add config for upstream oidc provider for mas

2026-04-08 13:02:22 +02:00
parent cf30cebf8e
commit dd92cd4bd7
3 changed files with 63 additions and 0 deletions
--- a/.env.sample
+++ b/.env.sample
@ -78,6 +78,18 @@ ENABLE_REGISTRATION=false
 # PEM private key: abra cannot generate this format — insert only (e.g. openssl genrsa 2048 | abra app secret insert …)
 #SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false

+#### MAS upstream OIDC provider (e.g. Authentik)
+# See mas-authentik-and-roadmap.md for migration procedure.
+# Create a new OAuth2 app in your IdP with redirect URI: https://<DOMAIN>/upstream/callback/<MAS_UPSTREAM_PROVIDER_ID>
+#COMPOSE_FILE="$COMPOSE_FILE:compose.mas-upstream.yml"
+#MAS_UPSTREAM_PROVIDER_ID=          # ULID, e.g. 01JSHPZHAXC50QBKH67MH33TNF — generate at https://www.ulidtools.com
+#MAS_UPSTREAM_ISSUER=               # e.g. https://auth.example.com/application/o/matrix-mas/
+#MAS_UPSTREAM_CLIENT_ID=
+#MAS_UPSTREAM_HUMAN_NAME=Authentik
+# For migration from previous direct Keycloud-style config: set to oidc-<your old KEYCLOAK_ID> so syn2mas maps users correctly.
+#MAS_UPSTREAM_SYNAPSE_IDP_ID=
+#SECRET_MAS_UPSTREAM_CLIENT_SECRET_VERSION=v1
+
 ### Shared secret auth (bridges / automation)

 #COMPOSE_FILE="$COMPOSE_FILE:compose.shared_secret_auth.yml"