David Robertson
32a59a6495
Keep track of `user_ips` and `monthly_active_users` when delegating auth (#16672)
* Describe `insert_client_ip`
* Pull out client_ips and MAU tracking to BaseAuth
* Define HAS_AUTHLIB once in tests
sick of copypasting
* Track ips and token usage when delegating auth
* Test that we track MAU and user_ips
* Don't track `__oidc_admin`
2023-11-23 12:35:37 +00:00
Christoph
32fd9bc673
Fix possible AttributeError when account-api is called over unix socket (#16404)
Fixes #16396
2023-10-09 10:16:07 +01:00
Erik Johnston
954921736b
Refactor `get_user_by_id` (#16316)
2023-09-14 12:46:30 +01:00
Quentin Gliech
1940d990a3
Revert MSC3861 introspection cache, admin impersonation and account lock (#16258)
2023-09-06 15:19:51 +01:00
Shay
69048f7b48
Add an admin endpoint to allow authorizing server to signal token revocations (#16125)
2023-08-22 14:15:34 +00:00
Mathieu Velten
2d15e39684
MSC3861: allow impersonation by an admin using a query param (#16132)
2023-08-18 15:46:46 +02:00
Erik Johnston
6130afb862
Add response time metrics for introspection requests (#16131)
See #16119
2023-08-18 12:16:00 +01:00
Shay
54a51ff6c1
Cache token introspection response from OIDC provider (#16117)
2023-08-17 10:53:10 -07:00
Mathieu Velten
dac97642e4
Implements admin API to lock a user (MSC3939) (#15870)
2023-08-10 09:10:55 +00:00
Patrick Cloke
c01343de43
Add stricter mypy options (#15694)
Enable warn_unused_configs, strict_concatenate, disallow_subclassing_any,
and disallow_incomplete_defs.
2023-05-31 07:18:29 -04:00
Quentin Gliech
ceb3dd77db
Enforce that an admin token also has the basic Matrix API scope
2023-05-30 09:43:06 -04:00
Quentin Gliech
f739bde962
Reject tokens with multiple device scopes
2023-05-30 09:43:06 -04:00
Quentin Gliech
98afc57d59
Make OIDC scope constants
2023-05-30 09:43:06 -04:00
Quentin Gliech
14a5be9c4d
Handle errors when introspecting tokens
This returns a proper 503 when the introspection endpoint is not working
for some reason, which should avoid logging out clients in those cases.
2023-05-30 09:43:06 -04:00
Quentin Gliech
4d0231b364
Make AS tokens work & allow ASes to /register
2023-05-30 09:43:06 -04:00
Quentin Gliech
c008b44b4f
Add an admin token for MAS -> Synapse calls
2023-05-30 09:43:06 -04:00
Hugh Nimmo-Smith
249f4a338d
Refactor config to be an experimental feature
Also enforce you can't combine it with incompatible config options
2023-05-30 09:43:06 -04:00
Hugh Nimmo-Smith
5fe96082d0
Actually enforce guest + return www-authenticate header
2023-05-30 09:43:06 -04:00
Hugh Nimmo-Smith
a1374b5c70
MSC2967: Check access token scope for use as user and add guest support
2023-05-30 09:43:06 -04:00
Hugh Nimmo-Smith
d20669971a
Use `name` claim as display name when registering users on the fly.
This makes it so that the `name` claim got when introspecting the token
is used as the display name when registering a user on the fly.
2023-05-30 09:43:06 -04:00
Quentin Gliech
f9cd549f64
Record the `sub` claims as an external_id
2023-05-30 09:43:06 -04:00
Quentin Gliech
7628dbf4e9
Handle the Synapse admin scope
2023-05-30 09:43:06 -04:00
Quentin Gliech
c5cf1b421d
Save the scopes in the requester
2023-05-30 09:43:06 -04:00
Quentin Gliech
765244faee
Initial MSC3964 support: delegation of auth to OIDC server
2023-05-30 09:43:06 -04:00
Quentin Gliech
e2c8458bba
Make the api.auth.Auth a Protocol
2023-05-30 09:43:06 -04:00