OIDC migration
-
seems like many scripts automations, bots & official sdk no longer works with OIDC - I have to use token for that but I can no longer get token automatically; or I didn't find yet
here is a specific isolated use case that is braking now:
curl -XPOST -d '{"type": "m.login.password", "identifier": {"user": "monitoring.bot", "type": "m.id.user"}, "password": "<reducted>"}' "https://server.com/_matrix/client/r0/login" -
@potemkin_ai good point, let me research this a bit and get back.
-
Thank you
-
H humptydumpty referenced this topic on
-
Thanks. The whole Matrix/Element is now in rebuild now, so I don't believe that would be handled soon...
-
So, I have no idea why it's so hard to find out how to use matrix API. It's not obvious or clear to me. There's many documents in various states ...
Anyway, matrix supports multiple auth providers. So you have to enable the normal username/password login provider. There are some issues upstream like https://github.com/matrix-org/synapse/issues/11886 which maybe helps you figure auth with OIDC itself.
- First, you can enable the older username/password login like this in
config/homeserver.yaml(synapse app):
enable_registration: true password_config: enabled: true localdb_enabled: true pepper: "axcs6cnnY2SG"-
Then, I registered a new user with a password in the element app.
-
Then, I disabled registration by setting
enable_registration: falsein homeserver.yaml. -
I can login as the bot user I registered
$ curl -X POST 'https://matrix.domain.com/_matrix/client/r0/login' -d '{"type":"m.login.password", "user": "bot", "password": "bwu2KZzzdA0V"}' {"user_id":"@bot:domain.com","access_token":"syt_Ym90_iNnBLgIZkTrSyodNDfTJ_3Hwiy3","home_server":"domain.com","device_id":"FFIVMYIGDP","well_known":{"m.homeserver":{"base_url":"https://matrix.domain.com/"}}} - First, you can enable the older username/password login like this in
-
Ideal case for me would be to leave LDAP as is or at least to offer some compatibility mode. I have centralized user directory in Cloudron and quite happy to keep things as is.
Messing with Synapse config might not be a good idea - I did once, ended up with losing the whole instance basically.
I'm aware that many apps require OIDC, it's a better approach, more secure, etc. But, it feels like it's breaking some very specific use case that is working right now.
-
I found out that my matrix instances has been already migrated to SSO, so I had to look for a more straight-forward approach and it seems to be the following:
pip install matrix-commander matrix-commander --login sso cat credentials.jsonWill give token without a need to use a client, especially in a cases where client is not a preferred options - like for bots.
-
As a side note: Cloudron's SSO completely ignores whitelabeling settings.
