matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Use JWT for third-party authentication (SYN-637) #1504

Closed matrixbot closed 4 years ago

matrixbot commented 8 years ago

CAS and SAML aren't really lightweight as sometimes needed. Therefore I'd like to propose another method for third-party authentication using JavaScript Web Tokens.

The client authenticates with an identity provider using its own flow. The IS provides a signed JWT that includes user information. Using the token we can log in at the homeserver in two different ways.

  1. The homeserver decrypts the JWT using his private key. If the contained user_id exists in the database, the homeserver returns an access_token.
  2. The JWT replaces Matrix's own access_token flow. Therefore we would not query the DB for the existence of an access_token, but use the information in the JWT.

The first approach would break fewer things, I guess. What do you think?

(Imported from https://matrix.org/jira/browse/SYN-637)

(Reported by Niklas Riekenbrauck)

almereyda commented 7 years ago

This seems implemented by now:

How to use it?

markwooff commented 6 years ago

Would also like to hear more about this and how we could leverage JWT with an external Identity Provider such as OpenID Connect. Is this possible with synapse as it currently exists?

oliverjanik commented 6 years ago

I find the lack of documentation around identity and logins quite lacking. It seems JWT, oauth2, token is supported but there are no guides on how to set things up.

oliverjanik commented 6 years ago

2018-09-04 07:01:22,850 - synapse.http.server - 101 - ERROR - POST-12- Failed handle request via <function _async_render at 0x7fe44633da28>: <SynapseRequest at 0x7fe43fbe55a8 method='POST' uri='/_matrix/client/r0/login' clientproto='HTTP/1.0' site=8008>: Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1532, in unwindGenerator
    return _inlineCallbacks(None, gen, Deferred())
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1386, in _inlineCallbacks
    result = g.send(result)
  File "/usr/lib/python2.7/dist-packages/synapse/rest/client/v1/login.py", line 145, in on_POST
    result = yield self.do_jwt_login(login_submission)
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1532, in unwindGenerator
    return _inlineCallbacks(None, gen, Deferred())
--- <exception caught here> ---
  File "/usr/lib/python2.7/dist-packages/twisted/internet/defer.py", line 1386, in _inlineCallbacks
    result = g.send(result)
  File "/usr/lib/python2.7/dist-packages/synapse/rest/client/v1/login.py", line 278, in do_jwt_login
    import jwt
exceptions.ImportError: No module named jwt

sunsingerus commented 4 years ago

Are there any docs or manual on how to use JWT for 3-rd party authentication? I'd like to use Keycloak as an Identity Provider and use OpenID + JWT, but have no idea where to start.

sunsingerus commented 4 years ago

@almereyda @markwooff @oliverjanik were you able to use JWT auth? I am trying to integrate with keycloak and have no idea where to start from.

richvdh commented 4 years ago

to be clear, I don't think the JWT implementation in synapse is functional. I believe people have successfully integrated with keycloak using SAML.

sunsingerus commented 4 years ago

Most likely you are right. I do see references to successful SAML integration, but not a single line about JWT. However, there is JWT code in synapse like this do_jwt_login function call. The situation in general is quite confusing.

sunsingerus commented 4 years ago

@nikriek can you, please, clarify a little, on how this JWT support commit can be used?

clokep commented 4 years ago

671 implemented JWT logins, I'm adding a bunch of documentation in #7776, including:

I'm going to close this since it is theoretically done already and is a pretty vague issue.

Note that these are non-standard (from a Matrix spec point of view) and you should use the org.matrix.login.jwt form if you're going to implement this.