Closed matrixbot closed 4 years ago
This seems implemented by now:
How to use it?
Would also like to hear more about this and how we could leverage JWT with an external Identity Provider such as OpenID Connect. Is this possible with synapse as it currently exists?
I find the documentation around identity and logins quite lacking. It seems JWT, OAuth2 and token login are supported, but there are no guides on how to set things up.
2018-09-04 07:01:22,850 - synapse.http.server - 101 - ERROR - POST-12- Failed handle request via <function _async_render at 0x7fe44633da28>: <SynapseRequest at 0x7fe43fbe55a8 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.0' site=8008>: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1532, in unwindGenerator
    return _inlineCallbacks(None, gen, Deferred())
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1386, in _inlineCallbacks
    result = g.send(result)
  File "/usr/lib/python2.7/dist-packages/synapse/rest/client/v1/login.py", line 145, in on_POST
    result = yield self.do_jwt_login(login_submission)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1532, in unwindGenerator
    return _inlineCallbacks(None, gen, Deferred())
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1386, in _inlineCallbacks
    result = g.send(result)
  File "/usr/lib/python2.7/dist-packages/synapse/rest/client/v1/login.py", line 278, in do_jwt_login
    import jwt
exceptions.ImportError: No module named jwt
Are there any docs or a manual on how to use JWT for third-party authentication? I'd like to use Keycloak as an Identity Provider and use OpenID + JWT, but have no idea where to start.
@almereyda @markwooff @oliverjanik were you able to use JWT auth? I am trying to integrate with keycloak and have no idea where to start from.
to be clear, I don't think the JWT implementation in synapse is functional. I believe people have successfully integrated with keycloak using SAML.
Most likely you are right. I do see references to successful SAML integration, but not a single line about JWT. However, there is JWT code in synapse like this do_jwt_login function call. The situation in general is quite confusing
@nikriek can you, please, clarify a little, on how this JWT support commit can be used?
I'm going to close this since it is theoretically done already and is a pretty vague issue.
Note that these are non-standard (from a Matrix spec point of view) and you should use the org.matrix.login.jwt form if you're going to implement this.
CAS and SAML aren't really lightweight as sometimes needed. Therefore I'd like to propose another method for third-party authentication using JavaScript Web Tokens.
The client authenticates with an identity provider using its own flow. The IS provides a signed JWT that includes user information. Using the token we can log in at the homeserver in two different ways.
The first approach would break fewer things, I guess. What do you think?
(Imported from https://matrix.org/jira/browse/SYN-637)
(Reported by Niklas Riekenbrauck)
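The flow the issue proposes (client obtains a signed JWT, a JSON Web Token, from the identity provider and presents it to the homeserver) and the org.matrix.login.jwt login type named in the closing comment, as an added example. This is not Synapse's code and not its configuration: the shared HS256 secret, the issuer name, the server name, the claim names and the localpart mapping are all assumptions chosen for the illustration, and the JWT encoding is done with the standard library so it runs offline. The login body shape (type plus token) is what a client would POST to the /_matrix/client/r0/login endpoint seen in the traceback above.

```python
"""Added example (not Synapse code): a minimal org.matrix.login.jwt flow.

Three parties, all in one file so it runs offline:
  mint_token    - the identity provider issues a signed HS256 JWT
  login_request - the client wraps it in an org.matrix.login.jwt login body
  verify_login  - the homeserver checks it and derives the Matrix user ID
All secrets, names and claim conventions below are constructed assumptions.
"""
import base64
import hashlib
import hmac
import json
import re
import time

SECRET = b"constructed-shared-secret-do-not-use"   # assumption: HS256 key shared with the IdP
ISSUER = "https://idp.example.test"                 # assumption: expected 'iss' claim
SERVER_NAME = "example.test"                        # assumption: homeserver name for the user ID


class LoginError(Exception):
    """Raised when the homeserver rejects a login attempt."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(sub, secret=SECRET, issuer=ISSUER, ttl=300, now=None, alg="HS256"):
    """Identity provider side: issue a JWT whose 'sub' identifies the user.

    'alg' is a parameter only so the tests can produce an unsigned
    ('alg': 'none') token and show the verifier rejecting it.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": alg, "typ": "JWT"}
    claims = {"iss": issuer, "sub": sub, "iat": now, "exp": now + ttl}
    compact = json.dumps
    signing_input = (_b64url(compact(header, separators=(",", ":")).encode())
                     + "." + _b64url(compact(claims, separators=(",", ":")).encode()))
    sig = b"" if alg == "none" else hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def login_request(token):
    """Client side: body POSTed to /_matrix/client/r0/login."""
    return {"type": "org.matrix.login.jwt", "token": token}


def verify_login(body, secret=SECRET, issuer=ISSUER, server_name=SERVER_NAME, now=None):
    """Homeserver side: validate the token and map its subject to a Matrix ID."""
    if body.get("type") != "org.matrix.login.jwt":
        raise LoginError("unsupported login type")
    token = body.get("token")
    if not isinstance(token, str) or token.count(".") != 2:
        raise LoginError("malformed token")
    h64, c64, s64 = token.split(".")
    header = json.loads(_b64url_decode(h64))
    # Pin the algorithm server-side: the token must never choose it, or an
    # attacker can submit 'alg': 'none' and skip the signature check entirely.
    if header.get("alg") != "HS256":
        raise LoginError("unexpected alg %r" % header.get("alg"))
    expected = hmac.new(secret, (h64 + "." + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise LoginError("bad signature")
    claims = json.loads(_b64url_decode(c64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer:
        raise LoginError("wrong issuer")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise LoginError("token expired")
    sub = claims.get("sub")
    # Only accept subjects that are already a valid Matrix localpart (conservative
    # character set), rather than trusting the IdP to produce one.
    if not isinstance(sub, str) or not re.fullmatch(r"[a-z0-9._=/-]+", sub):
        raise LoginError("invalid subject")
    return "@%s:%s" % (sub, server_name)


def login_outcome(body, now=None, **kw):
    """Convenience wrapper: the user ID on success, 'rejected: <reason>' otherwise."""
    try:
        return verify_login(body, now=now, **kw)
    except LoginError as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    token = mint_token("alice")
    print(json.dumps(login_request(token)))
    print(login_outcome(login_request(token)))
```

The verifier deliberately pins the algorithm, checks iss and exp, and constrains the subject before building the user ID; a homeserver that decoded whatever the token's header asked for, or concatenated an unchecked sub into an ID, would be trusting the client rather than the identity provider.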