New user moderation for users registering with OpenID Connect (OIDC)

[shaun-blake]

I would like to run a private Synapse server where users sign in with their Google account with OpenID Connect (OIDC). I would like to only allow certain users to register, though, instead of allowing all users with a google account to sign up. For my particular case, it would even work to enable OIDC registration while I'm adding users, then disable registration through OIDC but still allow OIDC for sign in.

Is this something that would be possible?

[erikjohnston]

I don't believe we have any way of doing that at the moment. An extension to the user mapping provider that allows rejecting users may be a nice way of solving this?

[HubbeKing]

I would personally like to see something similar to what the SAML and CAS single sign-on providers support, attribute_requirements - something that would let me only allow logins if the userinfo for the user contains certain attributes, maybe?

I am unsure as to how one would go about adding support for this, though. The openid authentication code in synapse looks a bit complex.

The documentation would have to make sure to mention that those attributes need to be part of the scopes that synapse requests, though. Otherwise it'd be quite easy to accidentally lock everyone out of signing in entirely, as the required attributes would never match.

Disabling registration would have to be global to SSO in general, however. If I'm reading the code right, the OIDC handler simply handles the OIDC portion of things, and then calls a general function in sso.py that handles finding an existing synapse user and registering a new one if there's no matches on the user id.

[clokep]

The spam checker's check_registration_for_spam is potentially related to this (also see #9572, but that's not the same request).

I would personally like to see something similar to what the SAML and CAS single sign-on providers support, attribute_requirements - something that would let me only allow logins if the userinfo for the user contains certain attributes, maybe?

It would be nice to have some more feature parity here. This should be fairly simple to add into the OIDC code:

• The config bits can mostly be copied from SAML (note that each provider should be able to have separate attributes).
• There would need to be some glue passing the config through to the provider.
• The OIDC login flow would need to be modified (around here) to call self._sso_handler.check_required_attributes.

There might be a bit more code necessary to munge the OIDC token into the correct form, but I think it is already very close.

[HubbeKing]

The actual check to self._sso_handler.check_require_attributes should just be as simple as checking userinfo against the required attributes, the actual fiddly part would be copying over the config bits from SAML and getting that into the OIDC handler... Which might not be a ton of work?

Gonna give it a fair go over the weekend, see if I can't wrangle something together.

[clokep]

the actual fiddly part would be copying over the config bits from SAML and getting that into the OIDC handler... Which might not be a ton of work?

I think that shouldn't be too bad. Please use the SAML stuff as a guide as it is a bit more flexible than the CAS stuff. Give a shout if you have any questions!

[clokep]

I think this is solvable via a combination of #9609 (which will be in Synapse v1.31.0) and #9572 (which will be in Synapse v1.30.0, but requires a custom spam checker).

[08d2]

There doesn't seem to be a way to set attribute_requirements so that it permits one of N possible values?

attribute_requirements:
  - attribute: username
    values: ["alice", "barry", "celia"]

Motivation: I'm trying to oidc with GitHub and permit only users in a specific org. Alas, org membership isn't part of the user info (as far as I can tell) so the back-up plan is to just enumerate specific user IDs in the config. But I can't do that either :(