try oidc provider

README.md

@@ -65,17 +65,63 @@ Whether to generate new thumbnails on the fly to precisely match the resolution
 ## REGISTRATIONS
 - default: []
 
-Comma seperated list of registration files to load.
+Semi colon seperated list of registration files to load.
 
-Whether to report statistics.
+## OIDC_ENABLED
+- default: false
+
+Whether to enable authorization against an OpenID Connect server.
+
+## OIDC_DISCOVER
+- default: true
+
+Whether to use the OIDC discovery mechanism to discover endpoints.
+
+## OIDC_ISSUER
+The OIDC issuer. Used to validate tokens and (if discovery is enabled) to discover the provider's endpoints.
+
+## OIDC_CLIENT_ID
+oauth2 client id.
+
+## OIDC_CLIENT_SECRET
+oauth2 client secret.
+
+## OIDC_SCOPES
+- default: "\"openid\""
+
+Comma separated list of scopes to request.
+
+## OIDC_AUTH_ENDPOINT
+oauth2 authorization endpoint. Required if provider discovery is disabled.
+
+## OIDC_TOKEN_ENDPOINT
+oauth2 token endpoint. Required if provider discovery is disabled.
+
+## OIDC_USERINFO_ENDPOINT
+OIDC userinfo endpoint. Required if discovery is disabled and the "openid" scope 
+is not requested.
+
+## OIDC_JWKS_URI
+URI where to fetch the JWKS. Required if discovery is disabled and the "openid" 
+scope is used.
+
+## OIDC_MAPPING_PROVIDER
+- default: synapse.handlers.oidc_handler.JinjaOidcMappingProvider
+
+Python module for mapping attributes returned from a OIDC provider onto a matrix 
+user.
+
+## OIDC_ALLOW_EXISTING_USER
+- default: false
+
+Whether to allow a user logging in via OIDC to match a pre-existing account 
+instead of failing.
+
+## SSO_CLIENT_WHITELIST
+- default: []
+
+A semi colon separated list of client URLs which are whitelisted so that the user does not have to 
+confirm giving access to their account to the URL.
 
 # Ports
 - 8008
-
-# Capabilities
-- CHOWN
-- DAC_OVERRIDE
-- FOWNER
-- NET_BIND_SERVICE
-- SETGID
-- SETUID

rootfs/etc/confd/templates/server.yaml.tmpl

@@ -1,17 +1,3 @@
-# This file is maintained as an up-to-date snapshot of the default
-# homeserver.yaml configuration generated by Synapse.
-#
-# It is intended to act as a reference for the default configuration,
-# helping admins keep track of new options and other changes, and compare
-# their configs with the current default.  As such, many of the actual
-# config values shown are placeholders.
-#
-# It is *not* intended to be copied and used as the basis for a real
-# homeserver.yaml. Instead, if you are starting from scratch, please generate
-# a fresh config using Synapse by following the instructions in INSTALL.md.
-
-################################################################################
-
 # Configuration file for Synapse.
 #
 # This is a YAML file: see [1] for a quick introduction. Note in particular
@@ -22,10 +8,23 @@
 
 ## Server ##
 
-# The domain name of the server, with optional explicit port.
+# The public-facing domain of the server
-# This is used by remote servers to connect to this server,
+#
-# e.g. matrix.org, localhost:8080, etc.
+# The server_name name will appear at the end of usernames and room addresses
-# This is also the last part of your UserID.
+# created on this server. For example if the server_name was example.com,
+# usernames on this server would be in the format @user:example.com
+#
+# In most cases you should avoid using a matrix specific subdomain such as
+# matrix.example.com or synapse.example.com as the server_name for the same
+# reasons you wouldn't use user@email.example.com as your email address.
+# See https://github.com/matrix-org/synapse/blob/master/docs/delegate.md
+# for information on how to host Synapse on a subdomain while preserving
+# a clean server_name.
+#
+# The server_name cannot be changed later so it is important to
+# configure this correctly before you start Synapse. It should be all
+# lowercase and may contain an explicit port.
+# Examples: matrix.org, localhost:8080
 #
 server_name: "{{getenv "SERVER_NAME"}}"
 
@@ -95,7 +94,7 @@ use_presence: true
 # For example, for room version 1, default_room_version should be set
 # to "1".
 #
-#default_room_version: "5"
+#default_room_version: "6"
 
 # The GC threshold parameters to pass to `gc.set_threshold`, if defined
 #
@@ -314,6 +313,10 @@ limit_remote_rooms:
   #
   #complexity_error: "This room is too complex."
 
