element-hq / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://element-hq.github.io/synapse
GNU Affero General Public License v3.0

Support unsigned id_tokens for OIDC providers #9250

Open matrixbot opened 11 months ago

matrixbot commented 11 months ago

This issue has been migrated from #9250.


Description

I enabled OpenID Connect in Synapse to log in with user accounts located in an OpenID Connect provider.

I'm testing my server configuration using the client on https://app.element.io.

The following happens:

There was an error during authentication:
unsupported_algorithm:

If you are seeing this page after clicking a link sent to you via email, make sure you only click the confirmation link once, and that you open the validation link in the same client you're logging in from.

Try logging in again from your Matrix client and if the problem persists please contact the server's administrator.

Error: invalid_token

and the following in the log:

2021-01-28 14:10:36,898 - synapse.http.client - 429 - INFO - GET-7 - Received response to POST https://intra.atelier-medias.org:443/xwiki/oidc/token: 200
2021-01-28 14:10:36,899 - synapse.handlers.oidc_handler - 671 - ERROR - GET-7 - Invalid id_token
Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.5/site-packages/synapse/handlers/oidc_handler.py", line 669, in handle_oidc_callback
    userinfo = await self._parse_id_token(token, nonce=nonce)
  File "/opt/venvs/matrix-synapse/lib/python3.5/site-packages/synapse/handlers/oidc_handler.py", line 459, in _parse_id_token
    claims_params=claims_params,
  File "/opt/venvs/matrix-synapse/lib/python3.5/site-packages/authlib/jose/rfc7519/jwt.py", line 99, in decode
    data = self._jws.deserialize_compact(s, load_key, decode_payload)
  File "/opt/venvs/matrix-synapse/lib/python3.5/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
    algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
  File "/opt/venvs/matrix-synapse/lib/python3.5/site-packages/authlib/jose/rfc7515/jws.py", line 249, in _prepare_algorithm_key
    raise UnsupportedAlgorithmError()
authlib.jose.errors.UnsupportedAlgorithmError: unsupported_algorithm: 

I'm not fully sure what it exactly means by "unsupported_algorithm", but this OpenID Connect provider returns plain tokens (not encrypted or signed tokens), which is perfectly valid from the OpenID Connect protocol's point of view, but maybe it's related? Just in case, I tried to set skip_verification: true but it does not seem to help.

Version information

Synapse 1.26 installed with matrix-synapse-py3 on Debian Stretch. Python 3.5 (I noticed a warning about the Python version but that's the version I got on Debian Stretch, so I hope it's not related...)
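The traceback above ends in authlib's `_prepare_algorithm_key` raising `UnsupportedAlgorithmError`, which is what happens when the id_token's JOSE header carries an `alg` the verifier has not been configured to accept; an unsigned ("plain") id_token has `"alg": "none"` and an empty signature segment. The example below is added here to illustrate the decision a relying party has to make for such tokens; it is not Synapse or authlib code, uses only the Python standard library, and the function and parameter names (`validate_id_token`, `allow_unsigned`, `from_token_endpoint`, `signature_verifier`) are assumptions for the illustration. The defender's point it encodes: an `alg: none` token carries no integrity protection of its own, so it should only ever be accepted when an operator has explicitly opted in and the token was obtained directly from the provider's token endpoint over TLS (the authorization-code back channel), and even then the standard claim checks (iss, aud, exp, nonce) still apply.

```python
import base64
import json
import time


class IdTokenError(Exception):
    """Raised when an id_token is rejected; the message states the reason."""


def _b64url_decode(segment: str) -> bytes:
    # JWS segments are base64url without '=' padding (RFC 7515 section 2).
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_id_token(claims: dict) -> str:
    # Constructed sample token: an Unsecured JWT (RFC 7519 section 6) has
    # "alg": "none" in its header and an empty third (signature) segment.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def split_compact(token: str):
    """Split a compact-serialized JWT into (header dict, claims dict, signature str)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed compact serialization")
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, UnicodeDecodeError) as exc:
        raise IdTokenError(f"undecodable segment: {exc}") from exc
    return header, claims, parts[2]


def validate_id_token(token, *, issuer, client_id, nonce, allow_unsigned=False,
                      from_token_endpoint=False, signature_verifier=None, now=None):
    """Return the claims if the id_token is acceptable, else raise IdTokenError.

    allow_unsigned      -- operator opt-in for "alg": "none" (hypothetical setting)
    from_token_endpoint -- True only when the token arrived via the TLS back channel
    signature_verifier  -- callable(header, token, signature) -> bool for signed algs
    """
    now = time.time() if now is None else now
    header, claims, signature = split_compact(token)
    alg = header.get("alg")

    if alg == "none":
        if signature != "":
            raise IdTokenError("alg none must carry an empty signature")
        # Both conditions are required: explicit opt-in AND a trusted channel.
        if not (allow_unsigned and from_token_endpoint):
            raise IdTokenError("unsupported_algorithm: unsigned id_token not accepted")
    elif signature_verifier is None:
        # Mirrors the failure mode in the report: no verifier for this alg.
        raise IdTokenError(f"unsupported_algorithm: {alg!r}")
    elif not signature_verifier(header, token, signature):
        raise IdTokenError("bad signature")

    # Claim checks from OpenID Connect Core 3.1.3.7 still apply to every token.
    if claims.get("iss") != issuer:
        raise IdTokenError("issuer mismatch")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if client_id not in aud:
        raise IdTokenError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise IdTokenError("token expired or exp missing")
    if nonce is not None and claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch")
    return claims


def rejection_reason(token, **kwargs):
    """Return the rejection message, or None if the token is accepted."""
    try:
        validate_id_token(token, **kwargs)
    except IdTokenError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    sample = make_unsigned_id_token({"iss": "https://op.example", "sub": "alice",
                                     "aud": "synapse-client", "exp": 1700000300,
                                     "iat": 1700000000, "nonce": "n-1"})
    common = dict(issuer="https://op.example", client_id="synapse-client",
                  nonce="n-1", now=1700000000)
    print(rejection_reason(sample, **common))                       # rejected by default
    print(rejection_reason(sample, allow_unsigned=True,
                           from_token_endpoint=True, **common))     # None: accepted
```

With the defaults the unsigned token is rejected with the same `unsupported_algorithm` wording seen in the Synapse log; only the combination of an explicit opt-in and a token fetched from the token endpoint lets it through, and a wrong nonce or an expired token is still refused on that path.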

bjoerns1983 commented 10 months ago

Stumbled upon that issue just today. Would love to see a config value so that unsigned ID_tokens could be used.