* Resolve race condition between opening settings & well-known check in OIDC mode Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> * Add OIDC-aware and OIDC-native tests using MAS Signed-off-by: Michael Telatynski <7t3chguy@gmail.com> --------- Signed-off-by: Michael Telatynski <7t3chguy@gmail.com>
# Synapse homeserver configuration for the element-web test harness, running in
# OIDC (MSC3861) mode against a matrix-authentication-service (MAS) instance.
# Values written as {{NAME}} and %NAME% are placeholders; presumably the harness
# substitutes them before Synapse starts — confirm against the fixture code.
server_name: "localhost"
pid_file: "/data/homeserver.pid"
public_baseurl: "{{PUBLIC_BASEURL}}"

listeners:
  # Plaintext client listener bound on every interface. Acceptable only inside
  # the test container network — NOTE(review): confirm port 8008 is not
  # published beyond the harness.
  - port: 8008
    tls: false
    bind_addresses: ["::"]
    type: http
    # Synapse takes the client address from X-Forwarded-For; only meaningful
    # when requests arrive through the harness's proxy — confirm.
    x_forwarded: true
    resources:
      - names: [client]
        compress: false

database:
  name: "sqlite3"
  args:
    # In-memory SQLite: all state is discarded when the process exits.
    database: ":memory:"

log_config: "/data/log.config"

# Rate limits are set far above the defaults so tests are not throttled.
rc_messages_per_second: 10000
rc_message_burst_count: 10000
rc_registration:
  per_second: 10000
  burst_count: 10000
rc_joins:
  local:
    per_second: 9999
    burst_count: 9999
  remote:
    per_second: 9999
    burst_count: 9999
rc_joins_per_room:
  per_second: 9999
  burst_count: 9999
rc_3pid_validation:
  per_second: 1000
  burst_count: 1000
rc_invites:
  per_room:
    per_second: 1000
    burst_count: 1000
  per_user:
    per_second: 1000
    burst_count: 1000
rc_login:
  address:
    per_second: 10000
    burst_count: 10000
  account:
    per_second: 10000
    burst_count: 10000
  failed_attempts:
    per_second: 10000
    burst_count: 10000

media_store_path: "/data/media_store"
uploads_path: "/data/uploads"

# Secrets are injected by the harness at start-up rather than committed here.
registration_shared_secret: "{{REGISTRATION_SECRET}}"
report_stats: false
macaroon_secret_key: "{{MACAROON_SECRET_KEY}}"
form_secret: "{{FORM_SECRET}}"
signing_key_path: "/data/localhost.signing.key"

trusted_key_servers:
  - server_name: "matrix.org"
# Silences the startup warning about trusting matrix.org as a key server.
suppress_key_server_warning: true

ui_auth:
  # How long a completed user-interactive auth session stays valid.
  session_timeout: "300s"

# Inhibit background updates as this Synapse isn't long-lived
background_updates:
  min_batch_size: 100000
  sleep_duration_ms: 100000

serve_server_wellknown: true

experimental_features:
  # Delegate authentication to MAS (MSC3861).
  msc3861:
    enabled: true

