Support importing avatars from SSO identity provider #9357
Comments
Indeed it would. I thought we had an issue open to track this, but I can't find it :)
It looks like this would only be about calling set_avatar_url from complete_sso_login_request, and mapping the picture claim in JinjaOidcMappingProvider. Have I missed something?
I think that's most of it. I believe avatar URLs need to be mxc URLs though, so you might need to store the image first.
This commit adds support for handling a provided avatar picture URL when logging in via SSO. Signed-off-by: Ashish Kumar <ashfame@users.noreply.github.com> Fixes #9357.
@squahtx We should probably re-open this issue until we cover all server configurations where media repository is outside of the main process. I understand when media repository is outside such as matrix-media-repo, this would happen using client server API (unsure whose credentials get used for those requests) and for cases when it's in worker mode, I know nothing about that at all, so can use some guidance there.
Thanks for pointing that out. We still need
As per Rich's comment here:
For examples of worker mode internal HTTP APIs, you can look for classes derived from
Also note that #13917 only does this for OIDC, not for SAML or CAS. Those could probably be filed as separate issues though if someone wants it.
@squahtx @richvdh I can only see the Based on previous discussions, it seems like using this secret we avoided the need to temporarily have an access token for uploading the image for the user. Found out that the media admin API doesn't support uploading images. So, I am guessing it's supposed to work more like Lastly, would I need matrix-media-repo configured locally and running in order to work towards this or just relying on media upload client-server API is sufficient?
I believe the proposal is to add a new config option that will hold the access token to use on the regular It's best to test with a real instance of matrix-media-repo.
Ok, so the idea is to provide an access token for a user like Are we sure that we don't want the actual user to be associated with the image upload? I think that's desirable and seems like a cleaner approach too? Overall, this feels like a band-aid solution where we are interacting with our own public API. There should be a function which abstracts this mechanism away, ideally without a call to our own public API, by directly invoking the endpoint handler or the underlying code for that handler. Thoughts?
@squahtx Any thoughts on what I said above?
Yes, but only for the external matrix-media-repo case.
If you had the user's access token, you could pass it to matrix-media-repo. The difficulty is that the user's access token has not been generated yet at the time The above only applies to an external media repository, like matrix-media-repo. When the media repository is in another Synapse worker, you are free to define your own internal HTTP API to upload images as a given user.
It would be nice to (optionally?) transfer the account picture/avatar of a user created through OpenID Connect (OIDC) to the Synapse user account. I'm using Google as my provider. Their account picture is in the picture attribute and is a URL to the image.
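
The flow discussed in this thread (read the picture claim, store the image first, then use the resulting mxc URL as the avatar) can be sketched as follows. This is an added example, not Synapse's code or any commenter's: `import_sso_avatar`, `InMemoryMediaStore`, the size and type limits, and the `idp.example` responses are all assumptions constructed for illustration.

```python
import hashlib
from urllib.parse import urlparse

# Assumed limits for this sketch; they are not Synapse configuration values.
MAX_AVATAR_BYTES = 1024 * 1024
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}


class InMemoryMediaStore:
    """Hypothetical stand-in for a media repository that hands out mxc:// URIs."""

    def __init__(self, server_name):
        self.server_name = server_name
        self.blobs = {}

    def store(self, data, content_type):
        media_id = hashlib.sha256(data).hexdigest()[:24]  # content-derived id
        self.blobs[media_id] = (content_type, data)
        return f"mxc://{self.server_name}/{media_id}"


def import_sso_avatar(claims, fetch, store):
    """Return an mxc:// URI for the IdP's picture claim, or None if it is rejected."""
    picture = claims.get("picture")
    if not isinstance(picture, str):
        return None  # claim absent or not a string
    parsed = urlparse(picture)
    if parsed.scheme != "https" or not parsed.hostname:
        return None  # only absolute https URLs are fetched
    content_type, data = fetch(picture)
    content_type = content_type.split(";")[0].strip().lower()
    if content_type not in ALLOWED_TYPES or len(data) > MAX_AVATAR_BYTES:
        return None  # not an accepted image type, or too large
    return store.store(data, content_type)


# Constructed responses standing in for the identity provider's image host.
CONSTRUCTED_RESPONSES = {
    "https://idp.example/a.png": ("image/png; charset=binary", b"\x89PNG constructed"),
    "https://idp.example/a.html": ("text/html", b"<html></html>"),
}


def constructed_fetch(url):
    return CONSTRUCTED_RESPONSES[url]
```

The caller would pass the returned mxc URI to whatever sets the profile avatar, and treat `None` as "keep the login, skip the avatar".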