base64 secrets don't seem to work as the client secret between MAS and homeserver

[pontaoski]

May 16 16:54:49 ilo-kulupu mas-cli[4227]: 2024-05-16T16:54:49.222047Z ERROR http.server.request{otel.kind="server" otel.name="POST /oauth2/introspect" network.protocol.name="http" network.protocol.version="1.1" http.request.method="POST" url.path="/oauth2/introspect" url.scheme="http" http.route="/oauth2/introspect" user_agent.original="Synapse/1.105.1"}:handlers.oauth2.introspection.post{client.id="0000000000000000000SYNAPSE"}:verify: mas_axum_utils::client_authorization: error=client secret did not match

2024-05-16 16:54:46,992 - synapse.http.client - 426 - INFO - GET-118 - Received response to POST https://mas.toki.club/oauth2/introspect: 401
2024-05-16 16:54:46,992 - synapse.api.auth.msc3861_delegated - 270 - ERROR - GET-118 - Failed to introspect token
Traceback (most recent call last):
  File "/usr/lib64/python3.12/site-packages/synapse/api/auth/msc3861_delegated.py", line 268, in get_user_by_access_token
    introspection_result = await self._introspect_token(token)
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.12/site-packages/synapse/api/auth/msc3861_delegated.py", line 204, in _introspect_token
    raise HttpResponseException(
synapse.api.errors.HttpResponseException: 401: Unauthorized
2024-05-16 16:54:46,992 - synapse.http.server - 130 - INFO - GET-118 - <XForwardedForRequest at 0x7fa4bc36af30 method='GET' uri='/_matrix/client/r0/sync?timeout=30000&since=s168251_2124209_53_414898_35093_25_253_319440_0_29&filter=1' clientproto='HTTP/1.1' site='7893'> SynapseError: 503 - Unable to introspect the access token

example secrets that don't work for me: (openssl rand base64)

• zk3kKn1QpZgZoKAllMoLXBdpySFflBPM5d4fnKAlgpfzR7c8G/1+Z2RHr7cPqU7+
• Cv+YUm7VLclQTrfcAFeXBb6/HKgYb3jLTmnYkwFk9q+qgDx6LwC0geMcMHY+zhCm
• myCBOIoCeArhQ/EtJDftyVa5q1ah7PjumSb7mwVLyoPbpBMitew2pAMfsoxPTxOp

example secrets that do work for me: (openssl rand hex)

• cb6b76fe4b1cbbc56e18b7486d09997847d6b56370178ea73deed3805700044d1391a36629ed0370002172620f3c2b3b
• e8c337ceaffd0d98a70ee61a31d987d7443174c1b12561232c817ffacfc1135fc70339d5a3c14ce96fb05fda3c4dd31e
• `f1abc758100688ea23198d1b0d5b9713a5c467cb5cacdcab4900065a35102a5c30e492c7e436e39f769b68e972f58a7f``

i edited the MAS file as so:

clients:
  - client_id: 0000000000000000000SYNAPSE
    client_auth_method: client_secret_basic
    client_secret: "1234"

and then mas-cli config sync.

i edited the synapse file as so:

experimental_features:
  msc3861:
    enabled: true
    issuer: https://mas.toki.club/
    client_id: "0000000000000000000SYNAPSE"
    client_auth_method: client_secret_basic
    client_secret: "1234"
    admin_token: "..."
    account_management_url: "https://ldap.toki.club"

and then restarted synapse.

[matrixbot]

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: https://github.com/element-hq/matrix-authentication-service/issues/2780