Support SSO to GitHub OIDC with specific organization

[08d2]

This is a new issue based on this comment. I'm trying to configure SSO/OIDC to GitHub such that only users in a specific organization are permitted. But this doesn't seem to be possible.

[DMRobertson]

I don't think we're keen to add any logic or integration specific to GitHub. But perhaps someone else on the team could chip in?

If someone wants to take a crack at this in the spirit of the original comment, it looks like there are two key places to change:

1. the structure defining an attribute requirement

synapse/synapse/config/sso.py

Lines 31 to 44 in f44d729

	@attr.s(frozen=True, auto_attribs=True)
	class SsoAttributeRequirement:
	"""Object describing a single requirement for SSO attributes."""
	attribute: str
	# If a value is not given, than the attribute must simply exist.
	value: Optional[str]
	JSON_SCHEMA = {
	"type": "object",
	"properties": {"attribute": {"type": "string"}, "value": {"type": "string"}},
	"required": ["attribute", "value"],
	}

2. the logic which checks that requirement

synapse/synapse/handlers/sso.py

Lines 1029 to 1059 in 3f7cfbc

	def _check_attribute_requirement(
	attributes: Mapping[str, List[Any]], req: SsoAttributeRequirement
	) -> bool:
	"""Check if SSO attributes meet the proper requirements.
	Args:
	attributes: A mapping of attributes to an iterable of one or more values.
	requirement: The configured requirement to check.
	Returns:
	True if the required attribute was found and had a proper value.
	"""
	if req.attribute not in attributes:
	logger.info("SSO attribute missing: %s", req.attribute)
	return False
	# If the requirement is None, the attribute existing is enough.
	if req.value is None:
	return True
	values = attributes[req.attribute]
	if req.value in values:
	return True
	logger.info(
	"SSO attribute %s did not match required value '%s' (was '%s')",
	req.attribute,
	req.value,
	values,
	)
	return False

[clokep]

If you add the read:org scope to the list of scopes that Synapse requests does that give the additional information you would need to filter on?

[08d2]

@clokep

If you add the read:org scope to the list of scopes that Synapse requests does that give the additional information you would need to filter on?

Nope, as the returned user info doesn't include organizations directly, it provides a URL — which can be successfully retrieved with read:org, but as a separate step.

---

@DMRobertson

I don't think we're keen to add any logic or integration specific to GitHub.

Consider the e.g. Grafana integration with GitHub, which accepts team_ids and allowed_organizations parameters and satisfies them with GitHub-specific code. As a user, auth constraints like this are requirements for an SSO integration to be useful.