element-hq / element-android

A Matrix collaboration client for Android.
https://element.io/
GNU Affero General Public License v3.0
3.33k stars, 708 forks

POST after talking to OIDC SSO server goes to server address, not base_url of homeserver where the API lives #8283

Open zqad opened 1 year ago

zqad commented 1 year ago

Steps to reproduce

  1. Have a setup with SSO, and a .well-known/matrix/client endpoint on the server name URL (example.tld) that points to a home server API URL (https://homeserver.example.tld).
  2. Try to login. Observe the client correctly finding the .well-known configuration file (http log), and then observe it using the base_url of the homeserver when requesting /_matrix/client/version and /_matrix/client/r0/login/sso/redirect/oidc-keycloak (http log)
  3. Have the client authenticate with keycloak (in this example)
  4. Observe Keycloak instructing the client to redirect back to the same homeserver URL (homeserver.example.tld) as is configured in the .well-known config file (keycloak event log)
  5. Fail: Observe the client POST to /_matrix/client/r0/login end up on the server name URL (example.tld), instead of the base_url that is supplied in the .well-known file (homeserver.example.tld), and by Keycloak.

Outcome

What did you expect?

Client to use either redirect URL from OIDC communication with Keycloak, or at least the URL from the .well-known/matrix/client endpoint when POSTing auth info to /_matrix/client/r0/login.

What happened instead?

OIDC POST callback went to server name URL (example.tld) instead of API endpoint URL (https://homeserver.example.tld).

However, entering the server name as homeserver.example.tld into the app makes the flow work well. This seems to be a workaround for now.

Your phone model

Pixel 3a and others tried

Operating system version

Android 12 and others

Application version and app store

1.5.26 [40105262] (G-f6379963) (Play Store latest) / SDK 1.5.26 (f6379963)

Homeserver

Synapse 1.79.0

Will you send logs?

No

Are you willing to provide a PR?

No

zqad commented 1 year ago

Confirmed the same behavior in latest beta on Play Store (1.5.28)

zqad commented 1 year ago

After some more experimentation, I have more info:

I'm redirecting /_matrix/* from the server name domain (example.tld) to the homeserver (homeserver.example.tld). I tried dropping this redirect to see what would happen, and now I'm getting the message "This is not a valid Matrix server address", much like in https://github.com/vector-im/element-android/issues/7813 , so these might be duplicates.

The client will access these URLs in succession:

  1. https://example.tld/.well-known/matrix/client (200)
  2. https://homeserver.example.tld/_matrix/client/versions (200)
  3. https://example.tld/_matrix/client/versions (404, used to be 301 to https://homeserver.example.tld/_matrix/client/versions)
  4. https://example.tld/config.example.tld.json (404)

All in all, the API URL detection seems to be broken somehow. I've also tried Fluffychat that implements the detection correctly and connects without issues.

Checking the same paths on matrix.org hints that a workaround is in place:

I am unable to expose the _matrix api on the apex domain, so I hope this can be resolved easily. I've tried to look into the code myself, but being terrible with Java and completely incompetent with Kotlin, it turned out to be quite hard.

zqad commented 1 year ago

I should also add that this used to work well before, so it might be due to a change in how the client handles the redirects (the core issue with SSO is that the client will POST after the SSO flow to the login endpoint of the apex domain instead of the API domain, get redirected, and do a GET instead, which makes sense so as not to risk leaking tokens), or to a regression in how the API domain is detected.
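As an added example (not code from element-android or its SDK), the following Python model shows the discovery sequence from the previous comment and the post-SSO login POST from this one done the way the reporter expects: `base_url` is read from `.well-known/matrix/client`, confirmed with `/_matrix/client/versions`, and then reused for every later request including the login POST, and a redirect on that POST is treated as an error instead of being followed. The `fetch` transport, the routes table, the user id and the login token are constructed placeholders so the script runs offline.

```python
import json
from urllib.parse import quote, urlsplit


class DiscoveryError(Exception):
    """Discovery outcome in the spec's terms: FAIL_PROMPT or FAIL_ERROR."""


class LoginError(Exception):
    pass


def discover_base_url(server_name, fetch):
    """Resolve the client API base_url for a Matrix server name.

    Fetches .well-known/matrix/client on the server name, takes
    m.homeserver.base_url from it, then confirms that base_url serves
    /_matrix/client/versions. The server name is never probed for the API.
    """
    status, body = fetch("GET", f"https://{server_name}/.well-known/matrix/client")
    if status == 404:
        # No well-known document: the server name itself is the API host.
        base_url = f"https://{server_name}"
    elif status != 200:
        raise DiscoveryError("FAIL_PROMPT: well-known lookup returned HTTP %d" % status)
    else:
        try:
            base_url = json.loads(body)["m.homeserver"]["base_url"]
        except (ValueError, KeyError, TypeError):
            raise DiscoveryError("FAIL_PROMPT: well-known document is malformed")
        if not isinstance(base_url, str) or urlsplit(base_url).scheme != "https":
            raise DiscoveryError("FAIL_PROMPT: base_url must be an https URL")
        base_url = base_url.rstrip("/")
    # Only the discovered base_url is checked, not the apex domain.
    status, _ = fetch("GET", f"{base_url}/_matrix/client/versions")
    if status != 200:
        raise DiscoveryError("FAIL_ERROR: %s does not serve the client API" % base_url)
    return base_url


class MatrixClient:
    def __init__(self, server_name, fetch):
        self._fetch = fetch
        self.base_url = discover_base_url(server_name, fetch)

    def sso_redirect_url(self, idp_id, redirect_url):
        # The browser is sent here; the homeserver then bounces it to the IdP.
        return (f"{self.base_url}/_matrix/client/r0/login/sso/redirect/{idp_id}"
                f"?redirectUrl={quote(redirect_url, safe='')}")

    def login_with_token(self, login_token):
        # The loginToken from the SSO callback is exchanged at base_url, never at the server name.
        payload = json.dumps({"type": "m.login.token", "token": login_token})
        status, body = self._fetch("POST", f"{self.base_url}/_matrix/client/r0/login", payload)
        if 300 <= status < 400:
            # A redirect means the POST hit the wrong host; following it would
            # downgrade to GET or resend the token elsewhere, so stop here.
            raise LoginError("login POST was redirected; refusing to follow")
        if status != 200:
            raise LoginError("login failed with HTTP %d" % status)
        return json.loads(body)


def make_fake_fetch(routes):
    """Offline transport: (method, url) -> (status, body); unknown routes 404. Records every call."""
    log = []

    def fetch(method, url, body=None):
        log.append((method, url))
        return routes.get((method, url), (404, ""))

    return fetch, log


# Constructed routes mirroring the issue's setup: the apex domain serves only the
# well-known file and redirects API paths; the API lives on homeserver.example.tld.
ROUTES = {
    ("GET", "https://example.tld/.well-known/matrix/client"):
        (200, json.dumps({"m.homeserver": {"base_url": "https://homeserver.example.tld"}})),
    ("GET", "https://homeserver.example.tld/_matrix/client/versions"):
        (200, json.dumps({"versions": ["r0.6.1", "v1.6"]})),
    ("POST", "https://homeserver.example.tld/_matrix/client/r0/login"):
        (200, json.dumps({"user_id": "@alice:example.tld", "access_token": "placeholder"})),
    ("POST", "https://example.tld/_matrix/client/r0/login"):
        (301, ""),
}


def run_flow(server_name="example.tld", login_token="placeholder-login-token"):
    """Discover, then exchange the SSO login token; returns base_url, response, request log."""
    fetch, log = make_fake_fetch(ROUTES)
    client = MatrixClient(server_name, fetch)
    response = client.login_with_token(login_token)
    return client.base_url, response, log


if __name__ == "__main__":
    base_url, response, log = run_flow()
    print("base_url:", base_url, "user:", response["user_id"])
    for method, url in log:
        print(method, url)
```

The request log is the useful artefact: in a correct flow every `/_matrix/` request, including the final POST, goes to `homeserver.example.tld`, and the apex domain is contacted only for `.well-known`. Pointing `base_url` at the apex instead reproduces the reported failure (a 301 on the login POST), which this client surfaces as `LoginError` rather than silently retrying as a GET.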