
Allow setting can_request_admin dynamically by claims of upstream IDP #4802


Status: Open, 4 commits to be merged into main

Conversation

fl0lli commented Jul 18, 2025

The option of only setting Synapse admin users statically via the local password database or the configuration file is restrictive.
When using an upstream IDP with a dynamic set of admin users, I would like to enable dynamic setting of the can_request_admin attribute.

As part of the OAuth2 callback, the claims of the upstream IDP are evaluated and imported.
IDPs can usually be configured so that they dynamically add claims to the token/UserInfo based on groups or similar.
For example, an upstream IDP can set the Boolean claim is_admin based on a group membership so that it can be imported like other claims using

admin:
  action: force
  template: "{{ user.is_admin }}"

The can_request_admin flag can then be set accordingly in the UserRepository.

This closes #4785.
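As an added example that is not part of this PR or of the project's own code: a self-contained Rust sketch of the claim-to-flag mapping the description outlines, evaluating an `admin` claims import against the upstream claims and deciding the new `can_request_admin` value. `Claim`, `Action`, `claim_name` and `import_admin_flag`, and the action semantics spelled out in the comments, are assumptions for illustration, not the project's actual claims_imports implementation or template engine; the example deliberately accepts only a real JSON boolean and fails closed on a missing claim, so a mapping mistake at the IdP cannot grant admin.

```rust
use std::collections::HashMap;

/// Subset of JSON claim values an upstream IdP may put in the ID token / UserInfo.
#[derive(Debug, Clone, PartialEq)]
pub enum Claim { Bool(bool), Str(String), Num(f64) }

/// Import actions, named like the claims_imports actions; the semantics below are assumed.
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Action { Ignore, Suggest, Force, Require }

#[derive(Debug, PartialEq)]
pub enum Outcome { Unchanged, Set(bool), Error(String) }

/// Resolve a template of the exact form "{{ user.<claim> }}" to the claim name.
/// Stand-in for the real template engine: filters or expressions are rejected.
pub fn claim_name(template: &str) -> Option<&str> {
    let inner = template.trim().strip_prefix("{{")?.strip_suffix("}}")?.trim();
    let name = inner.strip_prefix("user.")?;
    (!name.is_empty() && name.chars().all(|c| c.is_ascii_alphanumeric() || c == '_')).then_some(name)
}

/// Compute the new value of can_request_admin from the upstream claims.
/// `current` is None when the flag has never been set for this user.
/// Assumed semantics: only a JSON boolean is accepted (a string "true" or the number 1 is
/// rejected); a missing claim fails closed (Force -> false, Require -> error, Suggest -> no-op).
pub fn import_admin_flag(action: Action, template: &str, claims: &HashMap<String, Claim>, current: Option<bool>) -> Outcome {
    if action == Action::Ignore { return Outcome::Unchanged; }
    let Some(name) = claim_name(template) else {
        return Outcome::Error(format!("unsupported admin template: {template}"));
    };
    let value = match claims.get(name) {
        Some(Claim::Bool(b)) => *b,
        Some(other) => return Outcome::Error(format!("claim {name} is not a boolean: {other:?}")),
        None if action == Action::Require => return Outcome::Error(format!("required claim {name} missing")),
        None if action == Action::Force => false, // IdP is authoritative: absent claim means not admin
        None => return Outcome::Unchanged,        // Suggest: nothing to suggest
    };
    match (action, current) {
        (Action::Suggest, Some(_)) => Outcome::Unchanged, // suggest never overrides an existing value
        _ => Outcome::Set(value),
    }
}

fn main() {
    // Constructed sample claims, as an IdP might emit them for a member of an admin group.
    let mut claims = HashMap::new();
    claims.insert("is_admin".to_string(), Claim::Bool(true));
    println!("{:?}", import_admin_flag(Action::Force, "{{ user.is_admin }}", &claims, Some(false)));
}
```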

fl0lli added 4 commits July 18, 2025 19:53
Signed-off-by: fl0lli <github@fl0lli.de>
…n feature of callback handler

Signed-off-by: fl0lli <github@fl0lli.de>
Signed-off-by: fl0lli <github@fl0lli.de>
CLAassistant commented Jul 18, 2025

CLA assistant check
All committers have signed the CLA.

Linked issue (may be closed by merging this pull request): Allow setting can_request_admin dynamically by upstream IDP