OpenID URI configuration issue (for Synapse's MAS)
-
Guess that would be of use to Cloudron as well - I'm configuring MAS now (as a follow-up from https://forum.cloudron.io/topic/13140/we-need-the-matrix-authentication-service-mas/9) and I'm facing the following error:
redirect_uri did not match any of the client's registered redirect_uris
I've registered the client cid-ge9eaf52aaff129a8df85b168330e582 with callback URL: https://auth.mydomain.com/upstream/callback/
Decoded URL of the page where I see the error is:
https://my.mydomain.com/openid/auth?response_type=code&client_id=cid-ge9eaf52aaff129a8df85b168330e582&redirect_uri=https://auth.mydomain.com/upstream/callback/02JRTE26ER59ZCVR8P81GHD2V5&scope=email+openid+profile&state=IvtPGE8sYTtD0u1a&nonce=8u6Ijs0z7dDwGriu&code_challenge_method=S256&code_challenge=hnG2HcdLQBrJO3DYUCg3OcapcvYxElAu5AO_28MLpg5
So, redirect_uri == https://auth.mydomain.com/upstream/callback/02JRTE26ER59ZCVR8P81GHD2V5... which looks to be in line with https://auth.mydomain.com/upstream/callback/ that I've registered (and so does the client id). Unless Cloudron expects to see exactly the same URL? If so, is there any quick way to resolve that?
I'm ready to patch some files directly if required, if that would be added in the coming release.
-
Element's MAS requirements are as follows:
create an OAuth 2.0/OIDC client on the provider's side, using the following parameters:
- redirect_uri: https://<auth-service-domain>/upstream/callback/<id>
- response_type: code
- response_mode: query
- grant_type: authorization_code
-
That looks to be an error produced by the oidc-provider module in use by Cloudron (InvalidRedirectUri exception); it looks like it is raised by /home/yellowtent/box/src/oidc.js. The oidc-provider module provides information on how to use a wildcard redirect_uri, warning that it shall not be used in production: https://github.com/panva/node-oidc-provider/blob/main/recipes/redirect_uri_wildcards.md
It looks to me like the oidc.js logic has to be altered in a way to allow a wildcard at the end of the redirect_uri, as otherwise Synapse's MAS won't work. Unless I'm missing something.
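Added example of how an OAuth 2.0/OIDC provider validates redirect_uri (this is not Cloudron's oidc.js and not node-oidc-provider code): RFC 6749 section 3.1.2.2 and the OAuth 2.0 Security BCP require a plain string comparison against the registered URIs, which is why the base callback URL registered above does not match the URL MAS sends with its id segment. The client id and URLs are the ones from the thread; the registration object and the helper names are constructed for the example.

```javascript
// Added example: exact-match redirect_uri validation as an OAuth 2.0 / OIDC
// provider performs it. Not Cloudron's oidc.js and not node-oidc-provider code.

// Constructed registration mirroring what the post registered: the base
// callback URL without MAS's per-provider id segment.
const registeredClients = {
  "cid-ge9eaf52aaff129a8df85b168330e582": {
    redirect_uris: ["https://auth.mydomain.com/upstream/callback/"],
  },
};

// The decoded authorization request from the thread (state/nonce omitted).
const masRequest =
  "https://my.mydomain.com/openid/auth?response_type=code" +
  "&client_id=cid-ge9eaf52aaff129a8df85b168330e582" +
  "&redirect_uri=https://auth.mydomain.com/upstream/callback/02JRTE26ER59ZCVR8P81GHD2V5" +
  "&scope=email+openid+profile";

// Pull the parameters the provider checks out of the authorize URL.
function parseAuthorizeRequest(requestUrl) {
  const params = new URL(requestUrl).searchParams;
  return {
    client_id: params.get("client_id"),
    redirect_uri: params.get("redirect_uri"),
    response_type: params.get("response_type"),
  };
}

// Exact match: no prefix, no wildcard, no normalisation (per RFC 6749 / BCP).
function redirectUriAllowed(client, redirectUri) {
  return client.redirect_uris.some((uri) => uri === redirectUri);
}

// Returns "ok" or the error the provider would report for the request.
function checkAuthorizeRequest(clients, requestUrl) {
  const req = parseAuthorizeRequest(requestUrl);
  const client = clients[req.client_id];
  if (!client) return "invalid_client";
  if (!redirectUriAllowed(client, req.redirect_uri)) return "invalid_redirect_uri";
  if (req.response_type !== "code") return "unsupported_response_type";
  return "ok";
}

// Same client, re-registered with the full URL MAS actually sends (id included).
function withExactCallbackRegistered(clients, clientId, exactUri) {
  const fixed = JSON.parse(JSON.stringify(clients));
  fixed[clientId].redirect_uris = [exactUri];
  return fixed;
}
```

With the base URL registered, the request from the thread is rejected with invalid_redirect_uri; registering the full callback URL including the id segment makes the same request pass the exact-match check without any wildcard support on the provider side.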
-
Not an expert on this, I suspect one has to try it out to know what the issue is. But https://git.cloudron.io/packages/synapse-app/-/blob/master/start.sh?ref_type=heads#L73 is how we configure OIDC in the existing synapse and that of course works.
-
@joseph I believe it's a question of support still, as I'm trying to figure out how to configure Cloudron's OpenID to work with an external app, which Cloudron is about to repackage on its own.
The link you've provided is related to configuring the Synapse server, while the issue is with Cloudron's OpenID and the way it handles redirect_uri.
Please let me know if I shall not expect any reasonable and prompt support on that; if that is the case, I will have to replace the Cloudron functionality as a platform, and for that I will need quite some time.
I would be happy to work with someone from the team however, to keep Cloudron in my perimeter and share everything I will work on, so that you would be able to merge Synapse MAS and Element Call into the platform easily.
-
From the Cloudron manifest file I can see that you use the callback as a static rule:
"loginRedirectUri": "/_synapse/client/oidc/callback"
Which is pretty much in line with what I wrote earlier -> the Cloudron OpenID component needs improvements in order for Synapse's MAS to work.
-
Negative. Please disregard what has been said earlier: OpenID from Cloudron could be used as is.
Happy to share my findings on setting up the service with @vladimir.d or whoever will be doing this configuration for everyone on Cloudron.