YunoHost-Apps / synapse_ynh

Matrix server (synapse) package for YunoHost
https://matrix.org/
GNU General Public License v3.0

OpenID Connect #411

Open Thatoo opened 9 months ago

Thatoo commented 9 months ago

Extract from the matrix.org blog:

Finally, last but not least, we’re proud to announce that the project to replace Matrix’s venerable existing authentication APIs with industry-standard Open ID Connect in Matrix 2.0 has taken a huge leap forwards today, with matrix-authentication-service now being available to add Native OIDC support to Synapse, as well as Element X now implementing account registration, login and management via Native OIDC (with legacy support only for login/logout).

This is a critical step forwards in improving the security and maintainability for Matrix’s authentication, and you can read all about it in this dedicated post, explaining the rationale for adopting OpenID Connect for all forms of authentication throughout Matrix, and what you need to know about the transition.

Will it work with YunoHost SSO and LDAP functionality?

aibosss commented 9 months ago

+1

Thatoo commented 7 months ago

Maybe an easy way would be to install https://github.com/YunoHost-Apps/dex_ynh automatically alongside Synapse, to use the YunoHost LDAP through OIDC in Synapse?
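To make the proposed dex-in-front-of-LDAP setup concrete, here is an added example configuration (not from this thread, dex_ynh or synapse_ynh) of the two sides of that chain: a dex LDAP connector reading the YunoHost user tree, and the matching `oidc_providers` entry in Synapse's homeserver.yaml. Hostnames, the LDAP DNs, the anonymous bind and the `preferred_username` claim mapping are assumptions; only the key names are real dex and Synapse options.

```yaml
# --- dex config: YunoHost LDAP -> OIDC (assumed layout, placeholders throughout) ---
issuer: https://sso.example.org/dex
storage:
  type: sqlite3
  config:
    file: /var/lib/dex/dex.db
web:
  http: 127.0.0.1:5556        # keep dex behind the YunoHost nginx, TLS terminated there
connectors:
- type: ldap
  id: yunohost-ldap
  name: YunoHost
  config:
    host: localhost:389
    insecureNoSSL: true       # tolerable only because the LDAP socket never leaves localhost
    bindDN: ""                # anonymous read bind; assumed to be permitted on the local slapd
    userSearch:
      baseDN: ou=users,dc=yunohost,dc=org   # assumed YunoHost user tree
      filter: "(objectClass=inetOrgPerson)"
      username: uid           # login name; dex exposes it as the preferred_username claim
      idAttr: uid
      emailAttr: mail
      nameAttr: cn
staticClients:
- id: synapse
  name: Synapse
  secret: REPLACE_WITH_RANDOM_SECRET    # e.g. `openssl rand -hex 32`, never a guessable string
  redirectURIs:
  - https://matrix.example.org/_synapse/client/oidc/callback
---
# --- Synapse homeserver.yaml fragment: trust dex as the only OIDC provider ---
oidc_providers:
- idp_id: yunohost
  idp_name: YunoHost
  issuer: https://sso.example.org/dex   # must equal dex `issuer` byte-for-byte (discovery check)
  client_id: synapse
  client_secret: REPLACE_WITH_RANDOM_SECRET
  scopes: ["openid", "profile", "email"]
  user_mapping_provider:
    config:
      localpart_template: "{{ user.preferred_username }}"   # LDAP uid -> @uid:matrix.example.org
      display_name_template: "{{ user.name }}"
      email_template: "{{ user.email }}"
  # Lets an OIDC login attach to an existing @uid account created by the old LDAP auth.
  # Safe here only because dex derives preferred_username from the same LDAP uid; with an
  # IdP where users choose their own username, this setting would let them claim others' accounts.
  allow_existing_users: true
```

This covers only the LDAP-backed users; accounts that were never in the YunoHost LDAP (the case raised below) are outside what dex alone can map.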

Josue-T commented 7 months ago

Well, after some investigation, dex or something else will be needed to link users with LDAP, but it will not be enough, as we will also need to manage users who were authenticated without YunoHost (and are not in LDAP). For this we will need the matrix-authentication-service.

But I really think installing dex + matrix-authentication-service + sliding_proxy all in the same YunoHost package makes it a bit heavy. For me, ideally the YunoHost SSO "should" provide a solution to connect the matrix-authentication-service (OAuth 2.0/OIDC), as it's not the only app which needs this. Many apps probably already need this, and in the long term more and more apps will need this.

There are already many discussions about this here: https://github.com/YunoHost/issues/issues?q=is%3Aissue+openid

Thatoo commented 7 months ago

I agree with you about integrating OpenID into YunoHost's SSO system.

From what I understood, the sliding sync proxy will be merged into the synapse package at some point. In the meantime, it is possible to add it separately, but I wonder if we have the resources to focus on this temporary work just to benefit a faster app for those who are using the Element X app before Synapse integrates it.

I think that working on integrating OpenID into the SSO is a much more important long-run investment.

Josue-T commented 7 months ago

For me it's not urgent to add sliding proxy support until Element X is merged into Element. It's nice to have it, but it's not mandatory.

On the OpenID side, for me ideally we should migrate the authentication system at the same time as the sliding proxy, as it's all linked to the new Matrix spec. But yes, on the other side, on the YunoHost side there is some work to integrate OIDC. Maybe it could be integrated into the work on the new YunoHost portal.

Anyway, for me all of this (sliding proxy and OIDC) are big projects which will take time to integrate. The Synapse package is used by many people, so we can't release unstable things. We had many regressions since some of the last PRs, and we really should avoid this.

Thatoo commented 4 months ago

[info] Element now has native OIDC support: https://github.com/element-hq/element-web/releases/tag/v1.11.59-rc.0 I guess that all platforms (desktop and smartphone) have at least one version working with OIDC now (not yet the case for sliding-sync though).

Josue-T commented 4 months ago

The main issue about this is that YunoHost doesn't natively support OIDC, cf. https://github.com/YunoHost/issues/issues/676