We need the Matrix Authentication Service (MAS)
-
@jdaviescoates
@nebulon also attended the matrix talk in FOSDEM and they mentioned MAS is the way forward. It's in our internal task list, let's see when @vladimir.d can get to it.@girish said in We need the Matrix Authentication Service (MAS):
It's in our internal task list, let's see when @vladimir.d can get to it.
Great! Looking forward to it!
-
@vladimir.d , @girish , is there any possible estimate on that? Would you be open to accept any help on that?
-
https://git.cloudron.io/packages/synapse-app is the package and MRs are welcome . (don't have an ETA myself)
@joseph thank you.
I'm quite limited in time to make the transition, guess I will eject the Synapse service to run it separately then: from what I've read, a separate service required to do the MAS and as the works hasn't been started yet, I guess it will take quite some time to make it to the production on Cloudron (understandable to keep things stable).
-
@joseph thank you.
I'm quite limited in time to make the transition, guess I will eject the Synapse service to run it separately then: from what I've read, a separate service required to do the MAS and as the works hasn't been started yet, I guess it will take quite some time to make it to the production on Cloudron (understandable to keep things stable).
@potemkin_ai yeah, we will implement this soon enough. we use matrix for company chat ourselves. matrix.org also switched to mas per https://matrix.org/blog/2025/04/matrix-auth-service/ . matter of time @vladimir.d gets to it
-
P potemkin_ai referenced this topic on
-
I believe I assembled a first version, but got stuck with OpenID auth on Cloudron side: https://forum.cloudron.io/topic/13648/openid-uri-configuration-issue-for-synapse-s-mas
I would appreciate any help here - it would be beneficial for the work to be done by @vladimir.d or whoever would be solving the same task.
-
I believe I assembled a first version, but got stuck with OpenID auth on Cloudron side: https://forum.cloudron.io/topic/13648/openid-uri-configuration-issue-for-synapse-s-mas
I would appreciate any help here - it would be beneficial for the work to be done by @vladimir.d or whoever would be solving the same task.
@potemkin_ai Where is your code? Not an expert but I'm willing to take a look
-
@jdaviescoates
@nebulon also attended the matrix talk in FOSDEM and they mentioned MAS is the way forward. It's in our internal task list, let's see when @vladimir.d can get to it.@girish said in We need the Matrix Authentication Service (MAS):
@jdaviescoates
@nebulon also attended the matrix talk in FOSDEM and they mentioned MAS is the way forward. It's in our internal task list, let's see when @vladimir.d can get to it.Any update on this?
I just realised 1.0.0 was released two days ago!
https://github.com/element-hq/matrix-authentication-service/releases/tag/v1.0.0
BTW, I just noticed that in my Cloudron Dashboard is says "login with dedicated account":
But it's actually using OIDC:
What's going on there?
Either way, I'm hoping we can have MAS soon and that that will make Element X work with my instance
-
Yeah, MAS jumped from all of the sudden from 0.2.something to 1.0 - very well... And that is all with 136 issues opened, including the issue when the user won't be created as it should.
I've ejected Synapse from Cloudron and run it independently - it is kind of working (if you don't mind get your hands dirty in the database), but if you don't need Element Calls - I can't see no real benefits.
Not sure if the question was anyhow directed on me, but I hope that rant might be of some use anyway
-
N nottheend referenced this topic on
-
@jdaviescoates
@nebulon also attended the matrix talk in FOSDEM and they mentioned MAS is the way forward. It's in our internal task list, let's see when @vladimir.d can get to it.@girish said in We need the Matrix Authentication Service (MAS):
@jdaviescoates
@nebulon also attended the matrix talk in FOSDEM and they mentioned MAS is the way forward. It's in our internal task list, let's see when @vladimir.d can get to it.@ntnsndr FYI I think this is the latest (saw you commented on the related thread about Element X)
-
Hey, I assume there are no news about this topic? I have one user, that is not able to see chats in the classic/legacy apps but only on Element X. But this comes with the downside og not being able to make calls
(Besides that the classic apps are barely getting any updates anymore) -
I did some digging, this is what I think is needed:
The current package uses:
- Synapse
v1.144.0(which is compatible - MAS requires v1.136.0+) - Cloudron OIDC for SSO (traditional OIDC provider approach)
- PostgreSQL as the database
- Standard Matrix authentication endpoints
What MAS Integration Requires
MAS is fundamentally different from traditional OIDC - it's not just another identity provider, but a complete replacement for Synapse's internal authentication system per MSC3861. It needs:1. MAS Service Deployment
- MAS needs to run as a separate service (not just a config change)
- It requires its own separate PostgreSQL database
- It needs its own domain/subdomain (e.g., auth.matrix.example.com)
- Docker image: ghcr.io/element-hq/matrix-authentication-service:latest
2. MAS Configuration Requirements
- Encryption secrets and signing keys (RSA minimum)
- Connection to Synapse via shared secret
- Database configuration for its own PostgreSQL database
- HTTP listener configuration
- Email configuration for password recovery
- Policy configuration (WASM file)
3. Synapse Configuration Changes
Replace traditional OIDC with matrix_authentication_service section:matrix_authentication_service: enabled: true endpoint: http://mas-internal:8080/ secret: "SharedSecretWithMAS"4. Reverse Proxy Changes
These Matrix endpoints must be routed to MAS (not Synapse):/_matrix/client/*/login/_matrix/client/*/logout/_matrix/client/*/refresh
5. User Migration (For Existing Deployments)
MAS includessyn2mastool to migrate:- Existing password hashes (bcrypt → argon2id)
- Sessions and devices
- Access tokens
- Upstream IdP mappings
- Synapse
