Commit 4384a2f
Include example SSO config for Rauthy.
1 parent 881c6df commit 4384a2f

File tree

1 file changed

+65
-0
lines changed

docs/setup/sso.md

Lines changed: 65 additions & 0 deletions
@@ -385,3 +385,68 @@ upstream_oauth2:
385385
template: "{{ user.email }}"
386386
set_email_verification: always
387387
```
388+
389+
390+
### Rauthy
391+
392+
1. Click `Clients` in the Rauthy Admin sidebar and click `Add new Client`
393+
2. Fill in the fields as below:
394+
395+
| Field | Value |
396+
|-----------|-----------|
397+
| Client ID | `matrix-authentication-service` |
398+
| Client Name | `matrix-authentication-service` |
399+
| Redirect URI | `https://<auth-service-domain>/upstream/callback/<id>` |
400+
401+
3. Set the client to be `Confidential`.
402+
403+
4. Click `Save`
404+
405+
5. Select the client you just created from the clients list.
406+
6. Enable the `authorization_code`, and `refresh_token` grant types.
407+
7. Set the allowed scopes to `openid`, `profile`, and `email`.
408+
8. Set both Access Algorithm and ID Algorithm to `RS256`.
409+
9. Set PKCE challenge method to `S256`.
410+
10. Click `Save`
411+
11. Copy the `Client ID` from the `Config` tab and the `Client Secret` from the `Secret` tab.
412+
413+
414+
Authentication service configuration:
415+
416+
```yaml
417+
upstream_oauth2:
418+
providers:
419+
- id: "01JFFHK7HJF70YSYF753GEWVRP"
420+
human_name: Rauthy
421+
brand_name: "rauthy"
422+
issuer: "https://<rauthy>/auth/v1" # TO BE FILLED
423+
client_id: "<client-id>" # TO BE FILLED
424+
client_secret: "<client-secret>" # TO BE FILLED
425+
scope: "openid profile email"
426+
claims_imports:
427+
localpart:
428+
action: ignore
429+
displayname:
430+
action: suggest
431+
template: "{{ user.given_name }}"
432+
email:
433+
action: suggest
434+
template: "{{ user.email }}"
435+
```
436+
437+
To use a Rauthy-supported [Ephemeral Client](https://sebadob.github.io/rauthy/work/ephemeral_clients.html#ephemeral-clients), use this JSON document:
438+
439+
```json
440+
{
441+
"client_id": "https://path.to.this.json",
442+
"redirect_uris": [
443+
"https://your-app.com/callback"
444+
],
445+
"grant_types": [
446+
"authorization_code",
447+
"refresh_token"
448+
],
449+
"access_token_signed_response_alg": "RS256",
450+
"id_token_signed_response_alg": "RS256"
451+
}
452+
```
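Review bot: The Ephemeral Client example (diff lines 437-452) is not tied back to the authentication-service config that precedes it. Its `"redirect_uris": ["https://your-app.com/callback"]` contradicts the `https://<auth-service-domain>/upstream/callback/<id>` pattern given in the table at diff line 399, so anyone who copies the JSON as-is will register a callback the service never receives; please use the same placeholder in both places. The YAML at diff lines 416-435 also still shows `client_id: "<client-id>"` and `client_secret: "<client-secret>"`, while the JSON sets `"client_id": "https://path.to.this.json"` and defines no secret at all, so a sentence after diff line 437 should say which YAML fields change in the ephemeral case. Smaller points: steps 7 and 9 (diff lines 407, 409) set allowed scopes and the PKCE `S256` method in the UI, but the JSON carries no equivalent, so state whether those settings apply to ephemeral clients; step 11 (diff line 411) asks the reader to copy the `Client ID` that step 2 already fixed as `matrix-authentication-service`, so it can be reduced to the secret; and diff lines 388-389 leave three blank lines before the `### Rauthy` heading.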
