Cloudron Forum

Matrix Authentication Service

  • #1 james (Staff) wrote:

    Hello @matrix users

    I have looked into the Matrix Authentication Service which is needed for the QR-Code device linking and more.
    Also related to these two forum topics: https://forum.cloudron.io/post/97697 and https://forum.cloudron.io/post/105680 and https://forum.cloudron.io/post/100138


    Matrix Authentication Service for Cloudron

    This will get complicated!

    ⚠️ WARNING ⚠️

    You need Cloudron version 9.1 to follow this guide.

    If you are not comfortable with installing custom apps and tinkering with configurations, this is nothing for you.

    ❌ DANGER ❌

    Do not follow this guide with your production matrix synapse server!

    This could lead to a full failure of your synapse server where users will be unable to login.

    You should install an extra Element and Synapse app to follow this guide.

    Please note that the Matrix Authentication Service will become part of Synapse itself at some point =>

    Also from https://areweoidcyet.com/

    At this stage, it is still a separate service, requiring a one-way migration from a classic Synapse deployment. It is designed to be lightweight enough (using Rust) that it will be embedded in Synapse at some point.

    So all this work will become obsolete at some point.

    Install the Matrix Authentication Service app

    Community App

    Use the CloudronVersions.json file to install this Community App:

    https://git.cloudron.io/playground/matrix-authentication-service/-/raw/master/CloudronVersions.json
    

    Cloudron cli

    1. Clone this repository
    git clone https://git.cloudron.io/playground/matrix-authentication-service.git
    cd matrix-authentication-service

    2. Login to your Cloudron server
    cloudron login my.cloudron.dev

    3. Install this app to a location
    cloudron install --location mas


    Configuration of MAS and Synapse

    The Matrix Authentication Service for Cloudron will set up the /app/data/config.yaml on the first run and will not edit it while the /app/data/.initialized file exists.

    The initial generated config is created to ensure that the baseline configuration is correct.

    It also configures the upstream_oauth2 provider for Cloudron so your Cloudron users can use the MAS app.

    Adding other upstream_oauth2 providers is semi-supported.
    Each upstream_oauth2 provider needs a unique ULID, which needs to be configured in the CloudronManifest.json (oidc addon section, loginRedirectUri).

    Regenerating the entire config file will lose secrets and encryption keys.
    This will cause all existing users to be inaccessible!

    Before tinkering with the /app/data/config.yaml create an app backup to ensure that if you make a mistake and cause damage you can revert to the backup.

    Synapse Homeserver

    Needed yaml configuration for the Synapse Homeserver /app/data/configs/homeserver.yaml:

    Example entries:

    # The matrix home server needs to delegate authentication to the MAS
    matrix_authentication_service:
      enabled: true
      endpoint: https://mas.cloudron.dev
      secret: "YDudMp7Kq3htKx7Z1lrqExATpQbuhzXZ"
      # Alternatively, using a file:
      # secret_file: /path/to/secret.txt
    # Config must disable password config in order to delegate everything to mas
    password_config:
      enabled: false
    # same with registration
    enable_registration: false
    # to enable the QR-Code device linking
    experimental_features:
      msc4108_enabled: true
    

    Obtain the secret for the Synapse home server from your MAS app, either with the Cloudron cli or with the File Manager from /app/data/config.yaml:

    cloudron exec --app mas -- yq -r '.matrix.secret' /app/data/config.yaml
    YDudMp7Kq3htKx7Z1lrqExATpQbuhzXZ
    

    For the Cloudron Matrix Synapse app, edit the /app/data/configs/homeserver.yaml manually with the File Manager or use this yq command:

    # Edit these two variables to match your domain and secret from the MAS app
    export MAS_ENDPOINT="https://mas.cloudron.dev"
    export MAS_SECRET="YDudMp7Kq3htKx7Z1lrqExATpQbuhzXZ"
    yq -i '
      .matrix_authentication_service.enabled = true |
      .matrix_authentication_service.endpoint = strenv(MAS_ENDPOINT) |
      .matrix_authentication_service.secret = strenv(MAS_SECRET) |
      .password_config.enabled = false |
      .enable_registration = false |
      .experimental_features.msc4108_enabled = true
    ' /app/data/configs/homeserver.yaml
    

    Restart the app to load the changed configuration.

    MAS

    Configure the /app/data/config.yaml with either the Cloudron cli or use the File Manager.

    The full configuration reference can be found here: https://element-hq.github.io/matrix-authentication-service/reference/configuration.html

    The yaml object should look like this in the /app/data/config.yaml:

    matrix:
      kind: synapse
      homeserver: matrix.cloudron.dev
      secret: YDudMp7Kq3htKx7Z1lrqExATpQbuhzXZ
      endpoint: https://matrix.cloudron.dev/
    
    cloudron exec --tty --app mas
    export MATRIX_HOMESERVER_DOMAIN="matrix.cloudron.dev"
    export MAS_MATRIX_SECRET="YDudMp7Kq3htKx7Z1lrqExATpQbuhzXZ"
    yq -i '
      .matrix.kind = "synapse" |
      .matrix.homeserver = strenv(MATRIX_HOMESERVER_DOMAIN) |
      .matrix.secret = strenv(MAS_MATRIX_SECRET) |
      .matrix.endpoint = "https://" + strenv(MATRIX_HOMESERVER_DOMAIN) + "/"
    ' /app/data/config.yaml
    

    Restart the app to load the changed configuration.

    Conclusion

    Now the Matrix Home Server will use the MAS app for authentication.

    This also enables Element to use the Link new device with the QR-Code feature and enables the Element X mobile app to fully work.

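A pre-flight check for the two files the post above has you edit, added here as an example (not code from the post or the Cloudron app): it verifies that homeserver.yaml and the MAS config.yaml agree before you restart Synapse, since the post warns that a mistake leaves users unable to log in. It parses only the nested-mapping YAML subset shown in the post, so it needs no PyYAML; the domains and the secret in the samples are constructed placeholders.

```python
"""Consistency check for a Synapse <-> MAS delegation (added example, not
from the post or the Cloudron app). Parses only the nested-mapping YAML
subset the post uses, so it needs no PyYAML; samples are constructed."""
import re

def parse_flat_yaml(text):
    """Flatten nested mappings into dotted keys; comments and quotes stripped."""
    flat, path = {}, []            # path: (indent, key) of the open mappings
    for raw in text.splitlines():
        line = re.sub(r'(^|\s)#.*$', '', raw).rstrip()
        if not line.strip(): continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(':')
        while path and path[-1][0] >= indent:   # close sibling/deeper keys
            path.pop()
        path.append((indent, key))
        if value.strip():                        # scalar leaf
            flat['.'.join(k for _, k in path)] = value.strip().strip('"\'')
    return flat
# What the post requires on the Synapse side once auth is delegated to MAS
SYNAPSE_RULES = {'matrix_authentication_service.enabled': 'true',
                 'password_config.enabled': 'false', 'enable_registration': 'false',
                 'experimental_features.msc4108_enabled': 'true'}  # QR linking
def check_delegation(homeserver_yaml, mas_yaml):
    """Return a list of problems; an empty list means both files agree."""
    hs, mas = parse_flat_yaml(homeserver_yaml), parse_flat_yaml(mas_yaml)
    problems = [f'synapse: {k} should be {v}'
                for k, v in SYNAPSE_RULES.items() if hs.get(k) != v]
    secret = hs.get('matrix_authentication_service.secret', '')
    if not secret or secret != mas.get('matrix.secret'):
        problems.append('shared secret differs between homeserver.yaml and config.yaml')
    if mas.get('matrix.kind') != 'synapse':
        problems.append('mas: matrix.kind should be synapse')
    return problems
# Constructed samples mirroring the post's snippets (placeholder domains/secret)
HOMESERVER_OK = """matrix_authentication_service:
  enabled: true
  endpoint: https://mas.example.test
  secret: "PLACEHOLDER_SHARED_SECRET"  # must equal matrix.secret in MAS
password_config:
  enabled: false
enable_registration: false
experimental_features:
  msc4108_enabled: true
"""
MAS_OK = """matrix:
  kind: synapse
  homeserver: matrix.example.test
  secret: PLACEHOLDER_SHARED_SECRET
  endpoint: https://matrix.example.test/
"""
```

Run it against the real files (for example via `cloudron exec` and the File Manager export) after editing both configs and before the restart; any non-empty result is a mismatch to fix first.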
  • #2 jdaviescoates wrote:

      Many thanks for doing this. Think it's a bit too involved for me though so I'll probably just wait until it's part of Synapse itself.

      I use Cloudron with Gandi & Hetzner
