Implement config option sso.update_profile_information

changelog.d/10108.feature

@@ -0,0 +1 @@
+Implement config option sso.update_profile_information to keep a user's profile fields in sync with the values from the SSO ticket (currently display_name).

docs/sample_config.yaml

@@ -2032,6 +2032,14 @@ sso:
     #client_whitelist:
     #  - https://riot.im/develop
     #  - https://my.custom.client/
+    # Keep a user's profile fields in sync with the values from the SSO ticket
+    # (currently display_name). The update is performed on every SSO login.
+    #
+    # Note that enabling this option will override user profile information from
+    # the SSO ticket, regardless of whether users have opted-out of syncing
+    # that information when first signing in. Defaults to false.
+    #
+    #update_profile_information: true
 
     # Directory in which Synapse will try to find the template files below.
     # If not set, or the files named below are not found within the template

synapse/config/sso.py

@@ -74,6 +74,10 @@ def read_config(self, config, **kwargs):
 
         self.sso_client_whitelist = sso_config.get("client_whitelist") or []
 
+        self.sso_update_profile_information = (
+            sso_config.get("update_profile_information") or False
+        )
+
         # Attempt to also whitelist the server's login fallback, since that fallback sets
         # the redirect URL to itself (so it can process the login token then return
         # gracefully to the client). This would make it pointless to ask the user for
@@ -110,6 +114,14 @@ def generate_config_section(self, **kwargs):
             #client_whitelist:
             #  - https://riot.im/develop
             #  - https://my.custom.client/
+            # Keep a user's profile fields in sync with the values from the SSO ticket
+            # (currently display_name). The update is performed on every SSO login.
+            #
+            # Note that enabling this option will override user profile information from
+            # the SSO ticket, regardless of whether users have opted-out of syncing
+            # that information when first signing in. Defaults to false.
+            #
+            #update_profile_information: true
 
             # Directory in which Synapse will try to find the template files below.
             # If not set, or the files named below are not found within the template

synapse/handlers/sso.py

@@ -41,7 +41,12 @@
 from synapse.http import get_request_user_agent
 from synapse.http.server import respond_with_html, respond_with_redirect
 from synapse.http.site import SynapseRequest
-from synapse.types import JsonDict, UserID, contains_invalid_mxid_characters
+from synapse.types import (
+    JsonDict,
+    UserID,
+    contains_invalid_mxid_characters,
+    create_requester,
+)
 from synapse.util.async_helpers import Linearizer
 from synapse.util.stringutils import random_string
 
@@ -185,11 +190,14 @@ def __init__(self, hs: "HomeServer"):
         self._auth_handler = hs.get_auth_handler()
         self._error_template = hs.config.sso_error_template
         self._bad_user_template = hs.config.sso_auth_bad_user_template
+        self._profile_handler = hs.get_profile_handler()
 
         # The following template is shown after a successful user interactive
         # authentication session. It tells the user they can close the window.
         self._sso_auth_success_template = hs.config.sso_auth_success_template
 
+        self._sso_update_profile_information = hs.config.sso_update_profile_information
+
         # a lock on the mappings
         self._mapping_lock = Linearizer(name="sso_user_mapping", clock=hs.get_clock())
 
@@ -458,6 +466,24 @@ async def complete_sso_login_request(
                     request.getClientIP(),
                 )
                 new_user = True
+            else:
+                if self._sso_update_profile_information:
+                    attributes = await self._call_attribute_mapper(
+                        sso_to_matrix_id_mapper
+                    )
+                    if attributes.display_name:
+                        user_id_obj = UserID.from_string(user_id)
+                        profile_display_name = (
+                            await self._profile_handler.get_displayname(user_id_obj)
+                        )
+                        if profile_display_name != attributes.display_name:
+                            requester = create_requester(
+                                user_id,
+                                authenticated_entity=user_id,
+                            )
+                            await self._profile_handler.set_displayname(
+                                user_id_obj, requester, attributes.display_name, True
+                            )
 
         await self._auth_handler.complete_sso_login(
             user_id,