Support attribute requirements for jwt_login

[alpha856]

Hello,
I have custom SSO based on Keycloak and using JWT token with Synapse. some of SSO users have special "roles" to using messenger and other Not have. this roles are exist in JWT tokens and can be set per user in Keycloak. in Synapse homeserver JWT config, there is only "audiences" option that is client base and also can't set for each user separately. I think if you add "roles" option to JWT config, server admin can separate SSO users to access matrix based on their roles.

Thanks

[DMRobertson]

Ahh, it sounds like you want to set attribute_requirements in your config. See https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#oidc_providers, in particular the sentence It is possible to configure Synapse to only allow logins if certain attributes match particular values in the OIDC userinfo.

[DMRobertson]

Let us know if that works!

[alpha856]

I am using this manual for config : https://matrix-org.github.io/synapse/latest/usage/configuration/config_documentation.html#jwt_config

in this manual there is not any attribute or role options for user logging.
is it true? my sample JWT homeserver config :

jwt_config:
enabled: true
secret: |-
-----BEGIN PUBLIC KEY-----
.........................
-----END PUBLIC KEY-----
algorithm: "RS256"
subject_claim: "preferred_username"
issuer: "http://keycloak:8080/auth/realms/Server"
audiences:
- account

[alpha856]

i want to validate user "roles" in this config.

[clokep]

i want to validate user "roles" in this config.

This is not possible using JWT logins at the moment. Synapse only supports using the aud claim for this, as you've found above.

[alpha856]

Now I am using JWT for android matrix application messenger and want to validate this. i hope you add this option or support custom claim for this method.
and also can i replace this JWT config with OIDC config?