally created without an associated device ID), and the
    96. 

  96.     (now deactivated) access token.
    97. 

  97. 

  98.     It may return a Twisted ``Deferred`` object; the logout request will wait
    99. 

  99.     for the deferred to complete but the result is ignored.
    100.