This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

The default OpenId Connect user mapping provider fails to initialize with default config #9213

Closed
tmortagne opened this issue Jan 23, 2021 · 2 comments · Fixed by #9229
Labels
S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@tmortagne
Contributor

tmortagne commented Jan 23, 2021

Enable OpenID Connect, configure the required properties (issuer, client_id, etc.) and don't change anything in user_mapping_provider (i.e. use the default user mapping behavior).

The OIDC section of the configuration looks like this:

# Enable OpenID Connect (OIDC) / OAuth 2.0 for registration and login.
#
# See https://github.com/matrix-org/synapse/blob/master/docs/openid.md
# for some example configurations.
#
oidc_config:
  # Uncomment the following to enable authorization against an OpenID Connect
  # server. Defaults to false.
  #
  enabled: true

  # Uncomment the following to disable use of the OIDC discovery mechanism to
  # discover endpoints. Defaults to true.
  #
  #discover: false

  # the OIDC issuer. Used to validate tokens and (if discovery is enabled) to
  # discover the provider's endpoints.
  #
  # Required if 'enabled' is true.
  #
  issuer: "https://myhost/oidc/"

  # oauth2 client id to use.
  #
  # Required if 'enabled' is true.
  #
  client_id: "matrix"

  # oauth2 client secret to use.
  #
  # Required if 'enabled' is true.
  #
  client_secret: "dontcare"

  # auth method to use when exchanging the token.
  # Valid values are 'client_secret_basic' (default), 'client_secret_post' and
  # 'none'.
  #
  #client_auth_method: client_secret_post

  # list of scopes to request. This should normally include the "openid" scope.
  # Defaults to ["openid"].
  #
  #scopes: ["openid", "profile"]

  # the oauth2 authorization endpoint. Required if provider discovery is disabled.
  #
  #authorization_endpoint: "https://accounts.example.com/oauth2/auth"
  # the oauth2 token endpoint. Required if provider discovery is disabled.
  #
  #token_endpoint: "https://accounts.example.com/oauth2/token"

  # the OIDC userinfo endpoint. Required if discovery is disabled and the
  # "openid" scope is not requested.
  #
  #userinfo_endpoint: "https://accounts.example.com/userinfo"

  # URI where to fetch the JWKS. Required if discovery is disabled and the
  # "openid" scope is used.
  #
  #jwks_uri: "https://accounts.example.com/.well-known/jwks.json"

  # Uncomment to skip metadata verification. Defaults to false.
  #
  # Use this if you are connecting to a provider that is not OpenID Connect
  # compliant.
  # Avoid this in production.
  #
  #skip_verification: true

  # Whether to fetch the user profile from the userinfo endpoint. Valid
  # values are: "auto" or "userinfo_endpoint".
  #
  # Defaults to "auto", which fetches the userinfo endpoint if "openid" is included
  # in `scopes`. Uncomment the following to always fetch the userinfo endpoint.
  #
  #user_profile_method: "userinfo_endpoint"

  # Uncomment to allow a user logging in via OIDC to match a pre-existing account instead
  # of failing. This could be used if switching from password logins to OIDC. Defaults to false.
  #
  #allow_existing_users: true

  # An external module can be provided here as a custom solution to mapping
  # attributes returned from a OIDC provider onto a matrix user.
  #
  user_mapping_provider:
    # The custom module's class. Uncomment to use a custom module.
    # Default is 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider'.
    #
    # See https://github.com/matrix-org/synapse/blob/master/docs/sso_mapping_providers.md#openid-mapping-providers
    # for information on implementing a custom mapping provider.
    #
    # module: mapping_provider.OidcMappingProvider

    # Custom configuration values for the module. This section will be passed as
    # a Python dictionary to the user mapping provider module's `parse_config`
    # method.

    #
    # The examples below are intended for the default provider: they should be
    # changed if using a custom provider.
    #
    config:
      # name of the claim containing a unique identifier for the user.
      # Defaults to `sub`, which OpenID Connect compliant providers should provide.
      #
      #subject_claim: "sub"

      # Jinja2 template for the localpart of the MXID.
      #
      # When rendering, this template is given the following variables:
      #   * user: The claims returned by the UserInfo Endpoint and/or in the ID
      #     Token
      #
      # If this is not set, the user will be prompted to choose their
      # own username.
      #
      #localpart_template: "{{ user.preferred_username }}"

      # Jinja2 template for the display name to set on first login.
      #
      # If unset, no displayname will be set.
      #
      #display_name_template: "{{ user.given_name }} {{ user.last_name }}"

      # Jinja2 templates for extra attributes to send back to the client during
      # login.
      #
      # Note that these are non-standard and clients will ignore them without modifications.
      #
      #extra_attributes:
        #birthdate: "{{ user.birthdate }}"

Synapse won't start and logs the following error:

Jan 23 11:09:40 vps690980 matrix-synapse[10924]: Error in configuration at 'oidc_config.user_mapping_provider.config':
Jan 23 11:09:40 vps690980 matrix-synapse[10924]:   Failed to parse config for module 'synapse.handlers.oidc_handler.JinjaOidcMappingProvider':
Jan 23 11:09:40 vps690980 matrix-synapse[10924]:     'NoneType' object has no attribute 'get'

It seems you can work around this by setting one of the properties in user_mapping_provider:config: to its default (for example subject_claim: "sub"). At least I don't have the error anymore.

I'm hardly a Python expert, but it feels like when config: is totally empty it produces a NoneType object instead of a dictionary/map (or whatever is expected by the provider for the configuration) object, so the get() call in https://github.com/matrix-org/synapse/blob/develop/synapse/handlers/oidc_handler.py#L1157 crashes.

Version information

Synapse Debian package (matrix-synapse-py3) 1.25.0+stretch1.

System: Debian Stretch

@anoadragon453
Member

Thanks for the report! Looks like we were incorrectly passing None to modules if an empty config block was specified in the homeserver's config. I've created a PR to pass an empty dictionary in this case instead: #9229

@anoadragon453 anoadragon453 added S-Tolerable Minor significance, cosmetic issues, low or no impact to users. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. labels Jan 26, 2021
@tmortagne
Contributor Author

Thanks for the more accurate analysis and pull request @anoadragon453 :)
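The failure mode reported above (a `config:` key whose children are all commented out parses to YAML null, so the mapping provider receives None and its `.get()` call raises) and the two remedies discussed in the thread (the reporter's workaround of setting one property to its default, and the maintainer's fix of passing an empty dict instead of None) are modelled below as an added example. This is not Synapse's code and not code from the reporter or maintainer: the config dicts are constructed stand-ins for what `yaml.safe_load` returns for the posted homeserver.yaml, and `JinjaMappingConfig`, `ConfigError`, `describe_startup_failure` and the two loader functions are hypothetical names chosen for the example.

```python
"""Added example (not Synapse code): why an empty `config:` block crashes a
mapping provider's parse_config, the reported workaround, and the fix."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional

# Constructed stand-in for yaml.safe_load() applied to the issue's oidc_config
# section. A YAML key followed only by comments has no value, which loads as
# null, i.e. Python None, rather than as an empty mapping.
OIDC_CONFIG_EMPTY_BLOCK: Dict[str, Any] = {
    "enabled": True,
    "issuer": "https://myhost/oidc/",
    "client_id": "matrix",
    "client_secret": "dontcare",
    "user_mapping_provider": {
        "config": None,  # `config:` with every child commented out
    },
}

# Constructed stand-in for the reporter's workaround: uncommenting one default
# gives the key a real mapping value.
OIDC_CONFIG_WORKAROUND: Dict[str, Any] = {
    **OIDC_CONFIG_EMPTY_BLOCK,
    "user_mapping_provider": {"config": {"subject_claim": "sub"}},
}


class ConfigError(Exception):
    """Hypothetical error type for a malformed user_mapping_provider config."""


@dataclass
class JinjaMappingConfig:
    """Subset of the default provider's settings shown in the sample config."""
    subject_claim: str
    localpart_template: Optional[str]
    display_name_template: Optional[str]


def parse_config(config: Dict[str, Any]) -> JinjaMappingConfig:
    """Provider-side parse_config written the way the crashing code behaved:
    it assumes `config` is a mapping and calls .get() on it directly."""
    return JinjaMappingConfig(
        subject_claim=config.get("subject_claim", "sub"),
        localpart_template=config.get("localpart_template"),
        display_name_template=config.get("display_name_template"),
    )


def load_mapping_provider_before_fix(oidc_config: Dict[str, Any]) -> JinjaMappingConfig:
    """Homeserver side before #9229 (reconstructed for the example): whatever
    YAML produced under `config:` is handed to the module unchanged."""
    provider = oidc_config.get("user_mapping_provider") or {}
    return parse_config(provider.get("config"))


def load_mapping_provider_after_fix(oidc_config: Dict[str, Any]) -> JinjaMappingConfig:
    """Homeserver side after the fix: an absent or empty block becomes {}."""
    provider = oidc_config.get("user_mapping_provider") or {}
    return parse_config(provider.get("config") or {})


def parse_config_defensive(config: Any) -> JinjaMappingConfig:
    """What a custom provider module should do itself, since it cannot rely on
    every homeserver version normalising the block: treat None as empty and
    reject anything that is not a mapping at startup, not at first login."""
    if config is None:
        config = {}
    if not isinstance(config, dict):
        raise ConfigError(
            "user_mapping_provider.config must be a mapping, got %s"
            % type(config).__name__
        )
    return parse_config(config)


def describe_startup_failure(
    loader: Callable[[Dict[str, Any]], JinjaMappingConfig],
    oidc_config: Dict[str, Any],
) -> Optional[str]:
    """Run a loader the way a startup config check would and return the error
    text it would report, or None when the config loads cleanly."""
    try:
        loader(oidc_config)
    except AttributeError as exc:
        return "Failed to parse config for module: %s" % exc
    return None


if __name__ == "__main__":
    print(describe_startup_failure(load_mapping_provider_before_fix, OIDC_CONFIG_EMPTY_BLOCK))
    print(load_mapping_provider_after_fix(OIDC_CONFIG_EMPTY_BLOCK))
```

Running it reproduces the thread's error text for the empty block with the old loader, loads defaults (`subject_claim` "sub", no templates) with the fixed loader, and shows why the workaround helped: it changed the value of `config` from null to a one-key mapping. A custom provider should still apply the `parse_config_defensive` pattern itself, because silently accepting a non-mapping (a string, a list) would otherwise only surface when the first user tries to log in.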
