immanuelfodor / matrix-encrypted-webhooks

Send any JSON and form data through webhooks to Matrix end-to-end encrypted (E2EE) rooms with HTTP POST requests
MIT License

SSO Login #1

Open llitz opened 3 years ago

llitz commented 3 years ago

Any way to work with SSO logins or leverage a token from a different session?

immanuelfodor commented 3 years ago

What do you mean, how would you imagine such a scenario? How would it work if implemented?

llitz commented 3 years ago

Not sure how it should work, but ideally the application would need a cookie provided to it so that it works. My instance only has SSO logins available.

Anyway, for now, I managed to bypass this by logging in through the web and providing the matrix token directly to the client, creating the credentials.json file based on the source code hints.

Let me try to help and order a few ideas:

For SSO

immanuelfodor commented 3 years ago

Do you have SSO enabled and registrations enabled, too? Because even if registrations are disabled, you can add a new user through the homeserver's CLI, and so you could create a technical user just for the bridge.

What I'd think of is a way to be able to login with the technical user with password auth and only expose SSO registration/login to real users (maybe there is an Element config to only show the SSO login fields but no user/pass fields).

Implementing such a login feature in the bridge and creating an SSO technical user on your end seems to be a bigger effort, and it would create a never-ever used user in the auth provider system (e.g. an unnecessary and never-used account in Nextcloud, LDAP, Gitlab, etc). Plus my Matrix server doesn't have SSO, so I might not even be able to test it :grinning:

You might be able to hack your way into the bridge auth through the credentials.json, indeed. It would need some grokking of the nio documentation and maybe a proof of concept "SSO client" that could write one credentials.json for you. From that point, the bridge might be able to use that from there on. But I'm not sure if nio can do oauth and how, you probably need to ask the devs (https://github.com/poljar/matrix-nio/issues/192).

To sum up, you either find a workaround for pass auth or find a way to implement SSO login with nio. Just after a quick look at the nio repo (https://github.com/poljar/matrix-nio), I couldn't find an SSO/OAuth example, so it seems to be uncharted territory for me; you would first need to understand how the lib works. This is a much larger effort and more time than I can spend right now, but should you find any answer, I'm happy to merge a PR for this use case.

llitz commented 3 years ago

Thanks for taking the time to look into it. I have logins outside of SSO disabled on my system, so there's no way to log in without going through the SSO system.

For now, the hacked credentials.json is working fine, I think adding the format of the file to the README.md would be enough, as that is all that I required to get it working.

immanuelfodor commented 3 years ago

I'm on mobile right now but luckily, I've added some comments here before: https://github.com/immanuelfodor/matrix-encrypted-webhooks/blob/main/src/E2EEClient.py#L33

The url and user are trivial to get, but device ID and access token could be grabbed from an Element session, I think, at least it's worth a try. You should log into Element with SSO in a private browser window, copy these, then close the window without logging out, so the destroyed window's session will be the bridge's session. You shouldn't use your regular session as it might cause problems if two devices use the same login.

Update: Here is a guide on how to obtain it properly: https://t2bot.io/docs/access_tokens/

When setting up bots, it is common for the bot to require an "access token" in order to work. Access tokens authenticate bots to the server so that they can function. Access tokens should be kept secret and never shared.

  • In a private/incognito browser window, open Element.
  • Log in to the account you want to get the access token for, such as the bot's account.
  • Click on the bot's name in the top left corner then "Settings".
  • (Optional) Set your bot's display name and avatar.
  • Click the "Help & About" tab (left side of the dialog).
  • Scroll to the bottom and click the <click to reveal> part of Access Token: <click to reveal>.
  • Copy your access token to a safe place, like the bot's configuration file.
  • Do not log out. Instead, just close the window. If you used a private browsing session, you should be able to still use Element for your own account. Logging out deletes the access token from the server, making the bot unable to use it.
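An added example (not code from this repository or from anyone in the thread) of what to do with the four values discussed above once they have been copied out of an SSO-established Element session: validate them, compare them against the homeserver's `/_matrix/client/v3/account/whoami` answer so a token copied from the wrong account or device is caught before the bridge uses it, and write credentials.json with owner-only permissions since the token is a secret. The JSON key names, the sample Matrix IDs and the token value are assumptions; the real key names are in the project's E2EEClient.py.

```python
import json
import os
import re
from urllib.parse import urlparse

# Hypothetical key names: check the project's E2EEClient.py for the real ones.
USER_ID_RE = re.compile(r"^@[^:]+:.+$")  # @localpart:server[:port]


def build_credentials(homeserver_url, user_id, device_id, access_token):
    """Validate the four values the thread says a bridge session needs."""
    parsed = urlparse(homeserver_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("homeserver URL must be https://host[:port]")
    if not USER_ID_RE.match(user_id):
        raise ValueError("user must be a full Matrix ID like @bot:example.org")
    if not device_id or not access_token:
        raise ValueError("device ID and access token must not be empty")
    return {
        "homeserver_url": homeserver_url.rstrip("/"),
        "user_id": user_id,
        "device_id": device_id,
        "access_token": access_token,
    }


def check_whoami(whoami_json, creds):
    """Compare a GET /_matrix/client/v3/account/whoami body with the credentials.
    Returns a list of mismatches; empty means the token belongs to the expected
    account and (when the server reports it) the expected device."""
    body = json.loads(whoami_json) if isinstance(whoami_json, str) else whoami_json
    problems = []
    if body.get("user_id") != creds["user_id"]:
        problems.append("user_id mismatch")
    # device_id is optional in the whoami response; only compare when present.
    if "device_id" in body and body["device_id"] != creds["device_id"]:
        problems.append("device_id mismatch")
    return problems


def write_credentials(path, creds):
    """Write credentials.json readable only by its owner; returns the file mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(creds, f, indent=2)
    os.chmod(path, 0o600)  # tighten an already existing, wider file too
    return os.stat(path).st_mode & 0o777
```

The whoami call itself is left to the caller (any HTTP client with `Authorization: Bearer <token>`); the functions above work on its JSON body so they can be checked offline.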