Commit 1434429

Include example SSO config for Rauthy. (#3725)
Co-authored-by: Quentin Gliech <[email protected]>
1 parent 881c6df commit 1434429

File tree

1 file changed

+64
-0
lines changed

docs/setup/sso.md

Lines changed: 64 additions & 0 deletions
@@ -385,3 +385,67 @@ upstream_oauth2:
385385
template: "{{ user.email }}"
386386
set_email_verification: always
387387
```
388+
389+
390+
### Rauthy
391+
392+
1. Click `Clients` in the Rauthy Admin sidebar and click `Add new Client`
393+
2. Fill in the fields as below:
394+
395+
| Field | Value |
396+
|-----------|-----------|
397+
| Client ID | `matrix-authentication-service` |
398+
| Client Name | `matrix-authentication-service` |
399+
| Redirect URI | `https://<auth-service-domain>/upstream/callback/<id>` |
400+
401+
3. Set the client to be `Confidential`.
402+
403+
4. Click `Save`
404+
405+
5. Select the client you just created from the clients list.
406+
6. Enable the `authorization_code`, and `refresh_token` grant types.
407+
7. Set the allowed scopes to `openid`, `profile`, and `email`.
408+
8. Set both Access Algorithm and ID Algorithm to `RS256`.
409+
9. Set PKCE challenge method to `S256`.
410+
10. Click `Save`
411+
11. Copy the `Client ID` from the `Config` tab and the `Client Secret` from the `Secret` tab.
412+
413+
414+
Authentication service configuration:
415+
416+
```yaml
417+
upstream_oauth2:
418+
providers:
419+
- id: "01JFFHK7HJF70YSYF753GEWVRP"
420+
human_name: Rauthy
421+
issuer: "https://<rauthy>/auth/v1" # TO BE FILLED
422+
client_id: "<client-id>" # TO BE FILLED
423+
client_secret: "<client-secret>" # TO BE FILLED
424+
scope: "openid profile email"
425+
claims_imports:
426+
localpart:
427+
action: ignore
428+
displayname:
429+
action: suggest
430+
template: "{{ user.given_name }}"
431+
email:
432+
action: suggest
433+
template: "{{ user.email }}"
434+
```
435+
436+
To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/work/ephemeral_clients.html#ephemeral-clients), use this JSON document:
437+
438+
```json
439+
{
440+
"client_id": "https://path.to.this.json",
441+
"redirect_uris": [
442+
"https://your-app.com/callback"
443+
],
444+
"grant_types": [
445+
"authorization_code",
446+
"refresh_token"
447+
],
448+
"access_token_signed_response_alg": "RS256",
449+
"id_token_signed_response_alg": "RS256"
450+
}
451+
```
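Review bot: the ephemeral-client JSON's `redirect_uris` entry `"https://your-app.com/callback"` does not match the callback shape the steps above give for this service (`https://<auth-service-domain>/upstream/callback/<id>`); use the same placeholder there so readers do not copy an unrelated URL into the client definition. The section should also say whether the `<id>` in that Redirect URI is the provider `id` from the `upstream_oauth2` block (`01JFFHK7HJF70YSYF753GEWVRP` in the example), and what changes in that block when the ephemeral client is used instead, since the JSON sets `client_id` to the document's own URL rather than `matrix-authentication-service`. Minor: step 6 has a stray comma in "`authorization_code`, and `refresh_token`", and steps 1, 4 and 10 lack the trailing period the other steps have.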
