famedly / uia-proxy

GNU Affero General Public License v3.0

UIA proxy does not advertise its supported login types correctly #24

Closed famedly-bot closed 1 year ago

famedly-bot commented 2 years ago

In GitLab by @jdreichmann on Aug 10, 2022, 11:48

On GET /login, flows with their stages including the stage type should be advertised so clients know how to, f.ex. initiate an SSO-based flow.

The only loaded flow is also the default flow including only the m.login.sso stage, so uia-proxy is wrongly instructing clients to try the com.famedly.login.msc2835 flow.

Expected advertisement per CS-API v1.2 spec section 11.23.1.1:

{
  "flows": [
    {
      "type": "m.login.sso",
      "identity_providers": [
        {
          "id": "oidc-famedly",
          "name": "Famedly IDP"
        }
      ]
    },
    {
      "type": "m.login.token"
    },
    {
      "type": "m.login.password"
    },
    {
      "type": "com.famedly.login.msc2835"
    }
  ]
}

Actual result:

{
  "flows": [
    {
      "type": "com.famedly.login.msc2835"
    }
  ]
}

Configured in uia-proxy is m.login.sso:

uia:
    default:
        flows:
        -   stages:
            - m.login.sso
        stages:
            m.login.sso:
                default: oidc-famedly
                endpoints:
                    callback: _synapse/client/oidc/callback
                    json_redirects: true
                    redirect: _matrix/client/v3/login/sso/redirect
                providers:
                    oidc-famedly:
                        authorization_endpoint: https://auth.famedly.de/oauth/authorize?prompt=none
                        autodiscover: true
                        client_id: $client_id
                        client_secret: $client_secret
                        expected_claims:
                            matrix_allowed_server_names: famedly.de
                        introspect: true
                        issuer: https://auth.famedly.de/oidc/
                        name_claim: name
                        scopes: openid profile matrix/servers
                        subject_claim: sub

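The mismatch reported above can be checked mechanically. The following is an added example, not uia-proxy's own code: it derives the login types a client should see from the quoted config, parses the two GET /login bodies, and reports what is missing or unexpected. It assumes an SSO-only flow maps to one m.login.sso entry listing the configured providers and that m.login.token accompanies it, as in the expected body; the config dict and bodies are constructed from the post.

```python
import json

# Constructed from the first post: the quoted config cut down to the keys read here, and the two GET /login bodies.
UIA_CONFIG = {"uia": {"default": {
    "flows": [{"stages": ["m.login.sso"]}],
    "stages": {"m.login.sso": {
        "default": "oidc-famedly",
        "providers": {"oidc-famedly": {"issuer": "https://auth.famedly.de/oidc/"}},
    }},
}}}
EXPECTED_BODY = ('{"flows": [{"type": "m.login.sso", "identity_providers": '
                 '[{"id": "oidc-famedly", "name": "Famedly IDP"}]}, {"type": "m.login.token"}, '
                 '{"type": "m.login.password"}, {"type": "com.famedly.login.msc2835"}]}')
ACTUAL_BODY = '{"flows": [{"type": "com.famedly.login.msc2835"}]}'

def flows_from_config(config, endpoint="default"):
    """Login types a client should see for the config's single-stage flows, as
    {type: [identity provider ids]}. Assumption: an SSO-only flow becomes one m.login.sso
    entry listing every configured provider, with m.login.token advertised alongside
    because the SSO redirect completes with a token login."""
    ep = config["uia"][endpoint]
    advertised = {}
    for flow in ep["flows"]:
        stages = flow["stages"]
        if len(stages) != 1:
            continue  # multi-stage flows are only reachable through UIA, not /login
        if stages[0] == "m.login.sso":
            advertised["m.login.sso"] = sorted(ep["stages"]["m.login.sso"]["providers"])
            advertised["m.login.token"] = []
        else:
            advertised[stages[0]] = []
    return advertised

def flows_from_login_body(body):
    """Parse a GET /login response body into {type: [identity provider ids]}."""
    advertised = {}
    for flow in json.loads(body).get("flows", []):
        idps = flow.get("identity_providers", [])
        advertised[flow["type"]] = sorted(idp["id"] for idp in idps)
    return advertised

def sso_providers(body):
    """IdP ids a client could start SSO with, or None when no m.login.sso flow is advertised."""
    return flows_from_login_body(body).get("m.login.sso")

def diff_flows(expected, actual):
    """Types that should be advertised but are not, and advertised types the config does not explain."""
    missing = {t: ids for t, ids in expected.items() if t not in actual}
    unexpected = sorted(t for t in actual if t not in expected)
    return {"missing": missing, "unexpected": unexpected}
```

Run against ACTUAL_BODY, diff_flows reports m.login.sso (with oidc-famedly) missing and com.famedly.login.msc2835 unexpected, which is exactly the symptom the issue describes.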
famedly-bot commented 2 years ago

In GitLab by @jdreichmann on Aug 10, 2022, 11:52

marked this issue as related to famedly/company/devops/meta#451

famedly-bot commented 2 years ago

In GitLab by @agraven on Aug 10, 2022, 12:01

This is a deliberate deviation from the spec; however, if it's needed for compatibility reasons, then I could potentially add it so that it's displayed if there's a login flow with that as the only stage, and the SSO initiation endpoint has been set to a Synapse-compatible path.

famedly-bot commented 2 years ago

In GitLab by @jdreichmann on Aug 11, 2022, 10:52

deliberate as in - from UIA proxy's PoV..?

famedly-bot commented 2 years ago

In GitLab by @agraven on Aug 11, 2022, 10:57

Yes, UIA Proxy was never intended to be compatible with regular /login in any other regard than m.login.password being compatible by coincidence, as I understand it