+  # allow server admins to join complex rooms. Default is false.
+  #
+  #admins_can_join: true
+
 # Whether to require a user to be in the room to add an alias to it.
 # Defaults to 'true'.
 #
@@ -363,11 +366,10 @@ retention:
   #  min_lifetime: 1d
   #  max_lifetime: 1y
 
-  # Retention policy limits. If set, a user won't be able to send a
+  # Retention policy limits. If set, and the state of a room contains a
-  # 'm.room.retention' event which features a 'min_lifetime' or a 'max_lifetime'
+  # 'm.room.retention' event in its state which contains a 'min_lifetime' or a
-  # that's not within this range. This is especially useful in closed federations,
+  # 'max_lifetime' that's out of these bounds, Synapse will cap the room's policy
-  # in which server admins can make sure every federating server applies the same
+  # to these limits when running purge jobs.
-  # rules.
   #
   #allowed_lifetime_min: 1d
   #allowed_lifetime_max: 1y
@@ -393,12 +395,19 @@ retention:
   # (e.g. every 12h), but not want that purge to be performed by a job that's
   # iterating over every room it knows, which could be heavy on the server.
   #
+  # If any purge job is configured, it is strongly recommended to have at least
+  # a single job with neither 'shortest_max_lifetime' nor 'longest_max_lifetime'
+  # set, or one job without 'shortest_max_lifetime' and one job without
+  # 'longest_max_lifetime' set. Otherwise some rooms might be ignored, even if
+  # 'allowed_lifetime_min' and 'allowed_lifetime_max' are set, because capping a
+  # room's policy to these values is done after the policies are retrieved from
+  # Synapse's database (which is done using the range specified in a purge job's
+  # configuration).
+  #
   #purge_jobs:
-  #  - shortest_max_lifetime: 1d
+  #  - longest_max_lifetime: 3d
-  #    longest_max_lifetime: 3d
   #    interval: 12h
   #  - shortest_max_lifetime: 3d
-  #    longest_max_lifetime: 1y
   #    interval: 1d
 
 # Inhibits the /requestToken endpoints from returning an error that might leak
@@ -411,6 +420,24 @@ retention:
 #
 #request_token_inhibit_3pid_errors: true
 
+# A list of domains that the domain portion of 'next_link' parameters
+# must match.
+#
+# This parameter is optionally provided by clients while requesting
+# validation of an email or phone number, and maps to a link that
+# users will be automatically redirected to after validation
+# succeeds. Clients can make use this parameter to aid the validation
+# process.
+#
+# The whitelist is applied whether the homeserver or an
+# identity server is handling validation.
+#
+# The default value is no whitelist functionality; all domains are
+# allowed. Setting this value to an empty list will instead disallow
+# all domains.
+#
+#next_link_domain_whitelist: ["matrix.org"]
+
 
 ## TLS ##
 
@@ -426,11 +453,11 @@ retention:
 # instance, if using certbot, use `fullchain.pem` as your certificate,
 # not `cert.pem`).
 #
-#tls_certificate_path: "CONFDIR/SERVERNAME.tls.crt"
+#tls_certificate_path: "/my.domain.name.tls.crt"
 
 # PEM-encoded private key for TLS
 #
-#tls_private_key_path: "CONFDIR/SERVERNAME.tls.key"
+#tls_private_key_path: "/my.domain.name.tls.key"
 
 # Whether to verify TLS server certificates for outbound federation requests.
 #
@@ -547,7 +574,7 @@ acme:
     #
     # If unspecified, we will use CONFDIR/client.key.
     #
-    account_key_file: DATADIR/acme_account.key
+    account_key_file: /acme_account.key
 
 # List of allowed TLS fingerprints for this server to publish along
 # with the signing keys for this server. Other matrix servers that
@@ -577,6 +604,7 @@ acme:
 #tls_fingerprints: [{"sha256": "<base64_encoded_sha256_fingerprint>"}]
 