    issuer: "http://localhost:%MAS_PORT%/"
    # We have to bake in the metadata here as we need to override `introspection_endpoint`
    issuer_metadata:
      issuer: "http://localhost:%MAS_PORT%/"
      authorization_endpoint: "http://localhost:%MAS_PORT%/authorize"
      token_endpoint: "http://localhost:%MAS_PORT%/oauth2/token"
      jwks_uri: "http://localhost:%MAS_PORT%/oauth2/keys.json"
      registration_endpoint: "http://localhost:%MAS_PORT%/oauth2/registration"
      scopes_supported: ["openid", "email"]
      response_types_supported: ["code", "id_token", "code id_token"]
      response_modes_supported: ["form_post", "query", "fragment"]
      grant_types_supported:
        - "authorization_code"
        - "refresh_token"
        - "client_credentials"
        - "urn:ietf:params:oauth:grant-type:device_code"
      token_endpoint_auth_methods_supported:
        - "client_secret_basic"
        - "client_secret_post"
        - "client_secret_jwt"
        - "private_key_jwt"
        - "none"
      token_endpoint_auth_signing_alg_values_supported:
        - "HS256"
        - "HS384"
        - "HS512"
        - "RS256"
        - "RS384"
        - "RS512"
        - "PS256"
        - "PS384"
        - "PS512"
        - "ES256"
        - "ES384"
        - "ES256K"
      revocation_endpoint: "http://localhost:%MAS_PORT%/oauth2/revoke"
      revocation_endpoint_auth_methods_supported:
        - "client_secret_basic"
        - "client_secret_post"
        - "client_secret_jwt"
        - "private_key_jwt"
        - "none"
      revocation_endpoint_auth_signing_alg_values_supported:
        - "HS256"
        - "HS384"
        - "HS512"
        - "RS256"
        - "RS384"
        - "RS512"
        - "PS256"
        - "PS384"
        - "PS512"
        - "ES256"
        - "ES384"
        - "ES256K"
      # This is the only changed value: Synapse reaches MAS via the container
      # host alias rather than localhost; every other entry mirrors the issuer.
      introspection_endpoint: "http://host.containers.internal:%MAS_PORT%/oauth2/introspect"
      introspection_endpoint_auth_methods_supported:
        - "client_secret_basic"
        - "client_secret_post"
        - "client_secret_jwt"
        - "private_key_jwt"
        - "none"
      introspection_endpoint_auth_signing_alg_values_supported:
        - "HS256"
        - "HS384"
        - "HS512"
        - "RS256"
        - "RS384"
        - "RS512"
        - "PS256"
        - "PS384"
        - "PS512"
        - "ES256"
        - "ES384"
        - "ES256K"
      code_challenge_methods_supported: ["plain", "S256"]
      userinfo_endpoint: "http://localhost:%MAS_PORT%/oauth2/userinfo"
      subject_types_supported: ["public"]
      id_token_signing_alg_values_supported:
        ["RS256", "RS384", "RS512", "ES256", "ES384", "PS256", "PS384", "PS512", "ES256K"]
      userinfo_signing_alg_values_supported:
        ["RS256", "RS384", "RS512", "ES256", "ES384", "PS256", "PS384", "PS512", "ES256K"]
      display_values_supported: ["page"]
      claim_types_supported: ["normal"]
      claims_supported: ["iss", "sub", "aud", "iat", "exp", "nonce", "auth_time", "at_hash", "c_hash"]
      claims_parameter_supported: false
      request_parameter_supported: false
      request_uri_parameter_supported: false
      prompt_values_supported: ["none", "login", "create"]
      device_authorization_endpoint: "http://localhost:%MAS_PORT%/oauth2/device"
      org.matrix.matrix-authentication-service.graphql_endpoint: "http://localhost:%MAS_PORT%/graphql"
      account_management_uri: "http://localhost:%MAS_PORT%/account/"
      account_management_actions_supported:
        - "org.matrix.profile"
        - "org.matrix.sessions_list"
        - "org.matrix.session_view"
        - "org.matrix.session_end"

    # Matches the `client_id` in the auth service config (quoted so the
    # leading zeros are never reinterpreted by a YAML loader).
    client_id: "0000000000000000000SYNAPSE"
    # Matches the `client_auth_method` in the auth service config
    client_auth_method: "client_secret_basic"
    # Matches the `client_secret` in the auth service config. Fixture-only
    # credential, committed in clear; valid solely inside this harness.
    client_secret: "SomeRandomSecret"

    # Matches the `matrix.secret` in the auth service config. Fixture-only
    # credential, same caveat as client_secret.
    admin_token: "AnotherRandomSecret"

    # URL to advertise to clients where users can self-manage their account
    account_management_url: "http://localhost:%MAS_PORT%/account"