feat(auth): add OIDC Provider for Matrix SSO integration

- Add OIDC Provider plugin to Better Auth configuration - Add OIDC database tables (oauth_applications, oauth_access_tokens, oauth_authorization_codes, oauth_consents) - Configure Synapse as OIDC client in homeserver.yaml - Update Element Web config for SSO support - Add seed script for OIDC clients (db:seed:oidc) - Update Cloudflare tunnel config with Matrix URLs This enables Single Sign-On between Mana Core Auth and Matrix/Synapse, allowing users to authenticate via their existing Mana account. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-19 11:01:24 +02:00 · 2026-01-28 16:40:33 +01:00 · 2026-01-28 16:40:33 +01:00 · 158aaf7e67
commit 158aaf7e67
parent dbd14f7134
7 changed files with 258 additions and 3 deletions
--- a/docker/matrix/element-config.json
+++ b/docker/matrix/element-config.json
@ -41,7 +41,8 @@
 	"permalink_prefix": "https://element.mana.how",
 	"terms_and_conditions_links": [],
 	"sso_redirect_options": {
-		"immediate": false
+		"immediate": false,
+		"on_welcome_page": true
 	},
 	"posthog": {
 		"disabled": true
--- a/docker/matrix/homeserver.yaml
+++ b/docker/matrix/homeserver.yaml
@ -188,3 +188,36 @@ run_background_tasks_on: synapse
 #   smtp_pass: "${SMTP_PASSWORD}"
 #   require_transport_security: true
 #   notif_from: "ManaCore Matrix <noreply@mana.how>"
+
+# ============================================
+# OIDC / SSO Configuration (Mana Core Auth)
+# ============================================
+
+# Enable SSO via Mana Core Auth OIDC Provider
+oidc_providers:
+  - idp_id: manacore
+    idp_name: "Mana Core"
+    idp_brand: "org.matrix.custom"
+    discover: true
+    issuer: "https://auth.mana.how"
+    client_id: "synapse"
+    client_secret: "${SYNAPSE_OIDC_CLIENT_SECRET}"
+    scopes: ["openid", "profile", "email"]
+    # Map OIDC claims to Matrix user attributes
+    user_mapping_provider:
+      config:
+        subject_claim: "sub"
+        localpart_template: "{{ user.email.split('@')[0] }}"
+        display_name_template: "{{ user.name }}"
+        email_template: "{{ user.email }}"
+    # Allow account linking with existing Matrix accounts
+    allow_existing_users: true
+    # Auto-provision new users from OIDC
+    enable_registration: true
+
+# SSO UI Settings
+sso:
+  # Where to redirect after SSO login
+  client_whitelist:
+    - "https://element.mana.how"
+    - "https://matrix.mana.how"