Support SAML in the user interactive authentication workflow.

synapse/handlers/auth.py

@@ -148,10 +148,10 @@ def __init__(self, hs):
 
         # Load the SSO HTML templates.
 
-        # The following template is shown to the user before redirecting them to
-        # the SSO login page. It notifies the user they are about to be
-        # redirected and that the Synapse server will be gaining access to their
-        # SSO account.
+        # The following template is shown to the user during a client login via SSO,
+        # after the SSO completes and before redirecting them back to their client.
+        # It notifies the user they are about to give access to their matrix account
+        # to the client.
         self._sso_redirect_confirm_template = load_jinja2_templates(
             hs.config.sso_redirect_confirm_template_dir, ["sso_redirect_confirm.html"],
         )[0]
@@ -174,6 +174,7 @@ def validate_user_via_ui_auth(
         request: SynapseRequest,
         request_body: Dict[str, Any],
         clientip: str,
+        description: str,
     ):
         """
         Checks that the user is who they claim to be, via a UI auth.
@@ -191,6 +192,9 @@ def validate_user_via_ui_auth(
 
             clientip: The IP address of the client.
 
+            description: A human readable string to be displayed to the user that
+                         describes the operation happening on their account.
+
         Returns:
             defer.Deferred[dict]: the parameters for this request (which may
                 have been given only in a previous call).
@@ -223,7 +227,7 @@ def validate_user_via_ui_auth(
 
         try:
             result, params, _ = yield self.check_auth(
-                flows, request, request_body, clientip
+                flows, request, request_body, clientip, description
             )
         except LoginError:
             # Update the ratelimite to say we failed (`can_do_action` doesn't raise).
@@ -268,6 +272,7 @@ def check_auth(
         request: SynapseRequest,
         clientdict: Dict[str, Any],
         clientip: str,
+        description: str,
     ):
         """
         Takes a dictionary sent by the client in the login / registration
@@ -294,6 +299,9 @@ def check_auth(
 
             clientip: The IP address of the client.
 
+            description: A human readable string to be displayed to the user that
+                         describes the operation happening on their account.
+
         Returns:
             defer.Deferred[dict, dict, str]: a deferred tuple of
                 (creds, params, session_id).
@@ -343,12 +351,18 @@ def check_auth(
         comparator = (request.uri, request.method, clientdict)
         if "ui_auth" not in session:
             session["ui_auth"] = comparator
+            self._save_session(session)
         elif session["ui_auth"] != comparator:
             raise SynapseError(
                 403,
                 "Requested operation has changed during the UI authentication session.",
             )
 
+        # Add a human readable description to the session.
+        if "description" not in session:
+            session["description"] = description
+            self._save_session(session)
+
         if not authdict:
             raise InteractiveAuthIncompleteError(
                 self._auth_dict_for_flows(flows, session)
@@ -1035,14 +1049,24 @@ def _do_validate_hash():
         else:
             return defer.succeed(False)
 
-    def start_sso_ui_auth(self, redirect_url: str) -> str:
+    def start_sso_ui_auth(self, redirect_url: str, session_id: str) -> str:
         """
         Get the HTML for the SSO redirect confirmation page.
 
-        :param redirect_url: The URL to redirect to the SSO provider.
-        :return: The HTML to render.
+        Args:
+            redirect_url: The URL to redirect to the SSO provider.
+            session_id: The user interactive authentication session ID.
+
+        Returns:
+            The HTML to render.
         """
-        return self._sso_auth_confirm_template.render(redirect_url=redirect_url,)
+        session = self._get_session_info(session_id)
+        # Get the human readable operation of what is occurring, falling back to
+        # a generic message if it isn't available for some reason.
+        description = session.get("description", "modify your account")
+        return self._sso_auth_confirm_template.render(
+            description=description, redirect_url=redirect_url,
+        )
 
     def complete_sso_ui_auth(
         self, registered_user_id: str, session_id: str, request: SynapseRequest,

