Closed benkuly closed 3 years ago
Did the user ever login in using a password (were they upgraded from a "normal" account to an SSO account?)
Some work towards this was done in #8858.
No, the users with SSO never logged in using a password.
😕 Hmm...the code in #8858 is supposed to exactly protect against that:
https://github.com/matrix-org/synapse/blob/v1.29.0/synapse/handlers/auth.py#L392-L399
It might be worth poking in the database and seeing if they somehow have a password hash? (Maybe they reset their password and set one? See #9456.)
With "users" I meant all users logging in via OpenID Connect (four users so far). I've reproduced this issue also with a new test account. No password reset. I will have a look into the database. Thank you for your help :)

> With "users" I meant all users logging in via OpenID Connect (four users so far).
Ah! My misunderstanding. Sorry about that.
Also when you say Element -- do you mean Element Web or one of the mobile apps? (Or all of the above 😄 )
One last question -- I note you say you're doing key backup. I think this is asking for your Security Key, not your account password?
Can you iterate how you're starting the key backup process?
No, it is asking for the account password. Same thing when I want to change the mail address with the test user. I just tested it with Element Android and there it seems to work. Therefore it could be an Element Web bug? The password-hash column in the database is empty for the SSO users.

> Therefore it could be an Element Web bug?
Are you using https://app.element.io or your own hosted Element? If the latter, is it up-to-date?
Just tested: same problem with https://app.element.io. Self-hosted Element is up to date.
benkuly: do you have any external password/login provider modules configured?
Just the default matrix-docker-ansible-deploy (therefore no provider, I think). Only an external Keycloak for SSO.
Can you share your config file maybe? Be sure to remove any secrets or other confidential settings.

Also, when you say:

> The Server responds with 401 and the following body:

can you confirm how you captured that body, and exactly what the request was?
Using firefox dev tools:
POST to /_matrix/client/unstable/keys/device_signing/upload with json body containing master_key, self_signing_key, user_signing_key.
The homeserver.yaml:

```yaml
account_threepid_delegates:
  email: http://matrix-ma1sd:8090
  msisdn: http://matrix-ma1sd:8090
account_validity: null
acme: null
alias_creation_rules:
- action: allow
  alias: '*'
  room_id: '*'
  user_id: '*'
allow_guest_access: false
allow_public_rooms_over_federation: true
allow_public_rooms_without_auth: true
app_service_config_files:
- /matrix-mautrix-telegram-registration.yaml
autocreate_auto_join_rooms: true
caches:
  global_factor: 0.5
  per_cache_factors: null
cas_config: null
database:
  args:
    cp_max: 10
    cp_min: 5
    database: synapse
    host: matrix-postgres
    password: <>
    user: synapse
  name: psycopg2
default_room_version: '6'
email:
  app_name: Matrix
  client_base_url: <>
  enable_notifs: true
  notif_for_new_users: true
  notif_from: Matrix
  require_transport_security: false
  smtp_host: matrix-mailer
  smtp_port: 8025
enable_group_creation: false
enable_metrics: true
enable_registration: false
enable_registration_captcha: false
enable_room_list_search: true
event_cache_size: 100K
federation_rr_transactions_per_room_per_second: 50
form_secret: <>
limit_remote_rooms: null
listeners:
- bind_addresses:
  - 0.0.0.0
  port: 9100
  type: metrics
- bind_addresses:
  - '::'
  port: 8008
  resources:
  - compress: false
    names:
    - client
  tls: false
  type: http
  x_forwarded: true
- bind_addresses:
  - '::'
  port: 8048
  resources:
  - compress: false
    names:
    - federation
  tls: false
  type: http
  x_forwarded: true
log_config: /data/<>.log.config
macaroon_secret_key: <>
max_spider_size: 10M
max_upload_size: 50M
media_store_path: /matrix-media-store-parent/media-store
metrics_flags: null
oidc_providers:
- client_id: synapse
  client_secret: <>
  idp_id: keycloak
  idp_name: <>
  issuer: https://<>/auth/realms/<>
  scopes:
  - openid
  - profile
old_signing_keys: null
opentracing: null
password_config:
  localdb_enabled: true
  pepper: ''
  policy: null
password_providers:
- config:
    sharedSecret: <>
  module: shared_secret_authenticator.SharedSecretAuthenticator
pid_file: /homeserver.pid
public_baseurl: <>
push:
  include_content: true
rc_admin_redaction:
  burst_count: 50
  per_second: 1
rc_federation:
  concurrent: 3
  reject_limit: 50
  sleep_delay: 500
  sleep_limit: 10
  window_size: 1000
rc_joins:
  local:
    burst_count: 3
    per_second: 0.1
  remote:
    burst_count: 3
    per_second: 0.01
rc_login:
  account:
    burst_count: 3
    per_second: 0.17
  address:
    burst_count: 3
    per_second: 0.17
  failed_attempts:
    burst_count: 3
    per_second: 0.17
rc_message:
  burst_count: 10
  per_second: 0.2
rc_registration:
  burst_count: 3
  per_second: 0.17
recaptcha_private_key: ''
recaptcha_public_key: ''
redaction_retention_period: 7d
redis:
  enabled: false
  host: null
  password: null
  port: 6379
registration_shared_secret: <>
report_stats: false
retention: null
room_list_publication_rules:
- action: allow
  alias: '*'
  room_id: '*'
  user_id: '*'
saml2_config:
  sp_config: null
  user_mapping_provider:
    config: null
server_name: <>
signing_key_path: /data/<>.signing.key
spam_checker: []
sso:
  client_whitelist:
  - <>
tls_certificate_path: null
tls_private_key_path: null
trusted_key_servers:
- server_name: matrix.org
turn_allow_guests: false
turn_shared_secret: <>
turn_uris:
- turns:<>?transport=udp
- turns:<>?transport=tcp
- turn:<>?transport=udp
- turn:<>?transport=tcp
ui_auth: null
url_preview_accept_language: null
url_preview_enabled: true
url_preview_ip_range_blacklist:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 100.64.0.0/10
- 192.0.0.0/24
- 169.254.0.0/16
- 192.88.99.0/24
- 198.18.0.0/15
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- ::1/128
- fe80::/10
- fc00::/7
- 2001:db8::/32
- ff00::/8
- fec0::/10
use_presence: true
user_directory: null
user_ips_max_age: 28d
```
Right, this is the problem:

```yaml
password_providers:
- config:
    sharedSecret: <>
  module: shared_secret_authenticator.SharedSecretAuthenticator
```
I don't really know what that is, but it's making synapse present the "password" option to the clients.
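To make the diagnosis above concrete, here is an added example (written for this thread, not Synapse's own code) that models how a homeserver chooses the user-interactive auth (UIA) stages it advertises in a 401 body such as the one captured from the `keys/device_signing/upload` request, and that inspects a captured 401 body to explain why `m.login.password` shows up for an SSO-only account. The decision rules are a simplified model of the logic discussed for `synapse/handlers/auth.py` in v1.29.0 (assumption); the config, user and 401 body are constructed inputs, and `HomeserverConfig`, `User`, `offered_ui_auth_types`, `flows_from_401` and `diagnose` are names introduced here:

```python
"""Model of UIA stage selection and a checker for captured 401 bodies.

Added illustration for this issue thread; not Synapse's own code. The rules
below are a simplified model (assumption) of the v1.29.0 behaviour discussed
above: password is offered when the local password DB has a hash for the
user, OR when any password provider module is loaded, because the server
cannot tell whether that module could verify this particular user.
"""
import json
from dataclasses import dataclass, field
from typing import List, Optional

PASSWORD = "m.login.password"
SSO = "m.login.sso"


@dataclass
class HomeserverConfig:
    localdb_enabled: bool = True            # password_config.localdb_enabled
    password_providers: List[str] = field(default_factory=list)  # module names
    sso_enabled: bool = False               # any oidc/saml2/cas provider configured


@dataclass
class User:
    user_id: str
    # users.password_hash in the Synapse DB; NULL/None for SSO-only accounts
    password_hash: Optional[str] = None
    # SSO identities mapped to this mxid (empty for local-only accounts)
    external_ids: List[str] = field(default_factory=list)


def offered_ui_auth_types(cfg: HomeserverConfig, user: User) -> List[str]:
    """Return the sorted UIA stage types the modelled server would offer."""
    types = set()
    if cfg.localdb_enabled and user.password_hash is not None:
        types.add(PASSWORD)
    # A loaded password provider adds the password stage for EVERY user,
    # regardless of whether that user has a local password hash.
    if cfg.password_providers:
        types.add(PASSWORD)
    if cfg.sso_enabled and user.external_ids:
        types.add(SSO)
    return sorted(types)


def ui_auth_401_body(session: str, types: List[str]) -> str:
    """Build a constructed 401 UIA body, one single-stage flow per type."""
    body = {"session": session, "flows": [{"stages": [t]} for t in types],
            "params": {}}
    return json.dumps(body)


def flows_from_401(body_text: str) -> List[str]:
    """Parse a captured 401 body (e.g. from browser dev tools) into stage types."""
    body = json.loads(body_text)
    stages = {s for flow in body.get("flows", []) for s in flow.get("stages", [])}
    return sorted(stages)


def diagnose(body_text: str, cfg: HomeserverConfig, user: User) -> str:
    """Explain a password prompt for a user who has no local password hash."""
    stages = flows_from_401(body_text)
    if PASSWORD in stages and user.password_hash is None:
        if cfg.password_providers:
            return (f"password stage offered to SSO-only {user.user_id}: "
                    f"caused by password_providers {cfg.password_providers}")
        return (f"password stage offered to SSO-only {user.user_id}: "
                "unexpected, check users.password_hash and localdb_enabled")
    return "ok"


if __name__ == "__main__":
    # Constructed scenario mirroring the thread: OIDC user, shared-secret
    # provider loaded for the bridge.
    cfg = HomeserverConfig(
        password_providers=["shared_secret_authenticator.SharedSecretAuthenticator"],
        sso_enabled=True)
    alice = User("@alice:example.test", external_ids=["oidc-keycloak|alice"])
    captured = ui_auth_401_body("constructed-session", offered_ui_auth_types(cfg, alice))
    print(diagnose(captured, cfg, alice))
    fixed = HomeserverConfig(sso_enabled=True)   # provider removed
    print(offered_ui_auth_types(fixed, alice))
```

Running it prints the diagnosis for the broken configuration and `['m.login.sso']` once the provider is removed. For a real deployment the equivalent check is: confirm `password_hash` is NULL for the affected mxid in the `users` table, then look for any `password_providers` entry in homeserver.yaml, since that entry alone is enough to make the password stage appear.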
Oh right, I overlooked that password_provider, sorry. It's needed by the Telegram bridge: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-telegram.md#method-1-automatically-by-enabling-shared-secret-auth I will try to disable it.
It works now, thank you very much!
What did you do to solve this? How did you still use the bridge while removing shared secret login and using SSO? Thank you in advance. Been trying to wrap my brain around this all night.
Did you just disable shared secret?
As described in the last link I sent, there are multiple options for the bridge, so disabling shared secret does not make the bridge unusable.

So there is no way to still have double puppeting with method 1 so it happens automatically?
I honestly don't know
Hi,

we have installed 1.79.0+buster1 and are using LDAP for AD (local accounts) and also Azure as SSO provider:

```yaml
...
password_providers:
- module: "ldap_auth_provider.LdapAuthProvider"
  config:
    enabled: true
...
oidc_providers:
- idp_id: microsoft
  idp_name: Microsoft
  ....
```

and have the same issue: while generating recovery keys via Element (1.11.31), it asks for the account password. While recovery keys work for LDAP users, all Azure users have this issue.

Any suggestions?
Description
We configured Synapse to use both password and OpenID Connect authentication. It works well until the user needs to confirm their identity. Then Element asks for a password.
Steps to reproduce
The Server responds with 401 and the following body:
I think that could be the reason why Element asks for a password instead of SSO login.
Version information
If not matrix.org:
Version: 1.29.0
Install method: matrix-docker-ansible-deploy
Platform: Ubuntu 20.04 VM