 
+## Federation ##
 
 # Restrict federation to the following whitelist of domains.
 # N.B. we recommend also firewalling your federation listener to limit
@@ -610,6 +638,17 @@ federation_ip_range_blacklist:
   - 'fe80::/64'
   - 'fc00::/7'
 
+# Report prometheus metrics on the age of PDUs being sent to and received from
+# the following domains. This can be used to give an idea of "delay" on inbound
+# and outbound federation, though be aware that any delay can be due to problems
+# at either end or with the intermediate network.
+#
+# By default, no domains are monitored in this way.
+#
+#federation_metrics_domains:
+#  - matrix.org
+#  - example.com
+
 
 ## Caching ##
 
@@ -622,7 +661,7 @@ federation_ip_range_blacklist:
 # The number of events to cache in memory. Not affected by
 # caches.global_factor.
 #
-event_cache_size: 10K
+#event_cache_size: 10K
 
 caches:
    # Controls the global cache factor, which is the default cache factor
@@ -734,6 +773,10 @@ log_config: "/var/lib/matrix-synapse/log.config"
 #   - one for ratelimiting redactions by room admins. If this is not explicitly
 #     set then it uses the same ratelimiting as per rc_message. This is useful
 #     to allow room admins to deal with abuse quickly.
+#   - two for ratelimiting number of rooms a user can join, "local" for when
+#     users are joining rooms the server is already in (this is cheap) vs
+#     "remote" for when users are trying to join rooms not on the server (which
+#     can be more expensive)
 #
 # The defaults are as shown below.
 #
@@ -759,6 +802,14 @@ log_config: "/var/lib/matrix-synapse/log.config"
 #rc_admin_redaction:
 #  per_second: 1
 #  burst_count: 50
+#
+#rc_joins:
+#  local:
+#    per_second: 0.1
+#    burst_count: 3
+#  remote:
+#    per_second: 0.01
+#    burst_count: 3
 
 
 # Ratelimiting settings for incoming federation
@@ -987,11 +1038,11 @@ url_preview_accept_language:
 
 # The public URIs of the TURN server to give to clients
 #
-turn_uris: [{{getenv "TURN_URIS" "[]"}}]
+#turn_uris: [{{getenv "TURN_URIS" ""}}]
 
 # The shared secret used to compute passwords for the TURN server
 #
-turn_shared_secret: "{{getenv "TURN_SHARED_SECRET"}}"
+#turn_shared_secret: "{{getenv "TURN_SHARED_SECRET"}}"
 
 # The Username and password if the TURN server needs them and
 # does not use a token
@@ -1124,7 +1175,7 @@ account_validity:
 # If set, allows registration of standard or admin accounts by anyone who
 # has the shared secret, even if registration is otherwise disabled.
 #
-#registration_shared_secret: <PRIVATE STRING>
+registration_shared_secret: "BdTL~rq@=X1B#WKaj;U*oP,Bjz8MM7oolJE*8qN@xB4cwCL#EQ"
 
 # Set the number of bcrypt rounds used to generate password hash.
 # Larger numbers increase the work factor needed to generate the hash.
@@ -1148,24 +1199,6 @@ account_validity:
 #
 default_identity_server: https://matrix.org
 
-# The list of identity servers trusted to verify third party
-# identifiers by this server.
-#
-# Also defines the ID server which will be called when an account is
-# deactivated (one will be picked arbitrarily).
-#
-# Note: This option is deprecated. Since v0.99.4, Synapse has tracked which identity
-# server a 3PID has been bound to. For 3PIDs bound before then, Synapse runs a
-# background migration script, informing itself that the identity server all of its
-# 3PIDs have been bound to is likely one of the below.
-#
-# As of Synapse v1.4.0, all other functionality of this option has been deprecated, and
-# it is now solely used for the purposes of the background migration script, and can be
-# removed once it has run.
-#trusted_third_party_id_servers:
-#  - matrix.org
-#  - vector.im
-
 # Handle threepid (email/phone etc) registration and password resets through a set of
 # *trusted* identity servers. Note that this allows the configured identity server to
 # reset passwords for accounts!
@@ -1175,8 +1208,9 @@ default_identity_server: https://matrix.org
 # email will be globally disabled.
 #
 # Additionally, if `msisdn` is not set, registration and password resets via msisdn
-# will be disabled regardless. This is due to Synapse currently not supporting any
+# will be disabled regardless, and users will not be able to associate an msisdn
-# method of sending SMS messages on its own.
+# identifier to their account. This is due to Synapse currently not supporting
+# any method of sending SMS messages on its own.
 #
 # To enable using an identity server for operations regarding a particular third-party
 # identifier type, set the value to the URL of that identity server as shown in the
@@ -1321,7 +1355,7 @@ metrics_flags:
 
