MAS compatibility issues

[qwertzdenek]

Prerequisites

• Configure Matrix Authentication Service as described in https://matrix-org.github.io/matrix-authentication-service/setup/index.html
• Install Admin

Steps to Reproduce

• sign in with SSO as Admin user
• it fails on 403: M_FORBIDDEN

Problem

MAS doesn't let you get "synapse admin" rights through the legacy auth flow, as the legacy flow doesn't have a way to specify whether the session should have the admin rights or not. Best option would be native OIDC implementation in Synapse-Admin to work with MAS.

Or you can add possibility to use static pre-generated admin token which can be issued using CLI.

mas-cli manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges [username]

[dklimpel]

It is related to: matrix-org/matrix-authentication-service#2187 (comment)

[jacotec]

Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?

[jacotec]

@awesome-manuel I really need to access my server admin panels ... is there any workaround or tweak to log in on a server running MAS?

[CyberPingU]

This is a big issue for me too: I'm not goint into MAS due to the fact I cannot admin the server .

[schwadim]

Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?

As soon as the adminAPI responses with the first "You are not a server admin", synapse admin will terminate the session (did not check if this behavior is configurable).

There is quite a dirty workaround:

If you temporary block the adminAPI (either on the client- or the server side), the session will be kept open.
Then one can navigate to the compat_sessions table of the MAS DB and set the Flag is_synapse_admin for the given session to true.
After unblocking the adminAPI, the session should work as intended.

[awesome-manuel]

@schwadim do you have a log of the browser debug console to share?

[schwadim]

@awesome-manuel I am working on a testing environment with lots of issues and moving parts.
Therefore I doubt that my personal browser debug console would be of any help.
But let me know if you want me to provide one anyway.

In essence all I'm doing is:

• install ublock origin addon if not present
• visit the synapse admin interface
• open the ublock logger
• perform a failing login to let ublock logger catch all requests
• in ublock logger:
  • click on a url containing the _synapse/admin path
  • open the URL rule tab
  • click the red button on the left hand side beneath the URL ending with _synapse/admin/
• perform a new login
• do the above mentioned MAS db manipulation
• click once again on the red button in ublock logger to unblock the URL
• enjoy synapse admin

[awesome-manuel]

I need to know the exact answer of synpase that you need to block. Maybe this can be detected to be a MAS request.

[schwadim]

I am blocking all requests towards /_synapse/admin as all of them would be answered with the 403 response: {"errcode":"M_FORBIDDEN","error":"You are not a server admin"}

Receiving such a response, synapse-admin silently performs a logout.

If not blocked, the first request leading to a logout happens to be:
https://my_synapse/_synapse/admin/v2/users?deactivated=false&dir=f&from=0&guests=true&limit=10&order_by=name

So I'm simply gaining time to actually assign the required permissions to the session.
It is just a hacky workaround.

[schwadim]

Instead of tweaking the MAS database, one can also generate a new token via mas-cli and change device_id and access_token in the browser local storage while being logged in with blocked /_synapse/admin path. After reloading and unblocking one is able to work with the new token.

Yet another workaround would be:

• Login as admin against another homeserver not working with MAS
• generate a new token on the homeserver working with MAS using mas-cli
• Open browser local storage and change access_token, base_url, device_id, user_id
• reload

[dklimpel]

A real OIDC login workflow is required for synapse-admin with MAS.
An example could be under certain circumstances

• https://github.com/marmelab/ra-auth-auth0/blob/main/packages/ra-auth-auth0/Readme.md
• https://github.com/marmelab/ra-example-oauth

[jacotec]

@awesome-manuel Just asking if this is genrally planned to be fixed? Would be great to be able to use Synapse-Admin again after 10 months ... ;-)

[dklimpel]

First step is to add identifier to login flow. PR #601

A helpful guide could be: https://areweoidcyet.com/client-implementation-guide/