Description
Is your feature request related to a problem? Please describe.
The option of only setting Synapse admin users statically via the local password database or the configuration file is restrictive.
When using an upstream IDP with a dynamic set of admin users, I would like to enable dynamic setting of the `can_request_admin` attribute.
Describe the solution you'd like
As part of the OAuth2 callback, the claims of the upstream IDP are evaluated and imported.
IDPs can usually be configured so that they dynamically add claims to the token/UserInfo based on groups or similar.
For example, an upstream IDP can set the Boolean claim `is_admin` based on a group membership so that it can be imported like other claims using

```yaml
admin:
  action: force
  template: "{{ user.is_admin }}"
```

The `can_request_admin` flag can then be set accordingly in the `UserRepository`.
Describe alternatives you've considered
I could enter any admin user in the configuration. However, this would duplicate information from my existing user administration, which I don't think makes sense.
Additional context
Using a POC, I already made that work with Authentik as the upstream IDP (I have to check how it behaves if a user who once was an admin has that attribute revoked and re-authenticates).
Please let me know if that feature is wanted :)
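The following is an added example that models the proposed `admin` claim import on each upstream login; it is not code from matrix-authentication-service or from the issue author. It assumes the `action` values `ignore`, `force` and `require` behave like the other claim imports (`force` re-evaluates the claim on every login, `require` refuses a login without the claim), and it replaces the Jinja engine with a resolver that only understands `{{ user.<dotted.path> }}`. It exercises the revocation case raised above: a user who was admin re-authenticates after the IdP stopped sending `is_admin`, and the flag is cleared rather than sticking. Non-boolean claim values fail closed.

```python
"""Added example (not matrix-authentication-service code): apply an `admin`
claims_import entry on each upstream OAuth2 login, including the case where
the IdP revoked the admin claim and the user re-authenticates."""
import re
from dataclasses import dataclass

# Minimal stand-in for the Jinja template syntax in claims_imports (assumption):
# only `{{ user.<dotted.path> }}` is supported, not the full template language.
TEMPLATE_RE = re.compile(r"^\s*\{\{\s*user\.([A-Za-z_][\w.]*)\s*\}\}\s*$")


@dataclass
class User:
    username: str
    can_request_admin: bool = False


class ClaimRequired(Exception):
    """Raised for action `require` when the upstream claim is missing."""


def render_claim(template: str, userinfo: dict):
    """Resolve `{{ user.a.b }}` against the userinfo / ID-token claims.

    Returns None when any path component is absent, so the caller can tell
    'claim missing' apart from 'claim present and false'."""
    m = TEMPLATE_RE.match(template)
    if not m:
        raise ValueError(f"unsupported template: {template!r}")
    value = userinfo
    for part in m.group(1).split("."):
        if not isinstance(value, dict) or part not in value:
            return None
        value = value[part]
    return value


def claim_is_true(value) -> bool:
    """Fail closed: only boolean True, or the literal string "true" that some
    IdPs emit, grants admin. "yes", 1, "True ", lists and objects do not."""
    return value is True or value == "true"


def apply_admin_claim(user: User, claims_import: dict, userinfo: dict) -> User:
    """Apply the `admin` claims_import entry on an upstream login (assumed semantics).

    ignore  -> leave can_request_admin untouched
    force   -> overwrite with the rendered claim; an absent claim revokes admin
    require -> like force, but refuse the login when the claim is absent
    """
    action = claims_import.get("action", "ignore")
    if action == "ignore":
        return user
    if action not in ("force", "require"):
        raise ValueError(f"unknown action: {action!r}")
    value = render_claim(claims_import["template"], userinfo)
    if value is None and action == "require":
        raise ClaimRequired("upstream IdP did not provide the admin claim")
    # `force` re-evaluates on every login, so a revoked group membership
    # (claim now false or missing) clears the flag instead of persisting.
    user.can_request_admin = claim_is_true(value)
    return user


if __name__ == "__main__":
    cfg = {"action": "force", "template": "{{ user.is_admin }}"}
    alice = User("alice", can_request_admin=True)
    # Constructed userinfo: alice was removed from the admin group upstream.
    apply_admin_claim(alice, cfg, {"sub": "alice", "is_admin": False})
    print(alice)
```

The point of `force` here is that the flag is derived from the IdP on every login, which is what makes revocation work; a `suggest`-style action that only sets the flag once would leave stale admins behind.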