 # Whether or not to report anonymized homeserver usage statistics.
 #
-report_stats: true
+report_stats: false
 
 # The endpoint to report the anonymized homeserver usage statistics to.
 # Defaults to https://matrix.org/report-usage-stats/push
@@ -1350,7 +1384,6 @@ app_service_config_files: {{if not (getenv "REGISTRATIONS")}}[]{{end}}
 {{end}}
 {{end}}
 
-
 # Uncomment to enable tracking of application service IP addresses. Implicitly
 # enables MAU tracking for application service users.
 #
@@ -1454,16 +1487,22 @@ suppress_key_server_warning: true
 
 ## Single sign-on integration ##
 
+# The following settings can be used to make Synapse use a single sign-on
+# provider for authentication, instead of its internal password database.
+#
+# You will probably also want to set the following options to `false` to
+# disable the regular login/registration flows:
+#   * enable_registration
+#   * password_config.enabled
+#
+# You will also want to investigate the settings under the "sso" configuration
+# section below.
+
 # Enable SAML2 for registration and login. Uses pysaml2.
 #
 # At least one of `sp_config` or `config_path` must be set in this section to
 # enable SAML login.
 #
-# (You will probably also want to set the following options to `false` to
-# disable the regular login/registration flows:
-#   * enable_registration
-#   * password_config.enabled
-#
 # Once SAML support is enabled, a metadata file will be exposed at
 # https://<server>:<port>/_matrix/saml2/metadata.xml, which you may be able to
 # use to configure your SAML IdP with. Alternatively, you can manually configure
@@ -1478,36 +1517,66 @@ saml2_config:
   # so it is not normally necessary to specify them unless you need to
   # override them.
   #
-  #sp_config:
+  sp_config:
-  #  # point this to the IdP's metadata. You can use either a local file or
+    # Point this to the IdP's metadata. You must provide either a local
-  #  # (preferably) a URL.
+    # file via the `local` attribute or (preferably) a URL via the
-  #  metadata:
+    # `remote` attribute.
-  #    #local: ["saml2/idp.xml"]
+    #
+    #metadata:
+    #  local: ["saml2/idp.xml"]
     #  remote:
     #    - url: https://our_idp/metadata.xml
+
+    # Allowed clock difference in seconds between the homeserver and IdP.
     #
-  #  # By default, the user has to go to our login page first. If you'd like
+    # Uncomment the below to increase the accepted time difference from 0 to 3 seconds.
-  #  # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
-  #  # 'service.sp' section:
-  #  #
-  #  #service:
-  #  #  sp:
-  #  #    allow_unsolicited: true
     #
-  #  # The examples below are just used to generate our metadata xml, and you
+    #accepted_time_diff: 3
-  #  # may well not need them, depending on your setup. Alternatively you
+
-  #  # may need a whole lot more detail - see the pysaml2 docs!
+    # By default, the user has to go to our login page first. If you'd like
+    # to allow IdP-initiated login, set 'allow_unsolicited: true' in a
+    # 'service.sp' section:
     #
-  #  description: ["My awesome SP", "en"]
+    #service:
-  #  name: ["Test SP", "en"]
+    #  sp:
-  #
+    #    allow_unsolicited: true
-  #  organization:
+
+    # The examples below are just used to generate our metadata xml, and you
+    # may well not need them, depending on your setup. Alternatively you
+    # may need a whole lot more detail - see the pysaml2 docs!
+
+    #description: ["My awesome SP", "en"]
+    #name: ["Test SP", "en"]
+
+    #ui_info:
+    #  display_name:
+    #    - lang: en
+    #      text: "Display Name is the descriptive name of your service."
+    #  description:
+    #    - lang: en
+    #      text: "Description should be a short paragraph explaining the purpose of the service."
+    #  information_url:
+    #    - lang: en
+    #      text: "https://example.com/terms-of-service"
+    #  privacy_statement_url:
+    #    - lang: en
+    #      text: "https://example.com/privacy-policy"
+    #  keywords:
+    #    - lang: en
+    #      text: ["Matrix", "Element"]
+    #  logo:
+    #    - lang: en
+    #      text: "https://example.com/logo.svg"
+    #      width: "200"
+    #      height: "80"
+
+    #organization:
     #  name: Example com
     #  display_name:
     #    - ["Example co", "en"]
     #  url: "http://example.com"
-  #
+
-  #  contact_person:
+    #contact_person:
     #  - given_name: Bob
     #    sur_name: "the Sysadmin"
     #    email_address": ["admin@example.com"]
@@ -1516,7 +1585,7 @@ saml2_config:
   # Instead of putting the config inline as above, you can specify a
   # separate pysaml2 configuration file:
   #
-  #config_path: "CONFDIR/sp_conf.py"
+  #config_path: "//sp_conf.py"
 
