matrix-org / synapse

Synapse: Matrix homeserver written in Python/Twisted.
https://matrix-org.github.io/synapse
Apache License 2.0

Synapse asks for password even if user is logged in via sso #9605

Closed benkuly closed 3 years ago

benkuly commented 3 years ago

Description

We configured Synapse to use both password and OpenID Connect authentication. It works well until the user needs to confirm their identity. Then Element asks for a password.

Steps to reproduce

The Server responds with 401 and the following body:

{
    "session": "<session>",
    "flows": [
        {
            "stages": [
                "m.login.password"
            ]
        },
        {
            "stages": [
                "m.login.sso"
            ]
        }
    ],
    "params": {}
}

I think that could be the reason why Element asks for a password instead of SSO login.


clokep commented 3 years ago

Did the user ever log in using a password (were they upgraded from a "normal" account to an SSO account)?

Some work towards this was done in #8858.

benkuly commented 3 years ago

No, the SSO users never logged in using a password.

clokep commented 3 years ago

😕 Hmm...the code in #8858 is supposed to exactly protect against that:

https://github.com/matrix-org/synapse/blob/v1.29.0/synapse/handlers/auth.py#L392-L399

It might be worth poking in the database and seeing if they somehow have a password hash? (Maybe they reset their password and set one? See #9456.)

benkuly commented 3 years ago

With "users" I meant all users logging in via OpenID Connect (four users so far). I've reproduced this issue also with a new test account. No password reset. I will have a look into the database. Thank you for your help :)

clokep commented 3 years ago

With "users" I meant all users, logging in via OpenId Connect (four users so far).

Ah! My misunderstanding. Sorry about that.

Also when you say Element -- do you mean Element Web or one of the mobile apps? (Or all of the above 😄 )

clokep commented 3 years ago

One last question -- I note you say you're doing key backup. I think this is asking for your Security Key, not your account password?

Can you iterate how you're starting the key backup process?

benkuly commented 3 years ago

No, it is asking for the account password. Same thing when I want to change the email address with the test user. I just tested it with Element Android and there it seems to work. Therefore it could be an Element Web bug? The password-hash column in the database is empty for the SSO users.

clokep commented 3 years ago

Therefore it could be an Element Web bug?

Are you using https://app.element.io or your own hosted Element? If the latter, is it up-to-date?

benkuly commented 3 years ago

Just tested: same problem with https://app.element.io. Self-hosted Element is up to date.


richvdh commented 3 years ago

benkuly: do you have any external password/login provider modules configured?

benkuly commented 3 years ago

Just the default matrix-docker-ansible-deploy (therefore no provider I think). Only an external keycloak for sso.

richvdh commented 3 years ago

Can you share your config file maybe? Be sure to remove any secrets or other confidential settings.

richvdh commented 3 years ago

Also, when you say:

The Server responds with 401 and the following body:

Can you confirm how you captured that body, and exactly what the request was?

benkuly commented 3 years ago

Using firefox dev tools:

POST to /_matrix/client/unstable/keys/device_signing/upload with json body containing master_key, self_signing_key, user_signing_key.

benkuly commented 3 years ago

The homeserver.yaml

account_threepid_delegates:
    email: http://matrix-ma1sd:8090
    msisdn: http://matrix-ma1sd:8090
account_validity: null
acme: null
alias_creation_rules:
-   action: allow
    alias: '*'
    room_id: '*'
    user_id: '*'
allow_guest_access: false
allow_public_rooms_over_federation: true
allow_public_rooms_without_auth: true
app_service_config_files:
- /matrix-mautrix-telegram-registration.yaml
autocreate_auto_join_rooms: true
caches:
    global_factor: 0.5
    per_cache_factors: null
cas_config: null
database:
    args:
        cp_max: 10
        cp_min: 5
        database: synapse
        host: matrix-postgres
        password: <>
        user: synapse
    name: psycopg2
default_room_version: '6'
email:
    app_name: Matrix
    client_base_url: <>
    enable_notifs: true
    notif_for_new_users: true
    notif_from: Matrix
    require_transport_security: false
    smtp_host: matrix-mailer
    smtp_port: 8025
enable_group_creation: false
enable_metrics: true
enable_registration: false
enable_registration_captcha: false
enable_room_list_search: true
event_cache_size: 100K
federation_rr_transactions_per_room_per_second: 50
form_secret: <>
limit_remote_rooms: null
listeners:
-   bind_addresses:
    - 0.0.0.0
    port: 9100
    type: metrics
-   bind_addresses:
    - '::'
    port: 8008
    resources:
    -   compress: false
        names:
        - client
    tls: false
    type: http
    x_forwarded: true
-   bind_addresses:
    - '::'
    port: 8048
    resources:
    -   compress: false
        names:
        - federation
    tls: false
    type: http
    x_forwarded: true
log_config: /data/<>.log.config
macaroon_secret_key: <>
max_spider_size: 10M
max_upload_size: 50M
media_store_path: /matrix-media-store-parent/media-store
metrics_flags: null
oidc_providers:
-   client_id: synapse
    client_secret: <>
    idp_id: keycloak
    idp_name: <>
    issuer: https://<>/auth/realms/<>
    scopes:
    - openid
    - profile
old_signing_keys: null
opentracing: null
password_config:
    localdb_enabled: true
    pepper: ''
    policy: null
password_providers:
-   config:
        sharedSecret: <>
    module: shared_secret_authenticator.SharedSecretAuthenticator
pid_file: /homeserver.pid
public_baseurl: <>
push:
    include_content: true
rc_admin_redaction:
    burst_count: 50
    per_second: 1
rc_federation:
    concurrent: 3
    reject_limit: 50
    sleep_delay: 500
    sleep_limit: 10
    window_size: 1000
rc_joins:
    local:
        burst_count: 3
        per_second: 0.1
    remote:
        burst_count: 3
        per_second: 0.01
rc_login:
    account:
        burst_count: 3
        per_second: 0.17
    address:
        burst_count: 3
        per_second: 0.17
    failed_attempts:
        burst_count: 3
        per_second: 0.17
rc_message:
    burst_count: 10
    per_second: 0.2
rc_registration:
    burst_count: 3
    per_second: 0.17
recaptcha_private_key: ''
recaptcha_public_key: ''
redaction_retention_period: 7d
redis:
    enabled: false
    host: null
    password: null
    port: 6379
registration_shared_secret: <>
report_stats: false
retention: null
room_list_publication_rules:
-   action: allow
    alias: '*'
    room_id: '*'
    user_id: '*'
saml2_config:
    sp_config: null
    user_mapping_provider:
        config: null
server_name: <>
signing_key_path: /data/<>.signing.key
spam_checker: []
sso:
    client_whitelist:
    - <>
tls_certificate_path: null
tls_private_key_path: null
trusted_key_servers:
-   server_name: matrix.org
turn_allow_guests: false
turn_shared_secret: <>
turn_uris:
- turns:<>?transport=udp
- turns:<>?transport=tcp
- turn:<>?transport=udp
- turn:<>?transport=tcp
ui_auth: null
url_preview_accept_language: null
url_preview_enabled: true
url_preview_ip_range_blacklist:
- 127.0.0.0/8
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
- 100.64.0.0/10
- 192.0.0.0/24
- 169.254.0.0/16
- 192.88.99.0/24
- 198.18.0.0/15
- 192.0.2.0/24
- 198.51.100.0/24
- 203.0.113.0/24
- 224.0.0.0/4
- ::1/128
- fe80::/10
- fc00::/7
- 2001:db8::/32
- ff00::/8
- fec0::/10
use_presence: true
user_directory: null
user_ips_max_age: 28d

richvdh commented 3 years ago

Right, this is the problem:

password_providers:
-   config:
        sharedSecret: <>
    module: shared_secret_authenticator.SharedSecretAuthenticator

I don't really know what that is, but it's making synapse present the "password" option to the clients.
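
The rules this thread pins down (a configured password provider advertises m.login.password to everyone, while local password auth only applies to users who actually have a password hash, and SSO users have none) can be modelled as a small simulation of which user-interactive-auth flows the server will put in its 401 body. This is an added example, not Synapse's own code; the function names and the simplified rules are my assumptions based on the thread, and it also covers linuxmail's later LDAP-provider case, since any password provider triggers the same result.

```python
from typing import Dict, List, Optional, Set

PASSWORD = "m.login.password"
SSO = "m.login.sso"


def available_ui_auth_types(
    localdb_enabled: bool,
    password_provider_modules: List[str],
    password_hash: Optional[str],
    has_sso_mapping: bool,
) -> Set[str]:
    """Simplified model (assumption) of the UIA stages a homeserver offers."""
    types: Set[str] = set()
    # Local password auth only counts for users who actually have a hash
    # (the protection the thread attributes to #8858).
    if localdb_enabled and password_hash:
        types.add(PASSWORD)
    # Any configured password provider advertises the password stage for
    # every user, regardless of their hash: the root cause on this page.
    if password_provider_modules:
        types.add(PASSWORD)
    # SSO is offered when the user has an SSO-to-mxid mapping.
    if has_sso_mapping:
        types.add(SSO)
    return types


def build_uia_401_body(types: Set[str], session: str) -> Dict:
    """Build the 401 body shape shown in the report: one single-stage flow per type."""
    order = [PASSWORD, SSO]
    flows = [{"stages": [t]} for t in order if t in types]
    return {"session": session, "flows": flows, "params": {}}


def sso_user_is_offered_password(config_has_provider: bool) -> bool:
    """The reporter's case: OIDC user, no password hash, localdb enabled."""
    providers = (
        ["shared_secret_authenticator.SharedSecretAuthenticator"]
        if config_has_provider
        else []
    )
    types = available_ui_auth_types(True, providers, None, True)
    return PASSWORD in types


if __name__ == "__main__":
    for with_provider in (True, False):
        t = available_ui_auth_types(True, ["x"] if with_provider else [], None, True)
        print("provider configured:", with_provider, "->", build_uia_401_body(t, "<session>"))
```

With the provider configured the body matches the capture in the report (password flow plus SSO flow); removing the provider leaves only the SSO flow, which is the fix the reporter applied.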

benkuly commented 3 years ago

Oh right, I overlooked that password_provider, sorry. It's needed by the Telegram bridge: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-bridge-mautrix-telegram.md#method-1-automatically-by-enabling-shared-secret-auth I will try to disable it.

benkuly commented 3 years ago

It works now, thank you very much!

shreyasajj commented 2 years ago

What did you do to solve this? How did you still use the bridge while removing shared secret login and using SSO? Thank you in advance. Been trying to wrap my brain around this all night.

shreyasajj commented 2 years ago

Did you just disable shared secret?

benkuly commented 2 years ago

As described in the last link I sent, there are multiple options for the bridge, so disabling shared secret does not make the bridge unusable.

shreyasajj commented 2 years ago

So there is no way to still have double puppeting with method 1 so it happens automatically?

benkuly commented 2 years ago

I honestly don't know.

linuxmail commented 1 year ago

hi,

We have Installed: 1.79.0+buster1 and are using LDAP for AD (local accounts) and also Azure as SSO provider:

...
password_providers:
 - module: "ldap_auth_provider.LdapAuthProvider"
   config:
     enabled: true
...
oidc_providers:
  - idp_id: microsoft
    idp_name: Microsoft
....

and have the same issue: while generating recovery keys via Element (1.11.31), it will ask for the account password. While recovery keys work for LDAP users, all Azure users have this issue.

Any suggestions?