Update documentation for configuring facebook login (#11755)

richvdh · web-flow · commit b0352f9c08a1 · 2022-01-17T12:35:00.000Z
... and a minor thinko fix in the sample config.
diff --git a/changelog.d/11755.doc b/changelog.d/11755.doc
@@ -0,0 +1 @@
+Update documentation for configuring login with facebook.
diff --git a/docs/openid.md b/docs/openid.md
@@ -390,9 +390,6 @@ oidc_providers:
 
 ### Facebook
 
-Like Github, Facebook provide a custom OAuth2 API rather than an OIDC-compliant
-one so requires a little more configuration.
-
 0. You will need a Facebook developer account. You can register for one
    [here](https://developers.facebook.com/async/registration/).
 1. On the [apps](https://developers.facebook.com/apps/) page of the developer
@@ -412,24 +409,28 @@ Synapse config:
     idp_name: Facebook
     idp_brand: "facebook"  # optional: styling hint for clients
     discover: false
-    issuer: "https://facebook.com"
+    issuer: "https://www.facebook.com"
     client_id: "your-client-id" # TO BE FILLED
     client_secret: "your-client-secret" # TO BE FILLED
     scopes: ["openid", "email"]
-    authorization_endpoint: https://facebook.com/dialog/oauth
-    token_endpoint: https://graph.facebook.com/v9.0/oauth/access_token
-    user_profile_method: "userinfo_endpoint"
-    userinfo_endpoint: "https://graph.facebook.com/v9.0/me?fields=id,name,email,picture"
+    authorization_endpoint: "https://facebook.com/dialog/oauth"
+    token_endpoint: "https://graph.facebook.com/v9.0/oauth/access_token"
+    jwks_uri: "https://www.facebook.com/.well-known/oauth/openid/jwks/"
     user_mapping_provider:
       config:
-        subject_claim: "id"
         display_name_template: "{{ user.name }}"
+        email_template: "{{ '{{ user.email }}' }}"
 ```
 
 Relevant documents:
- * https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow
- * Using Facebook's Graph API: https://developers.facebook.com/docs/graph-api/using-graph-api/
- * Reference to the User endpoint: https://developers.facebook.com/docs/graph-api/reference/user
+ * [Manually Build a Login Flow](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow)
+ * [Using Facebook's Graph API](https://developers.facebook.com/docs/graph-api/using-graph-api/)
+ * [Reference to the User endpoint](https://developers.facebook.com/docs/graph-api/reference/user)
+
+Facebook do have an [OIDC discovery endpoint](https://www.facebook.com/.well-known/openid-configuration),
+but it has a `response_types_supported` which excludes "code" (which we rely on, and
+is even mentioned in their [documentation](https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow#login)),
+so we have to disable discovery and configure the URIs manually.
 
 ### Gitea
 
diff --git a/docs/sample_config.yaml b/docs/sample_config.yaml
@@ -1877,10 +1877,13 @@ saml2_config:
 #       Defaults to false. Avoid this in production.
 #
 #   user_profile_method: Whether to fetch the user profile from the userinfo
-#       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
+#       endpoint, or to rely on the data returned in the id_token from the
+#       token_endpoint.
 #
-#       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-#       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
+#       Valid values are: 'auto' or 'userinfo_endpoint'.
+#
+#       Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
+#       not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
 #       userinfo endpoint.
 #
 #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to
diff --git a/synapse/config/oidc.py b/synapse/config/oidc.py
@@ -148,10 +148,13 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs) -> str
         #       Defaults to false. Avoid this in production.
         #
         #   user_profile_method: Whether to fetch the user profile from the userinfo
-        #       endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.
+        #       endpoint, or to rely on the data returned in the id_token from the
+        #       token_endpoint.
         #
-        #       Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is
-        #       included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the
+        #       Valid values are: 'auto' or 'userinfo_endpoint'.
+        #
+        #       Defaults to 'auto', which uses the userinfo endpoint if 'openid' is
+        #       not included in 'scopes'. Set to 'userinfo_endpoint' to always use the
         #       userinfo endpoint.
         #
         #   allow_existing_users: set to 'true' to allow a user logging in via OIDC to

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+Update documentation for configuring login with facebook.`
Original file line number	Diff line number	Diff line change
`@@ -1877,10 +1877,13 @@ saml2_config:`
`1877`	`1877`	`# Defaults to false. Avoid this in production.`
`1878`	`1878`	`#`
`1879`	`1879`	`# user_profile_method: Whether to fetch the user profile from the userinfo`
`1880`		`-# endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.`
	`1880`	`+# endpoint, or to rely on the data returned in the id_token from the`
	`1881`	`+# token_endpoint.`
`1881`	`1882`	`#`
`1882`		`-# Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is`
`1883`		`-# included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the`
	`1883`	`+# Valid values are: 'auto' or 'userinfo_endpoint'.`
	`1884`	`+#`
	`1885`	`+# Defaults to 'auto', which uses the userinfo endpoint if 'openid' is`
	`1886`	`+# not included in 'scopes'. Set to 'userinfo_endpoint' to always use the`
`1884`	`1887`	`# userinfo endpoint.`
`1885`	`1888`	`#`
`1886`	`1889`	`# allow_existing_users: set to 'true' to allow a user logging in via OIDC to`
Original file line number	Diff line number	Diff line change
`@@ -148,10 +148,13 @@ def generate_config_section(self, config_dir_path, server_name, **kwargs) -> str`
`148`	`148`	`# Defaults to false. Avoid this in production.`
`149`	`149`	`#`
`150`	`150`	`# user_profile_method: Whether to fetch the user profile from the userinfo`
`151`		`- # endpoint. Valid values are: 'auto' or 'userinfo_endpoint'.`
	`151`	`+ # endpoint, or to rely on the data returned in the id_token from the`
	`152`	`+ # token_endpoint.`
`152`	`153`	`#`
`153`		`- # Defaults to 'auto', which fetches the userinfo endpoint if 'openid' is`
`154`		`- # included in 'scopes'. Set to 'userinfo_endpoint' to always fetch the`
	`154`	`+ # Valid values are: 'auto' or 'userinfo_endpoint'.`
	`155`	`+ #`
	`156`	`+ # Defaults to 'auto', which uses the userinfo endpoint if 'openid' is`
	`157`	`+ # not included in 'scopes'. Set to 'userinfo_endpoint' to always use the`
`155`	`158`	`# userinfo endpoint.`
`156`	`159`	`#`
`157`	`160`	`# allow_existing_users: set to 'true' to allow a user logging in via OIDC to`