   # The lifetime of a SAML session. This defines how long a user has to
   # complete the authentication process, if allow_unsolicited is unset.
@@ -1575,67 +1644,60 @@ saml2_config:
   #
   #grandfathered_mxid_source_attribute: upn
 
-  # Directory in which Synapse will try to find the template files below.
+  # It is possible to configure Synapse to only allow logins if SAML attributes
-  # If not set, default templates from within the Synapse package will be used.
+  # match particular values. The requirements can be listed under
+  # `attribute_requirements` as shown below. All of the listed attributes must
+  # match for the login to be permitted.
   #
-  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+  #attribute_requirements:
-  # If you *do* uncomment it, you will need to make sure that all the templates
+  #  - attribute: userGroup
-  # below are in the directory.
+  #    value: "staff"
+  #  - attribute: department
+  #    value: "sales"
+
+  # If the metadata XML contains multiple IdP entities then the `idp_entityid`
+  # option must be set to the entity to redirect users to.
   #
-  # Synapse will look for the following templates in this directory:
+  # Most deployments only have a single IdP entity and so should omit this
+  # option.
   #
-  # * HTML page to display to users if something goes wrong during the
+  #idp_entityid: 'https://our_idp/entityid'
-  #   authentication process: 'saml_error.html'.
-  #
-  #   When rendering, this template is given the following variables:
-  #     * code: an HTML error code corresponding to the error that is being
-  #       returned (typically 400 or 500)
-  #
-  #     * msg: a textual message describing the error.
-  #
-  #   The variables will automatically be HTML-escaped.
-  #
-  # You can see the default templates at:
-  # https://github.com/matrix-org/synapse/tree/master/synapse/res/templates
-  #
-  #template_dir: "res/templates"
 
 
-# OpenID Connect integration. The following settings can be used to make Synapse
+# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
-# use an OpenID Connect Provider for authentication, instead of its internal
-# password database.
 #
-# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md.
+# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
+# for some example configurations.
 #
 oidc_config:
   # Uncomment the following to enable authorization against an OpenID Connect
   # server. Defaults to false.
   #
-  #enabled: true
+  enabled: "{{getenv "OIDC_ENABLED" "false"}}"
 
   # Uncomment the following to disable use of the OIDC discovery mechanism to
   # discover endpoints. Defaults to true.
   #
-  #discover: false
+  discover: "{{getenv "OIDC_DISCOVER" "true"}}"
 
   # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to
   # discover the provider's endpoints.
   #
   # Required if 'enabled' is true.
   #
-  #issuer: "https://accounts.example.com/"
+  issuer: "{{getenv "OIDC_ISSUER" "true"}}"
 
   # oauth2 client id to use.
   #
   # Required if 'enabled' is true.
   #
-  #client_id: "provided-by-your-issuer"
+  client_id: "{{getenv "OIDC_CLIENT_ID"}}"
 
   # oauth2 client secret to use.
   #
   # Required if 'enabled' is true.
   #
-  #client_secret: "provided-by-your-issuer"
+  client_secret: "{{getenv "OIDC_CLIENT_SECRET"}}"
 
   # auth method to use when exchanging the token.
   # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
@@ -1646,25 +1708,25 @@ oidc_config:
   # list of scopes to request. This should normally include the "openid" scope.
   # Defaults to ["openid"].
   #
-  #scopes: ["openid", "profile"]
+  scopes: [{{getenv "OIDC_SCOPES" "\"openid\""}}]
 
