Skip to content
This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit 86415f1

Browse files
HugoDelvalHugoDelval
authored
doc: add django-oauth-toolkit to oidc doc (#10192)
Signed-off-by: Hugo Delval <[email protected]>
1 parent 0c1d6f6 commit 86415f1

File tree

2 files changed

+49
-0
lines changed

2 files changed

+49
-0
lines changed

changelog.d/10192.doc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
Add documentation on how to connect Django with synapse using oidc and django-oauth-toolkit. Contributed by @HugoDelval.

docs/openid.md

Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -450,3 +450,51 @@ The synapse config will look like this:
450450
config:
451451
email_template: "{{ user.email }}"
452452
```
453+
454+
## Django OAuth Toolkit
455+
456+
[django-oauth-toolkit](https://github.com/jazzband/django-oauth-toolkit) is a
457+
Django application providing out of the box all the endpoints, data and logic
458+
needed to add OAuth2 capabilities to your Django projects. It supports
459+
[OpenID Connect too](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html).
460+
461+
Configuration on Django's side:
462+
463+
1. Add an application: https://example.com/admin/oauth2_provider/application/add/ and choose parameters like this:
464+
* `Redirect uris`: https://synapse.example.com/_synapse/client/oidc/callback
465+
* `Client type`: `Confidential`
466+
* `Authorization grant type`: `Authorization code`
467+
* `Algorithm`: `HMAC with SHA-2 256`
468+
2. You can [customize the claims](https://django-oauth-toolkit.readthedocs.io/en/latest/oidc.html#customizing-the-oidc-responses) Django gives to synapse (optional):
469+
<details>
470+
<summary>Code sample</summary>
471+
472+
```python
473+
class CustomOAuth2Validator(OAuth2Validator):
474+
475+
def get_additional_claims(self, request):
476+
return {
477+
"sub": request.user.email,
478+
"email": request.user.email,
479+
"first_name": request.user.first_name,
480+
"last_name": request.user.last_name,
481+
}
482+
```
483+
</details>
484+
Your synapse config is then:
485+
486+
```yaml
487+
oidc_providers:
488+
- idp_id: django_example
489+
idp_name: "Django Example"
490+
issuer: "https://example.com/o/"
491+
client_id: "your-client-id" # CHANGE ME
492+
client_secret: "your-client-secret" # CHANGE ME
493+
scopes: ["openid"]
494+
user_profile_method: "userinfo_endpoint" # needed because oauth-toolkit does not include user information in the authorization response
495+
user_mapping_provider:
496+
config:
497+
localpart_template: "{{ user.email.split('@')[0] }}"
498+
display_name_template: "{{ user.first_name }} {{ user.last_name }}"
499+
email_template: "{{ user.email }}"
500+
```

0 commit comments

Comments
 (0)