SSO with Element not working
-
Is anyone else experiencing problems with SSO with matrix? Upon clicking "log in with X" there seem to be various redirects which end up either in an SSL error or the message
Too many redirects occurred trying to open “https://matrix.tld.com/_matrix/client/v3/login/sso/redirect/oidc-cloudron?redirectUrl=https%3A%2F%2Fchat.tld.com%2F&org.matrix.msc3824.action=login”. This might occur if you open a page that is redirected to open another page which then is redirected to open the original page.
depending on the client used.
-
@joseph I am also. But regular auto works without problems. This is not working on the regular element apps on mobile or web.
-
Seems to work here at least, do you have any extra proxy or so in front of the instance which might interfere here? If the browser login also fails, do you see in the inspector who issues those redirects somehow? Also anything interesting from the app logs (maybe both element and synapse)
-
@nebulon DNS hosted on cloudflare but not proxied. Unfortunately logs fill up so quickly it’s hard to keep track. It’s over 200MB, I’ll try to download them later. You can try yourself here: chat.due.ren
-
I can see the redirects on your server here as well. So this is synapse redirecting to itself endlessly. Maybe something off in your config file there?
@nebulon I couldn't find any issues:
```yaml
# https://github.com/element-hq/synapse/blob/master/docs/sample_config.yaml

# if you change this, change the auto_join_rooms below as well
server_name: "due.ren"
pid_file: /run/synapse/homeserver.pid
public_baseurl: https://matrix.due.ren

push:
  enabled: true
  include_content: false
  group_unread_count_by_room: true
  # jitter_delay: "10s"

experimental_features:
  msc3266_enabled: true

forget_rooms_on_leave: true
forgotten_room_retention_period: 7d

enable_metrics: true

listeners:
  - port: 8008
    type: http
    bind_addresses: ['0.0.0.0'] # Ensure it’s not just localhost if Prometheus is on a different machine/container
    resources:
      - names: [client, federation, metrics]
        compress: false

database:
  name: "psycopg2"
  args:
    # Path to the database
    user: xxx
    password: xxx
    database: xxx
    host: postgresql
    cp_min: 5
    cp_max: 10

background_updates:
  background_update_duration_ms: 100
  sleep_enabled: true
  sleep_duration_ms: 1000
  min_batch_size: 1
  default_batch_size: 100

email:
  smtp_host: mail
  smtp_port: 2525
  smtp_user: "matrix.app@due.ren"
  smtp_pass: "xxx"
  require_transport_security: false
  app_name: matrix.due.ren
  notif_from: "Matrix <matrix.app@due.ren>"
  enable_notifs: true
  notif_for_new_users: true
  client_base_url: "https://matrix.due.ren"
  validation_token_lifetime: 15m
  invite_client_location: https://chat.due.ren
  subjects:
    message_from_person_in_room: "[%(app)s] You have a message on %(app)s from %(person)s in the %(room)s room..."
    message_from_person: "[%(app)s] You have a message on %(app)s from %(person)s..."
    messages_from_person: "[%(app)s] You have messages on %(app)s from %(person)s..."
    messages_in_room: "[%(app)s] You have messages on %(app)s in the %(room)s room..."
    messages_in_room_and_others: "[%(app)s] You have messages on %(app)s in the %(room)s room and others..."
    messages_from_person_and_others: "[%(app)s] You have messages on %(app)s from %(person)s and others..."
    invite_from_person_to_room: "[%(app)s] %(person)s has invited you to join the %(room)s room on %(app)s..."
    invite_from_person: "[%(app)s] %(person)s has invited you to chat on %(app)s..."
    password_reset: "[%(server_name)s] Password reset"
    email_validation: "[%(server_name)s] Validate your email"

turn_uris:
  - turn:turn.due.ren:5349?transport=udp
  - turn:turn.due.ren:5349?transport=tcp
  - turns:turn.due.ren:5349?transport=udp
  - turns:turn.due.ren:5349?transport=tcp
turn_shared_secret: "xxx"
turn_allow_guests: true
turn_user_lifetime: 86400000

federation_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

enable_registration: false
enable_registration_without_verification: false
registration_shared_secret: "xxx"
allow_guest_access: false
enable_group_creation: true
report_stats: false

auto_accept_invites:
  enabled: true
  only_for_direct_messages: true
  only_from_local_users: true
  worker_to_run_on: "worker_1"

signing_key_path: "/app/data/configs/signing.key"

url_preview_enabled: true
url_preview_ip_range_blacklist:
  - '127.0.0.0/8'
  - '10.0.0.0/8'
  - '172.16.0.0/12'
  - '192.168.0.0/16'
  - '100.64.0.0/10'
  - '169.254.0.0/16'
  - '::1/128'
  - 'fe80::/64'
  - 'fc00::/7'

media_store_path: "/app/data/data/media_store"
max_upload_size: 200M
max_image_pixels: "32M"
dynamic_thumbnails: true

app_service_config_files:
  - /app/data/configs/registration.yaml

server_notices:
  system_mxid_localpart: notices
  system_mxid_display_name: "Server Notices"
  system_mxid_avatar_url: "https://static.due.ren/site/logo.png"
  room_name: "Server Notices"
  room_avatar_url: "https://static.due.ren/site/logo.png"
  room_topic: "Room used by your server admin to notice you of important information"
  auto_join: true

trusted_key_servers: []

password_config:
  enabled: true
  localdb_enabled: true

log_config: /app/data/configs/log.config

presence:
  enabled: true

delete_stale_devices_after: 12w
admin_contact: 'mailto:admin@due.ren'

thumbnail_sizes:
  - width: 32
    height: 32
    method: crop
  - width: 96
    height: 96
    method: crop
  - width: 320
    height: 240
    method: scale
  - width: 640
    height: 480
    method: scale
  - width: 800
    height: 600
    method: scale

serve_server_wellknown: true

user_directory:
  enabled: true
  search_all_users: true
  prefer_local_users: true

web_client_location: https://chat.due.ren/

oidc_providers:
  - idp_id: cloudron
    idp_name: due.ren
    issuer: https://my.due.ren/openid
    client_id: xxx
    client_secret: xxx
    scopes:
      - openid
      - email
      - profile
    authorization_endpoint: https://my.due.ren/openid/auth
    token_endpoint: https://my.due.ren/openid/token
    userinfo_endpoint: https://my.due.ren/openid/me
    allow_existing_users: true
    # skip_verification disables Synapse's check of the provider's OpenID metadata against the issuer
    skip_verification: true
    user_mapping_provider:
      config:
        localpart_template: '{{ user.sub }}'
        display_name_template: '{{ user.name }}'
```
-
If you install a fresh instance, do you see the same behavior just with a different subdomain then? That would at least mean that this is not the app configs but something related to the system setup
@nebulon hmm fresh installation (chat.as.ci) seems to work
Now I gotta see what’s different
-
I figured it out, here's what was happening:
The client was trying to access the SSO redirect URL with HTTP, but my server was configured to use HTTPS:
Requested URI http://matrix.due.ren/_matrix/client/r0/login/sso/redirect/oidc-cloudron?redirectUrl=element://connect?transaction_id=m2111693422.2 is not canonical: redirecting to https://matrix.due.ren/_matrix/client/r0/login/sso/redirect/oidc-cloudron?redirectUrl=element://connect?transaction_id=m2111693422.2
This redirection kept happening repeatedly (as shown by the multiple identical log entries with different request IDs), creating a loop. Synapse didn't properly handle the protocol conversion between HTTP and HTTPS.
Here's how I fixed the issue:
Added the x_forwarded: true setting to my configuration's listeners section:

```yaml
listeners:
  - port: 8008
    type: http
    bind_addresses: ['0.0.0.0']
    x_forwarded: true # Added this line
    resources:
      - names: [client, federation, metrics]
        compress: false
```
-
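The loop in the solved post can be reproduced with a small model of the proxy-to-homeserver hop. This is an added illustration, not code from the thread, from Cloudron or from Synapse: the request/response shapes, the function names and the `example.test` hostnames are constructed for the example. It assumes, as the fix above relies on, that a TLS-terminating reverse proxy always speaks plain HTTP to the backend and records the client's original scheme in `X-Forwarded-Proto`, and that the homeserver only trusts that header when `x_forwarded` is on.

```python
"""Model of why a missing `x_forwarded: true` turns one canonical-URL
redirect into an endless loop behind a TLS-terminating reverse proxy.

Added example; not Synapse's implementation. Names and behaviour are
constructed to mirror the configuration discussed in the thread.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    scheme: str                      # scheme of the socket the backend sees
    host: str
    path: str                        # path plus query string
    headers: dict = field(default_factory=dict)


def effective_scheme(req: Request, x_forwarded: bool) -> str:
    """Scheme the homeserver believes the client used.

    With x_forwarded enabled the proxy's X-Forwarded-Proto header is trusted;
    without it, only the scheme of the inbound (plain-HTTP) socket counts.
    """
    if x_forwarded:
        return req.headers.get("X-Forwarded-Proto", req.scheme).lower()
    return req.scheme


def handle(req: Request, public_baseurl: str, x_forwarded: bool):
    """Return ("ok", url) or ("redirect", location) for one request.

    A request whose scheme differs from public_baseurl is treated as
    non-canonical and redirected to the canonical scheme (constructed
    behaviour standing in for the log line quoted in the thread).
    """
    wanted = public_baseurl.split("://", 1)[0]
    seen = effective_scheme(req, x_forwarded)
    if seen != wanted:
        return ("redirect", f"{wanted}://{req.host}{req.path}")
    return ("ok", f"{seen}://{req.host}{req.path}")


def proxy_pass(client_url: str) -> Request:
    """Model the reverse proxy forwarding a client request to port 8008.

    The proxy terminates TLS, talks plain HTTP to the backend and records the
    original scheme in X-Forwarded-Proto (assumed proxy behaviour).
    """
    scheme, rest = client_url.split("://", 1)
    host, _, path = rest.partition("/")
    return Request(scheme="http", host=host, path="/" + path,
                   headers={"X-Forwarded-Proto": scheme})


def follow(client_url: str, public_baseurl: str, x_forwarded: bool,
           max_hops: int = 5):
    """Follow redirects like a client; return (hops, outcome, final_url).

    outcome is "ok" when a request is served, or "loop" when max_hops
    redirects were followed without ever reaching a served response.
    """
    url = client_url
    for hop in range(1, max_hops + 1):
        status, target = handle(proxy_pass(url), public_baseurl, x_forwarded)
        if status == "ok":
            return hop, "ok", target
        url = target
    return max_hops, "loop", url


# Constructed sample values; the real thread uses matrix.due.ren.
BASE = "https://matrix.example.test"
SSO_URL = ("https://matrix.example.test/_matrix/client/v3/login/sso/redirect/"
           "oidc-cloudron?redirectUrl=https%3A%2F%2Fchat.example.test%2F")

if __name__ == "__main__":
    # Without x_forwarded every https request arrives as http and is
    # bounced back to the same https URL forever.
    print("x_forwarded=false:", follow(SSO_URL, BASE, x_forwarded=False))
    # With x_forwarded the homeserver sees the client's real scheme.
    print("x_forwarded=true: ", follow(SSO_URL, BASE, x_forwarded=True))
```

Run it and the first line reports a loop after the hop limit while the second is served on the first hop. A genuine `http://` request still gets exactly one redirect to `https://` when `x_forwarded` is on, which is the behaviour the operator wants; the loop only appears when the homeserver cannot tell that the proxy already terminated TLS.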
nebulon marked this topic as a question on
-
nebulon has marked this topic as solved on
-
Good find. I wonder why it was not set in that instance. The configs from the package should have had it for 5 years https://git.cloudron.io/packages/synapse-app/-/blame/master/homeserver.yaml.template?ref_type=heads#L14
@nebulon not sure. Maybe I accidentally removed it when I set up Prometheus