synapse/res/templates/sso_auth_confirm.html

@@ -5,8 +5,7 @@
     <body>
         <div>
             <p>
-                A client is trying to remove a device/add an email address/take over
-                your account. To confirm this action,
+                A client is trying to {{ description | e }}. To confirm this action,
                 <a href="{{ redirect_url | e }}">re-authenticate with single sign-on</a>.
                 If you did not expect this, your account may be compromised!
             </p>

synapse/rest/client/v2_alpha/account.py

@@ -234,7 +234,11 @@ async def on_POST(self, request):
         if self.auth.has_access_token(request):
             requester = await self.auth.get_user_by_req(request)
             params = await self.auth_handler.validate_user_via_ui_auth(
-                requester, request, body, self.hs.get_ip_from_request(request),
+                requester,
+                request,
+                body,
+                self.hs.get_ip_from_request(request),
+                "modify your account password",
             )
             user_id = requester.user.to_string()
         else:
@@ -244,6 +248,7 @@ async def on_POST(self, request):
                 request,
                 body,
                 self.hs.get_ip_from_request(request),
+                "modify your account password",
             )
 
             if LoginType.EMAIL_IDENTITY in result:
@@ -311,7 +316,11 @@ async def on_POST(self, request):
             return 200, {}
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, request, body, self.hs.get_ip_from_request(request),
+            requester,
+            request,
+            body,
+            self.hs.get_ip_from_request(request),
+            "deactivate your account",
         )
         result = await self._deactivate_account_handler.deactivate_account(
             requester.user.to_string(), erase, id_server=body.get("id_server")
@@ -669,7 +678,11 @@ async def on_POST(self, request):
         assert_valid_client_secret(client_secret)
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, request, body, self.hs.get_ip_from_request(request),
+            requester,
+            request,
+            body,
+            self.hs.get_ip_from_request(request),
+            "add a third-party identifier to your account",
         )
 
         validation_session = await self.identity_handler.validate_threepid_session(

synapse/rest/client/v2_alpha/auth.py

@@ -140,7 +140,7 @@ def on_GET(self, request, stagetype):
             sso_redirect_url = self._saml_handler.handle_redirect_request(
                 client_redirect_url, session
             )
-            html = self.auth_handler.start_sso_ui_auth(sso_redirect_url)
+            html = self.auth_handler.start_sso_ui_auth(sso_redirect_url, session)
         else:
             raise SynapseError(404, "Unknown auth stage type")
 

synapse/rest/client/v2_alpha/devices.py

@@ -81,7 +81,11 @@ async def on_POST(self, request):
         assert_params_in_dict(body, ["devices"])
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, request, body, self.hs.get_ip_from_request(request),
+            requester,
+            request,
+            body,
+            self.hs.get_ip_from_request(request),
+            "remove device(s) from your account",
         )
 
         await self.device_handler.delete_devices(
@@ -127,7 +131,11 @@ async def on_DELETE(self, request, device_id):
                 raise
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, request, body, self.hs.get_ip_from_request(request),
+            requester,
+            request,
+            body,
+            self.hs.get_ip_from_request(request),
+            "remove a device from your account",
         )
 
         await self.device_handler.delete_device(requester.user.to_string(), device_id)

synapse/rest/client/v2_alpha/keys.py

@@ -263,7 +263,11 @@ async def on_POST(self, request):
         body = parse_json_object_from_request(request)
 
         await self.auth_handler.validate_user_via_ui_auth(
-            requester, request, body, self.hs.get_ip_from_request(request),
+            requester,
+            request,
+            body,
+            self.hs.get_ip_from_request(request),
+            "add a device signing key to your account",
         )
 
         result = await self.e2e_keys_handler.upload_signing_keys_for_user(user_id, body)

synapse/rest/client/v2_alpha/register.py

@@ -505,6 +505,7 @@ async def on_POST(self, request):
             request,
             body,
             self.hs.get_ip_from_request(request),
+            "log into your account",
         )
 
         # Check that we're not trying to register a denied 3pid.