element-hq / matrix-authentication-service

https://element-hq.github.io/matrix-authentication-service/
GNU Affero General Public License v3.0

missing field `keys`... #2773

Closed matrixbot closed 1 month ago

matrixbot commented 1 month ago

This issue was originally created by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773.

After login on the SSO page (so from the redirect):

May 15 07:05:34 matrix mas-cli[175]: 2024-05-15T07:05:34.183556Z ERROR http.server.request{otel.kind="server" otel.name="GET /upstream/callback/:provider_id" network.protocol.name="http" network.protocol.version="1.1" http.request.method="GET" url.path="/upstream/callback/01HFRQFT5QFMJFGF01P7JAV2ME" url.scheme="http" http.route="/upstream/callback/:provider_id" url.query="code=62cec9xxxxx4bc7b6a00d762933a757&state=im6xxxxs8wsRTg" user_agent.original="Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"}:handlers.upstream_oauth2.callback.get{upstream_oauth_provider.id=xxxx}: mas_handlers::upstream_oauth2::callback: error=missing field "keys" at line 1 column 2

config:

database:
  host: postgresql.example.com
  username: mas
  password: pass
  database: mas

secrets:
  encryption: xxx
  keys:
  - kid: xxx
    key: |
      -----BEGIN RSA PRIVATE KEY-----
      xxxx
      -----END RSA PRIVATE KEY-----
  - kid: kmURjfc5ev
    key: |
      -----BEGIN EC PRIVATE KEY-----
      xxxx
      -----END EC PRIVATE KEY-----
  - kid: Tzh02OYJ5f
    key: |
      -----BEGIN EC PRIVATE KEY-----
      xxxx
      -----END EC PRIVATE KEY-----
  - kid: xxxx
    key: |
      -----BEGIN EC PRIVATE KEY-----
      xxxx
      -----END EC PRIVATE KEY-----

matrix:
  homeserver: example.com
  secret: xxxxx
  endpoint: http://localhost:8008/

clients:
  - client_id: 0000000000000000000SYNAPSE
    client_auth_method: client_secret_basic
    client_secret: "xxxx"

upstream_oauth2:
  providers:
  - id: xxxxx
    human_name: xxxx
    issuer: "https://sso.example.com/application/o/mas/"
    client_id: "xxxx"
    client_secret: "xxxx"
    scope: "openid profile email"
    claims_imports:
      localpart:
        action: require
        template: "{{ user.preferred_username }}"
      displayname:
        action: suggest
        template: "{{ user.name }}"
      email:
        action: suggest
        template: "{{ user.email }}"
        set_email_verification: always
    token_endpoint_auth_method: client_secret_post

http:
  listeners:
  - name: web
    resources:
    - name: discovery
    - name: human
    - name: oauth
    - name: compat
    - name: graphql
      playground: true
    - name: assets
    binds:
    - address: '0.0.0.0:8080'
    proxy_protocol: false
  trusted_proxies:
  - 192.168.1.0/24
  public_base: https://auth.matrix.example.com/
  issuer: https://example.com/

passwords:
  enabled: false

Authentik is my upstream provider.

matrixbot commented 1 month ago

This comment was originally posted by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111816491.

This feels like MAS can't fetch the JWKS from Authentik. Can you check that:

matrixbot commented 1 month ago

This comment was originally posted by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111843883.

I can retrieve the jwks url but it's empty: {}

matrixbot commented 1 month ago

This comment was originally posted by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111847526.

I added a signing key, now I get: wrong signature alg

I see ES256 alg in the jwks response.

matrixbot commented 1 month ago

This comment was originally posted by @gregistech at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111849917.

I had to use Authentik's self-signed cert with RS256.

I can login now, thanks!

matrixbot commented 1 month ago

This comment was originally posted by @sandhose at https://github.com/matrix-org/matrix-authentication-service/issues/2773#issuecomment-2111906244.

Glad it now works! MAS does support ES256 keys, you just need to set in the upstream provider config:

token_endpoint_auth_signing_alg: ES256

There is existing documentation for Authentik here: https://matrix-org.github.io/matrix-authentication-service/setup/sso.html#authentik. If something is not accurate there, could you please open a PR to fix the instructions?
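As an added illustration of the two failures seen in this thread (this is example code written for this page, not code from MAS, Authentik or the thread participants): a small check an operator can run over a fetched JWKS document before wiring up an upstream provider. It reports the `{}` case (no `keys` field) and the case where the published keys cannot produce the signing alg configured on the MAS side (the `token_endpoint_auth_signing_alg` setting mentioned above). The key-type-to-algorithm table, the key-ids and the sample JWKS documents are constructed for this example.

```python
import json

# Algorithms a key can sign with, derived from its kty/crv (RFC 7518 mapping).
# Constructed for this check; not a table taken from MAS.
_ALGS_FOR_KEY = {
    ("EC", "P-256"): {"ES256"},
    ("EC", "P-384"): {"ES384"},
    ("EC", "P-521"): {"ES512"},
    ("RSA", None): {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
}


def check_jwks(jwks_json: str, configured_alg: str = "RS256") -> dict:
    """Classify a fetched JWKS document against the alg MAS is configured to
    expect and return what an operator would need to fix."""
    doc = json.loads(jwks_json)
    if not isinstance(doc.get("keys"), list):       # the `{}` response from the thread
        return {"ok": False, "reason": "missing field `keys`", "usable_kids": [], "key_algs": []}
    usable, other = [], []
    for key in doc["keys"]:
        kty, kid, declared = key.get("kty"), key.get("kid"), key.get("alg")
        if key.get("use", "sig") != "sig":          # encryption-only keys never verify tokens
            continue
        crv = key.get("crv") if kty == "EC" else None
        allowed = _ALGS_FOR_KEY.get((kty, crv), set())
        # A key is usable when its type can produce configured_alg and it does not
        # declare a different alg (a declared alg pins the key to that one).
        if configured_alg in allowed and declared in (None, configured_alg):
            usable.append(kid)
        else:
            other.append((kid, declared or "/".join(sorted(allowed)) or "unknown"))
    if not usable:                                   # the "wrong signature alg" case
        return {"ok": False, "reason": "wrong signature alg", "usable_kids": [], "key_algs": other}
    return {"ok": True, "reason": None, "usable_kids": usable, "key_algs": other}


# Constructed sample documents mirroring the thread: an empty JWKS, then one that
# only publishes an EC P-256 (ES256) signing key. The kid and coordinates are placeholders.
EMPTY_JWKS = "{}"
ES256_JWKS = json.dumps({"keys": [{"kty": "EC", "crv": "P-256", "kid": "example-ec-kid",
                                   "use": "sig", "alg": "ES256",
                                   "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"}]})

if __name__ == "__main__":
    print(check_jwks(EMPTY_JWKS))
    print(check_jwks(ES256_JWKS, "RS256"))   # default alg: no usable key
    print(check_jwks(ES256_JWKS, "ES256"))   # matching alg: key is usable
```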