   # the oauth2 authorization endpoint. Required if provider discovery is disabled.
   #
-  #authorization_endpoint: "https://accounts.example.com/oauth2/auth"
+  authorization_endpoint: "{{getenv "OIDC_AUTH_ENDPOINT"}}"
 
   # the oauth2 token endpoint. Required if provider discovery is disabled.
   #
-  #token_endpoint: "https://accounts.example.com/oauth2/token"
+  token_endpoint: "{{getenv "OIDC_TOKEN_ENDPOINT"}}"
 
   # the OIDC userinfo endpoint. Required if discovery is disabled and the
   # "openid" scope is not requested.
   #
-  #userinfo_endpoint: "https://accounts.example.com/userinfo"
+  userinfo_endpoint: "{{getenv "OIDC_USERINFO_ENDPOINT"}}"
 
   # URI where to fetch the JWKS. Required if discovery is disabled and the
   # "openid" scope is used.
   #
-  #jwks_uri: "https://accounts.example.com/.well-known/jwks.json"
+  jwks_uri: "{{getenv "OIDC_JWKS_URI"}}"
 
   # Uncomment to skip metadata verification. Defaults to false.
   #
@@ -1674,6 +1736,19 @@ oidc_config:
   #
   #skip_verification: true
 
+  # Whether to fetch the user profile from the userinfo endpoint. Valid
+  # values are: "auto" or "userinfo_endpoint".
+  #
+  # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included
+  # in `scopes`. Uncomment the following to always fetch the userinfo endpoint.
+  #
+  #user_profile_method: "userinfo_endpoint"
+
+  # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
+  # of failing. This could be used if switching from password logins to OIDC. Defaults to false.
+  #
+  allow_existing_users:  "{{getenv "OIDC_ALLOW_EXISTING_USER", "false"}}"
+
   # An external module can be provided here as a custom solution to mapping
   # attributes returned from a OIDC provider onto a matrix user.
   #
@@ -1684,7 +1759,7 @@ oidc_config:
     # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
     # for information on implementing a custom mapping provider.
     #
-    #module: mapping_provider.OidcMappingProvider
+    module: "{{getenv "OIDC_MAPPING_PROVIDER", "synapse.handlers.oidc_handler.JinjaOidcMappingProvider"}}"
 
     # Custom configuration values for the module. This section will be passed as
     # a Python dictionary to the user mapping provider module's `parse_config`
@@ -1707,25 +1782,55 @@ oidc_config:
       #
       # This must be configured if using the default mapping provider.
       #
-      localpart_template: "user.preferred_username"
+      localpart_template: "{{ user.preferred_username }}"
 
       # Jinja2 template for the display name to set on first login.
       #
       # If unset, no displayname will be set.
       #
-      #display_name_template: "user.given_name user.last_name"
+      #display_name_template: "{{ user.given_name }} {{ user.last_name }}"
+
+      # Jinja2 templates for extra attributes to send back to the client during
+      # login.
+      #
+      # Note that these are non-standard and clients will ignore them without modifications.
+      #
+      #extra_attributes:
+        #birthdate: "{{ user.birthdate }}"
 
 
 
-# Enable CAS for registration and login.
+# Enable Central Authentication Service (CAS) for registration and login.
 #
-#cas_config:
+cas_config:
-#   enabled: true
+  # Uncomment the following to enable authorization against a CAS server.
-#   server_url: "https://cas-server.com"
+  # Defaults to false.
-#   service_url: "https://homeserver.domain.com:8448"
+  #
-#   #displayname_attribute: name
+  #enabled: true
-#   #required_attributes:
+
-#   #    name: value
+  # The URL of the CAS authorization endpoint.
+  #
+  #server_url: "https://cas-server.com"
+
+  # The public URL of the homeserver.
+  #
+  #service_url: "https://homeserver.domain.com:8448"
+
+  # The attribute of the CAS response to use as the display name.
+  #
+  # If unset, no displayname will be set.
+  #
+  #displayname_attribute: name
+
+  # It is possible to configure Synapse to only allow logins if CAS attributes
+  # match particular values. All of the keys in the mapping below must exist
+  # and the values must match the given value. Alternately if the given value
+  # is None then any value is allowed (the attribute just must exist).
+  # All of the listed attributes must match for the login to be permitted.
+  #
+  #required_attributes:
+  #  userGroup: "staff"
+  #  department: None
 
