This repository was archived by the owner on Apr 26, 2024. It is now read-only.

Commit 557fc19

villepeh authored and H-Shay committed
Add Mastodon SSO setup instructions to docs (#14594)
Fixes #14147
1 parent 89199ef commit 557fc19

2 files changed

Lines changed: 42 additions & 0 deletions


changelog.d/14594.doc

Lines changed: 1 addition & 0 deletions
@@ -0,0 +1 @@
1+
Add Single-Sign On setup instructions for Mastodon-based instances.
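Review bot: "Single-Sign On" is hyphenated inconsistently with the docs/openid.md hunk, which writes "single sign-on provider"; suggest `Add single sign-on setup instructions for Mastodon-based instances.` so the changelog and the docs agree.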

docs/openid.md

Lines changed: 41 additions & 0 deletions
@@ -590,3 +590,44 @@ oidc_providers:
590590
display_name_template: "{{ user.first_name }} {{ user.last_name }}"
591591
email_template: "{{ user.email }}"
592592
```
593+
594+
### Mastodon
595+
596+
[Mastodon](https://docs.joinmastodon.org/) instances provide an [OAuth API](https://docs.joinmastodon.org/spec/oauth/), allowing those instances to be used as a single sign-on provider for Synapse.
597+
598+
The first step is to register Synapse as an application with your Mastodon instance, using the [Create an application API](https://docs.joinmastodon.org/methods/apps/#create) (see also [here](https://docs.joinmastodon.org/client/token/)). There are several ways to do this, but in the example below we are using CURL.
599+
600+
This example assumes that:
601+
* the Mastodon instance website URL is `https://your.mastodon.instance.url`, and
602+
* Synapse will be registered as an app named `my_synapse_app`.
603+
604+
Send the following request, substituting the value of `synapse_public_baseurl` from your Synapse installation.
605+
```sh
606+
curl -d "client_name=my_synapse_app&redirect_uris=https://[synapse_public_baseurl]/_synapse/client/oidc/callback" -X POST https://your.mastodon.instance.url/api/v1/apps
607+
```
608+
609+
You should receive a response similar to the following. Make sure to save it.
610+
```json
611+
{"client_id":"someclientid_123","client_secret":"someclientsecret_123","id":"12345","name":"my_synapse_app","redirect_uri":"https://[synapse_public_baseurl]/_synapse/client/oidc/callback","website":null,"vapid_key":"somerandomvapidkey_123"}
612+
```
613+
614+
As the Synapse login mechanism needs an attribute to uniquely identify users, and Mastodon's endpoint does not return a `sub` property, an alternative `subject_claim` has to be set. Your Synapse configuration should include the following:
615+
616+
```yaml
617+
oidc_providers:
618+
- idp_id: my_mastodon
619+
idp_name: "Mastodon Instance Example"
620+
discover: false
621+
issuer: "https://your.mastodon.instance.url/@admin"
622+
client_id: "someclientid_123"
623+
client_secret: "someclientsecret_123"
624+
authorization_endpoint: "https://your.mastodon.instance.url/oauth/authorize"
625+
token_endpoint: "https://your.mastodon.instance.url/oauth/token"
626+
userinfo_endpoint: "https://your.mastodon.instance.url/api/v1/accounts/verify_credentials"
627+
scopes: ["read"]
628+
user_mapping_provider:
629+
config:
630+
subject_claim: "id"
631+
```
632+
633+
Note that the fields `client_id` and `client_secret` are taken from the CURL response above.
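Review bot: `scopes: ["read"]` in the YAML requests read access to the whole Mastodon account, while the only Mastodon endpoint this configuration calls after login is `userinfo_endpoint: "https://your.mastodon.instance.url/api/v1/accounts/verify_credentials"`; if the instance offers a narrower account-read scope, that would be the least-privilege choice, and because the `curl -d` registration passes no `scopes` parameter (so the app is registered with the default `read`), the narrower scope would have to be added to that registration string as well for the token request to succeed. Separately, `issuer: "https://your.mastodon.instance.url/@admin"` is given without explanation; since `discover: false` is set, a sentence stating what value is expected there and why the admin account URL is used would save readers from guessing.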

0 commit comments
