matrix-org / matrix-authentication-service

OAuth2.0 + OpenID Provider for Matrix Homeservers
https://matrix-org.github.io/matrix-authentication-service/
Apache License 2.0

base64 secrets don't seem to work as the client secret between MAS and homeserver #2780

Open pontaoski opened 6 months ago

pontaoski commented 6 months ago
MAS log:

```
May 16 16:54:49 ilo-kulupu mas-cli[4227]: 2024-05-16T16:54:49.222047Z ERROR http.server.request{otel.kind="server" otel.name="POST /oauth2/introspect" network.protocol.name="http" network.protocol.version="1.1" http.request.method="POST" url.path="/oauth2/introspect" url.scheme="http" http.route="/oauth2/introspect" user_agent.original="Synapse/1.105.1"}:handlers.oauth2.introspection.post{client.id="0000000000000000000SYNAPSE"}:verify: mas_axum_utils::client_authorization: error=client secret did not match
```

Synapse log:

```
2024-05-16 16:54:46,992 - synapse.http.client - 426 - INFO - GET-118 - Received response to POST https://mas.toki.club/oauth2/introspect: 401
2024-05-16 16:54:46,992 - synapse.api.auth.msc3861_delegated - 270 - ERROR - GET-118 - Failed to introspect token
Traceback (most recent call last):
  File "/usr/lib64/python3.12/site-packages/synapse/api/auth/msc3861_delegated.py", line 268, in get_user_by_access_token
    introspection_result = await self._introspect_token(token)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/synapse/api/auth/msc3861_delegated.py", line 204, in _introspect_token
    raise HttpResponseException(
synapse.api.errors.HttpResponseException: 401: Unauthorized
2024-05-16 16:54:46,992 - synapse.http.server - 130 - INFO - GET-118 - <XForwardedForRequest at 0x7fa4bc36af30 method='GET' uri='/_matrix/client/r0/sync?timeout=30000&since=s168251_2124209_53_414898_35093_25_253_319440_0_29&filter=1' clientproto='HTTP/1.1' site='7893'> SynapseError: 503 - Unable to introspect the access token
```

Example secrets that don't work for me: (`openssl rand base64`)

Example secrets that do work for me: (`openssl rand hex`)

I edited the MAS config file like so:

```yaml
clients:
  - client_id: 0000000000000000000SYNAPSE
    client_auth_method: client_secret_basic
    client_secret: "1234"
```

and then ran `mas-cli config sync`.

I edited the Synapse config file like so:

```yaml
experimental_features:
  msc3861:
    enabled: true
    issuer: https://mas.toki.club/
    client_id: "0000000000000000000SYNAPSE"
    client_auth_method: client_secret_basic
    client_secret: "1234"
    admin_token: "..."
    account_management_url: "https://ldap.toki.club"
```

and then restarted Synapse.
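The symptom above (a secret from `openssl rand -base64` rejected with "client secret did not match", a hex secret accepted) is consistent with a well-known `client_secret_basic` interoperability trap, although the thread does not confirm that this is the cause: RFC 6749 §2.3.1 says the client id and secret must be `application/x-www-form-urlencoded` before being joined with `:` and base64-encoded into the `Authorization: Basic` header, but many clients skip the encoding step and many servers skip the decoding step. The two shortcuts only disagree for secrets containing characters that form-encoding changes, such as `+`, `/` and `=` from the base64 alphabet; a hex secret is identical under both, so it works regardless of which side takes the shortcut. The following added example (my own code, not from MAS, Synapse or this issue, and making no claim about which encoding either project actually implements) models both client and server behaviours and reports which combinations a given secret survives; the client id is the one from the issue, the secrets are constructed.

```python
"""
Added example: client_secret_basic credential encoding per RFC 6749 §2.3.1
versus the common shortcut, and a check for which secrets survive both.
Assumption (not established by the issue): a mismatch between an encoding
client and a non-decoding server (or vice versa) explains the reported
"client secret did not match" for base64-alphabet secrets.
"""
import base64
import binascii
import hmac
import secrets
from urllib.parse import quote_plus, unquote_plus


def basic_header_rfc6749(client_id: str, client_secret: str) -> str:
    """RFC 6749 §2.3.1: form-urlencode id and secret, join with ':', base64."""
    cred = f"{quote_plus(client_id, safe='')}:{quote_plus(client_secret, safe='')}"
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")


def basic_header_naive(client_id: str, client_secret: str) -> str:
    """The shortcut many clients take: no form-urlencoding step at all."""
    cred = f"{client_id}:{client_secret}"
    return "Basic " + base64.b64encode(cred.encode("utf-8")).decode("ascii")


def parse_basic_header(header: str, form_decode: bool) -> tuple[str, str]:
    """Server side: split a Basic header into (client_id, secret).

    form_decode=True is the RFC-conformant server (reverses the form
    encoding, so '+' becomes a space and '%2B' becomes '+'); False is the
    shortcut server that uses the decoded bytes verbatim.
    """
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not Basic auth")
    try:
        raw = base64.b64decode(b64, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as e:
        raise ValueError("malformed Basic credentials") from e
    cid, sep, secret = raw.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    if form_decode:
        cid, secret = unquote_plus(cid), unquote_plus(secret)
    return cid, secret


def secret_survives(client_id: str, secret: str,
                    client_encodes: bool, server_decodes: bool) -> bool:
    """True if the server recovers exactly the configured secret."""
    build = basic_header_rfc6749 if client_encodes else basic_header_naive
    got_id, got_secret = parse_basic_header(build(client_id, secret), server_decodes)
    # Constant-time comparison, as a real verifier should do.
    return (hmac.compare_digest(got_id, client_id)
            and hmac.compare_digest(got_secret, secret))


def check_all_combinations(client_id: str, secret: str) -> dict[tuple[bool, bool], bool]:
    """Map (client_encodes, server_decodes) -> whether the secret is accepted."""
    return {(c, s): secret_survives(client_id, secret, c, s)
            for c in (True, False) for s in (True, False)}


def secret_is_encoding_agnostic(secret: str) -> bool:
    """True if form-encoding and form-decoding both leave the secret unchanged,
    i.e. it works no matter which side takes the shortcut. Hex qualifies;
    anything containing '+', '/', '=', '%' or spaces does not."""
    return quote_plus(secret, safe="") == secret and unquote_plus(secret) == secret


def make_interoperable_secret(nbytes: int = 32) -> str:
    """Equivalent of `openssl rand -hex 32`: only [0-9a-f], so agnostic."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    CLIENT_ID = "0000000000000000000SYNAPSE"  # from the issue
    # Constructed sample secrets: one base64-shaped, one hex-shaped.
    for label, s in (("base64-like", "QUJD+/=="), ("hex", "deadbeef0123")):
        print(label, secret_is_encoding_agnostic(s), check_all_combinations(CLIENT_ID, s))
    print("fresh hex secret:", make_interoperable_secret())
```

Running it shows the base64-shaped secret is accepted only when both sides agree (both encode/decode, or neither), while the hex secret is accepted in all four combinations. If you hit this between two real components, the practical check is to capture the `Authorization` header the client sends, base64-decode it, and compare it byte for byte with the configured secret; until both sides are confirmed RFC-conformant, a hex secret such as `openssl rand -hex 32` sidesteps the problem, which matches what the reporter observed.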

matrixbot commented 2 months ago

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: https://github.com/element-hq/matrix-authentication-service/issues/2780