 
 # Additional settings to use with single-sign on systems such as OpenID Connect,
@@ -1748,9 +1853,12 @@ sso:
     #
     # By default, this list is empty.
     #
-    #client_whitelist:
+    client_whitelist: {{if not (getenv "SSO_CLIENT_WHITELIST")}}[]{{end}}
-    #  - https://riot.im/develop
+    {{- if (getenv "SSO_CLIENT_WHITELIST")}}
-    #  - https://my.custom.client/
+    {{- range $client := split (getenv "SSO_CLIENT_WHITELIST") ";"}}
+      - {{ $client -}}
+    {{end}}
+    {{end}}
 
     # Directory in which Synapse will try to find the template files below.
     # If not set, default templates from within the Synapse package will be used.
@@ -1825,7 +1933,7 @@ sso:
 # and issued at ("iat") claims are validated if present.
 #
 # Note that this is a non-standard login type and client support is
-# expected to be non-existant.
+# expected to be non-existent.
 #
 # See https://github.com/matrix-org/synapse/blob/master/docs/jwt.md.
 #
@@ -1873,7 +1981,7 @@ sso:
 password_config:
    # Uncomment to disable password login
    #
-   #enabled: false
+   enabled: {{ not (getenv "OIDC_ENABLED" "false") }}
 
    # Uncomment to disable authentication against the local password
    # database. This is ignored if `enabled` is false, and is only useful
@@ -1989,9 +2097,7 @@ email:
   # Directory in which Synapse will try to find the template files below.
   # If not set, default templates from within the Synapse package will be used.
   #
-  # DO NOT UNCOMMENT THIS SETTING unless you want to customise the templates.
+  # Do not uncomment this setting unless you want to customise the templates.
-  # If you *do* uncomment it, you will need to make sure that all the templates
-  # below are in the directory.
   #
   # Synapse will look for the following templates in this directory:
   #
@@ -2004,9 +2110,13 @@ email:
   # * The contents of password reset emails sent by the homeserver:
   #   'password_reset.html' and 'password_reset.txt'
   #
-  # * HTML pages for success and failure that a user will see when they follow
+  # * An HTML page that a user will see when they follow the link in the password
-  #   the link in the password reset email: 'password_reset_success.html' and
+  #   reset email. The user will be asked to confirm the action before their
-  #   'password_reset_failure.html'
+  #   password is reset: 'password_reset_confirmation.html'
+  #
+  # * HTML pages for success and failure that a user will see when they confirm
+  #   the password reset flow using the page above: 'password_reset_success.html'
+  #   and 'password_reset_failure.html'
   #
   # * The contents of address verification emails sent during registration:
   #   'registration.html' and 'registration.txt'
@@ -2125,20 +2235,35 @@ password_providers:
 
 
 
-# Clients requesting push notifications can either have the body of
+## Push ##
-# the message sent in the notification poke along with other details
+
-# like the sender, or just the event ID and room ID (`event_id_only`).
+push:
-# If clients choose the former, this option controls whether the
+  # Clients requesting push notifications can either have the body of
-# notification request includes the content of the event (other details
+  # the message sent in the notification poke along with other details
-# like the sender are still included). For `event_id_only` push, it
+  # like the sender, or just the event ID and room ID (`event_id_only`).
-# has no effect.
+  # If clients choose the former, this option controls whether the
-#
+  # notification request includes the content of the event (other details
-# For modern android devices the notification content will still appear
+  # like the sender are still included). For `event_id_only` push, it
-# because it is loaded by the app. iPhone, however will send a
+  # has no effect.
-# notification saying only that a message arrived and who it came from.
+  #
-#
+  # For modern android devices the notification content will still appear
-#push:
+  # because it is loaded by the app. iPhone, however will send a
-#  include_content: true
+  # notification saying only that a message arrived and who it came from.
+  #
+  # The default value is "true" to include message details. Uncomment to only
+  # include the event ID and room ID in push notification payloads.
+  #
+  #include_content: false
+
+  # When a push notification is received, an unread count is also sent.
+  # This number can either be calculated as the number of unread messages
+  # for the user, or the number of *rooms* the user has unread messages in.
+  #
+  # The default value is "true", meaning push clients will see the number of
+  # rooms with unread messages in them. Uncomment to instead send the number
+  # of unread messages.
+  #
+  #group_unread_count_by_room: false
 
