Closed matrixbot closed 1 month ago
This comment was originally posted by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111816491.
This feels like MAS can't fetch the JWKS from Authentik. Can you check that:

- https://sso.example.com/application/o/mas/.well-known/openid-configuration has a `jwks_uri` field
- `jwks_uri` is reachable and this document has a "keys" field

This comment was originally posted by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111843883.
I can retrieve the jwks url but it's empty: {}
This comment was originally posted by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111847526.
I added a signing key, now I get: `wrong signature alg`. I see `ES256` alg in the jwks response.
This comment was originally posted by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111849917.
I had to use Authentik's self-signed cert with RS256.
I can login now, thanks!
This comment was originally posted by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111906244.
Glad it now works! MAS does support ES256 keys, you just need to set in the upstream provider config:

```yaml
token_endpoint_auth_signing_alg: ES256
```
There is existing documentation for Authentik here: https://matrix-org.github.io/matrix-authentication-service/setup/sso.html#authentik If something is not accurate there, could you please open a PR to fix the instructions?
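The two failure modes in this thread (a JWKS without a "keys" list, then a key whose algorithm does not match what MAS expects) can be checked before pointing MAS at a provider. The script below is an added example, not MAS or Authentik code: it walks discovery document, `jwks_uri`, and `keys`, and reports whether any key can verify the configured signing algorithm. The issuer URL, the JWKS bodies and the `fetch` callable are constructed for offline use; replace `offline_fetcher` with a real HTTP fetch to run it against a live provider.

```python
import json
from typing import Callable, Dict, List

# Constructed sample documents, not real Authentik or MAS output; the issuer
# URL is a placeholder.
ISSUER = "https://sso.example.com/application/o/mas"
DISCOVERY_URL = ISSUER + "/.well-known/openid-configuration"
JWKS_URL = ISSUER + "/jwks/"

DISCOVERY_DOC = json.dumps({
    "issuer": ISSUER,
    "jwks_uri": JWKS_URL,
    "id_token_signing_alg_values_supported": ["ES256", "RS256"],
})

# What the reporter saw before adding a signing key: a bare "{}".
EMPTY_JWKS = "{}"

# After adding an ECDSA signing key (coordinates are constructed placeholders).
ES256_JWKS = json.dumps({"keys": [{
    "kty": "EC", "crv": "P-256", "alg": "ES256", "use": "sig",
    "kid": "constructed-ec-key", "x": "AAAA", "y": "BBBB",
}]})


def offline_fetcher(jwks_body: str) -> Callable[[str], str]:
    """Return a fetch(url) that serves the constructed documents above."""
    docs = {DISCOVERY_URL: DISCOVERY_DOC, JWKS_URL: jwks_body}

    def fetch(url: str) -> str:
        if url not in docs:
            raise KeyError(f"no constructed document for {url}")
        return docs[url]
    return fetch


# JWS algorithm -> (kty, crv) of a key that can verify it.
ALG_KEY_TYPES = {
    "RS256": ("RSA", None), "RS384": ("RSA", None), "RS512": ("RSA", None),
    "PS256": ("RSA", None), "PS384": ("RSA", None), "PS512": ("RSA", None),
    "ES256": ("EC", "P-256"), "ES384": ("EC", "P-384"), "ES512": ("EC", "P-521"),
    "EdDSA": ("OKP", None),
}


def key_supports(key: dict, alg: str) -> bool:
    """True if a JWK can verify signatures made with `alg`.
    An explicit "alg" on the key must match; otherwise fall back to kty/crv."""
    if key.get("use", "sig") != "sig":
        return False
    if "alg" in key:
        return key["alg"] == alg
    kty, crv = ALG_KEY_TYPES.get(alg, (None, None))
    return key.get("kty") == kty and (crv is None or key.get("crv") == crv)


def check_upstream(issuer: str, fetch: Callable[[str], str], expected_alg: str) -> Dict:
    """Walk discovery -> jwks_uri -> keys and report what MAS would trip over."""
    problems: List[str] = []
    disco = json.loads(fetch(issuer.rstrip("/") + "/.well-known/openid-configuration"))
    jwks_uri = disco.get("jwks_uri")
    if not jwks_uri:
        problems.append('discovery document has no "jwks_uri" field')
        return {"ok": False, "jwks_uri": None, "key_algs": [], "problems": problems}

    jwks = json.loads(fetch(jwks_uri))
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        # This is the state behind MAS's 'missing field "keys"' error.
        problems.append('JWKS at jwks_uri has no non-empty "keys" list')
        keys = []
    key_algs = [k.get("alg", k.get("kty")) for k in keys]
    if keys and not any(key_supports(k, expected_alg) for k in keys):
        # The "wrong signature alg" case: keys exist, none fits the configured alg.
        problems.append(f"no key usable with {expected_alg}; JWKS offers {key_algs}")
    return {"ok": not problems, "jwks_uri": jwks_uri,
            "key_algs": key_algs, "problems": problems}


if __name__ == "__main__":
    for label, body, alg in [("empty JWKS", EMPTY_JWKS, "RS256"),
                             ("ES256 key, MAS expects RS256", ES256_JWKS, "RS256"),
                             ("ES256 key, MAS expects ES256", ES256_JWKS, "ES256")]:
        print(label, "->", check_upstream(ISSUER, offline_fetcher(body), alg))
```

The algorithm-to-key-type table is the standard JWA mapping; a key that carries its own `alg` member is matched on that first, so a JWKS that publishes `ES256` keys while MAS is configured for `RS256` shows up as the second failure rather than as a missing key.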
This issue was originally created by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773.
After login on the SSO page (so from the redirect):

```
May 15 07:05:34 matrix mas-cli[175]: 2024-05-15T07:05:34.183556Z ERROR http.server.request{otel.kind="server" otel.name="GET /upstream/callback/:provider_id" network.protocol.name="http" network.protocol.version="1.1" http.request.method="GET" url.path="/upstream/callback/01HFRQFT5QFMJFGF01P7JAV2ME" url.scheme="http" http.route="/upstream/callback/:provider_id" url.query="code=62cec9xxxxx4bc7b6a00d762933a757&state=im6xxxxs8wsRTg" user_agent.original="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"}:handlers.upstream_oauth2.callback.get{upstream_oauth_provider.id=xxxx}: mas_handlers::upstream_oauth2::callback: error=missing field "keys" at line 1 column 2
```
config:
Authentik is my upstream provider.