maxidorius
commented
5 years ago TL;DR:
- Out of scope of mxisd and not something we wish to support as part of the public project.
- We offer consultancy services via Kamax Sarl, our for-profit where we'll be happy to build such custom feature.
There has been some discussions internally about this, and a few requests over the years for something like this. I'll use this issue as a reference for our stand on this specific matter.
mxisd is an identity server and as such does not actually authenticate. It is used as a password provider with the REST password provider external module and only in the case of synapse. mxisd doesn't actually have any control in the authentication/authorization process even if it may look like it. We provide advanced integration with authentication but only in a way that fits within mxisd purpose (3PID <-> Matrix ID) and before the request hits the homeserver. Once it has, there is nothing mxisd can do anymore except checking that a password is valid for a given username, and returning true or false.
Over time, we have added ways to interact with the Synapse DB but not as a direct integration. Rather, the correct queries are directly configured and the SQL Identity Store is actually used. This is read-only and we do not want to perform any write operations in Identity stores for the the time being.
On the matter of sessions: those are bound to access tokens. Access tokens are opaque elements which are arbitrarly created, checked and managed by the Homeserver. There is no standard way to interact with those at the specification level, therefore no way for mxisd to deal with them in a way which will ensure consistency for the Homeserver setup. Compatbility with the spec and with the broad ecosystem is one of our core values. Performing operations that can only work with synapse is something we will not work towards or support as part of the mxisd project.
Finally, synapse itself has caching mechanisms which would need to be dealt with. Even if you were to remove the access token from the DB, it would still be cached. The only way to make it work is to use the admin API, which has specific requirements far out of scope of this project.
Bottom line is that this is out of scope of what mxisd does, or the values of the project which is to build an Identity server and extra features based on the Matrix specification and be implementation agnostic.
While we work on this project as per our Libre/Open source initiative, we also offer consultancy services exactly for this kind of requests. If you would be interested, you can:
- See our officlal Contact page
- Send me an email directly using the email on my Github profile
- Send me a direct message on Matrix at @max:kamax.io
- Join the #kamax-matrix:kamax.io room
We'll be happy to discuss your needs further.
MarisOnPremises
We like the Mxisd LDAP solution by being able to search users directly from MS AD. The user solution should work as follows: At least 1x a day (configurable time) checks the list of synapse active users, if any of the MS AD users are blocked, deleted, or changed their password, all existing sessions with this user must be stopped (user must be logout).
Our goal is to prevent users with invalid access from using the system.
We are currently using: Mxisd 1.2.2. Synapse 0.99.0 Riot-web 0.17.9