 
 # Spam checkers are third-party modules that can block specific actions
@@ -2171,7 +2296,7 @@ spam_checker:
 # Note that this option will only affect rooms created after it is set. It
 # will also not affect rooms created by other servers.
 #
-encryption_enabled_by_default_for_room_type: "off"
+#encryption_enabled_by_default_for_room_type: invite
 
 
 # Uncomment to allow non-server-admin users to create groups on this server
@@ -2339,7 +2464,7 @@ encryption_enabled_by_default_for_room_type: "off"
 #
 # Options for the rules include:
 #
-#   user_id: Matches agaisnt the creator of the alias
+#   user_id: Matches against the creator of the alias
 #   room_id: Matches against the room ID being published
 #   alias: Matches against any current local or canonical aliases
 #            associated with the room
@@ -2369,7 +2494,7 @@ encryption_enabled_by_default_for_room_type: "off"
 
 ## Opentracing ##
 
-# These settings enable opentracing, which im plements distributed tracing.
+# These settings enable opentracing, which implements distributed tracing.
 # This allows you to observe the causal chains of events across servers
 # including requests, key lookups etc., across any server running
 # synapse or any other other services which supports opentracing
@@ -2385,7 +2510,7 @@ opentracing:
     # This is a list of regexes which are matched against the server_name of the
     # homeserver.
     #
-    # By defult, it is empty, so no servers are matched.
+    # By default, it is empty, so no servers are matched.
     #
     #homeserver_whitelist:
     #  - ".*"
@@ -2405,3 +2530,63 @@ opentracing:
     #
     #  logging:
     #    false
+
+
+## Workers ##
+
+# Disables sending of outbound federation transactions on the main process.
+# Uncomment if using a federation sender worker.
+#
+#send_federation: false
+
+# It is possible to run multiple federation sender workers, in which case the
+# work is balanced across them.
+#
+# This configuration must be shared between all federation sender workers, and if
+# changed all federation sender workers must be stopped at the same time and then
+# started, to ensure that all instances are running with the same config (otherwise
+# events may be dropped).
+#
+#federation_sender_instances:
+#  - federation_sender1
+
+# When using workers this should be a map from `worker_name` to the
+# HTTP replication listener of the worker, if configured.
+#
+#instance_map:
+#  worker1:
+#    host: localhost
+#    port: 8034
+
+# Experimental: When using workers you can define which workers should
+# handle event persistence and typing notifications. Any worker
+# specified here must also be in the `instance_map`.
+#
+#stream_writers:
+#  events: worker1
+#  typing: worker1
+
+# The worker that is used to run background tasks (e.g. cleaning up expired
+# data). If not provided this defaults to the main process.
+#
+#run_background_tasks_on: worker1
+
+
+# Configuration for Redis when using workers. This *must* be enabled when
+# using workers (unless using old style direct TCP configuration).
+#
+redis:
+  # Uncomment the below to enable Redis support.
+  #
+  #enabled: true
+
+  # Optional host and port to use to connect to redis. Defaults to
+  # localhost and 6379
+  #
+  #host: localhost
+  #port: 6379
+
+  # Optional password if configured on the Redis instance
+  #
+  #password: <secret_password>
+

rootfs/usr/lib/python3.8/site-packages/nextcloud_oicd_mapping_provider.py

@@ -0,0 +1,22 @@
+from synapse.handlers.oidc_handler import OidcMappingProvider
+
+
+class NextcloudOidcMappingProvider(OidcMappingProvider):
+    def __init__(self, config):
+        self._config = config
+
+    @staticmethod
+    def parse_config(config):
+        return {}
+
+    def get_remote_user_id(self, userinfo):
+        return userinfo["ocs"]["data"]["id"]
+
+    async def map_user_attributes(self, userinfo, token):
+        localpart = userinfo["ocs"]["data"]["id"]
+        display_name = userinfo["ocs"]["data"]["display-name"]
+        return {"localpart": localpart, "display_name": display_name}
+
+    async def get_extra_attributes(self, userinfo, token):
+        extras = {}
+        return extras