-
Notifications
You must be signed in to change notification settings - Fork 562
Improve SSO/delegated authentication worker docs #19752
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: develop
Are you sure you want to change the base?
Changes from all commits
defd7c3
06f007c
f0d7eb8
f6b33b6
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Document the paths that can be handled on workers with stabilised delegated authentication. | ||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1 @@ | ||
| Improve documentation around endpoints that can be enabled with MSC3861. | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Where is this change spawning from? I assume you ran into this foot-gun somewhere
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. element-hq/ess-helm#1278 and backlinks in both that issue and here |
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -290,6 +290,9 @@ information. | |
| # Unstable MSC4140 support | ||
| ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$ | ||
|
|
||
| # Stabilised Delegated Authentication support (`matrix_authentication_service.enabled: true`) | ||
| ^/_synapse/mas/ | ||
|
Comment on lines
+293
to
+294
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Documented up here rather than next to the |
||
|
|
||
| Additionally, the following REST endpoints can be handled for GET requests: | ||
|
|
||
| # Push rules requests | ||
|
|
@@ -314,7 +317,7 @@ for the room are in flight: | |
|
|
||
| Additionally, the following endpoints should be included if Synapse is configured | ||
| to use SSO (you only need to include the ones for whichever SSO provider you're | ||
| using): | ||
| using) and delegated authentication isn't enabled: | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I've made the assertion here that none of these paths are useful in delegated auth world (be it experimental config or stabilised) |
||
|
|
||
| # for all SSO providers | ||
| ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect | ||
|
|
@@ -343,7 +346,11 @@ set to `true`), the following endpoints can be handled by the worker: | |
| ^/_synapse/admin/v2/users/[^/]+$ | ||
| ^/_synapse/admin/v1/username_available$ | ||
| ^/_synapse/admin/v1/users/[^/]+/_allow_cross_signing_replacement_without_uia$ | ||
| ^/_synapse/admin/v1/users/[^/]+/devices$ | ||
| ^/_synapse/admin/v2/users/[^/]+/devices(/|$) | ||
|
|
||
| Do note that these endpoints can't be handled by workers if the stabilised delegated | ||
| authentication support is enabled (`matrix_authentication_service.enabled` set to | ||
| `true`). | ||
|
Comment on lines
+351
to
+353
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. How do you know? Why is this the case?
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. From #19752 (comment), it seems like it doesn't matter whether these are handled. It just isn't necessary. Which means the phrasing of these updates should change. Or perhaps, isn't necessary to call this out at all. You can handle whatever with workers.
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
https://github.com/element-hq/synapse/pull/18759/changes#diff-21eb1b3b6455b7011ccbffc74b0279d87d5c69752d62d0196479b1bbc0bdbee3R274-R278 and discussion with @sandhose
My comment above is about the main block of paths. I think that the sentence I'm commenting is accurate and the additional assertion I've made (not useful with delegated auth) holds given Synapse won't be receiving any OIDC/SAML/CAS callbacks or doing any of the SSO dance. These paths here can't be be put on a worker at all if the stabilised MAS configuration is used
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
I feel like it doesn't matter. As far as I know, when MAS is enabled, it disables all of the relevant endpoints.
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. https://github.com/element-hq/synapse/blob/v1.153.0/synapse/rest/admin/__init__.py#L391-L401 these still appear enabled on workers with the experimental MAS configuration. Just not with the stable MAS configuration (or without MAS). |
||
|
|
||
| Note that a [HTTP listener](usage/configuration/config_documentation.md#listeners) | ||
| with `client` and `federation` `resources` must be configured in the | ||
|
|
||
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this PR should be reviewed by someone else from @element-hq/mas-maintainers for accuracy.
I can't seem to select the team as a reviewer