OpenID URI configuration issue (for Synapse's MAS)

Reply to OpenID URI configuration issue (for Synapse's MAS) on Fri, 13 Mar 2026 12:47:57 GMT

james — Fri, 13 Mar 2026 12:47:57 GMT

We looked into this, created a community app and documented everything here:
https://forum.cloudron.io/topic/15225/matrix-authentication-service

Reply to OpenID URI configuration issue (for Synapse's MAS) on Wed, 16 Apr 2025 09:52:24 GMT

potemkin_ai — Wed, 16 Apr 2025 09:52:24 GMT

Negative. Please, disregard what have been said earlier: OpenID from Cloudron could be used as is.

Happy to share my findings on setting up the service with @vladimir.d or whoever will be doing this configuration for everyone on Cloudron.

Reply to OpenID URI configuration issue (for Synapse's MAS) on Wed, 16 Apr 2025 08:25:13 GMT

potemkin_ai — Wed, 16 Apr 2025 08:25:13 GMT

From Cloudron manifest file I can see that you use callback as a static rule:

"loginRedirectUri": "/_synapse/client/oidc/callback"

Which is pretty much in line with what I wrote earlier -> Cloudron OpenID component needs improvements in order for Synapse's MAS to work.

Reply to OpenID URI configuration issue (for Synapse's MAS) on Wed, 16 Apr 2025 08:22:24 GMT

potemkin_ai — Wed, 16 Apr 2025 08:22:24 GMT

@joseph I believe it's a question of support still - as I'm trying to figure out to configure Cloudron's OpenID to work with external app, which Cloudron is about to repackage on it's own.

The link you've provided - is related to configuring Synapse server, while the issue is with Cloudron's OpenID and the way it handles redirect_uri.

Please, let me know if I shall not expect any reasonable and prompt support on that - if that is the case, I will have to replace the Cloudron functionality as a platform, and for that I will need quite some time.

I would be happy to work with someone from the team however, to keep Cloudron in my perimeter and share everything I will work on, so that you would be able to merge Synapse MAS and Element Call into the platform easily.

Reply to OpenID URI configuration issue (for Synapse's MAS) on Wed, 16 Apr 2025 07:12:06 GMT

joseph — Wed, 16 Apr 2025 07:12:06 GMT

Not an expert on this, I suspect one has to try it out to know what the issue is . But https://git.cloudron.io/packages/synapse-app/-/blob/master/start.sh?ref_type=heads#L73 is how we configure OIDC in the existing synapse and that of course works .

Reply to OpenID URI configuration issue (for Synapse's MAS) on Tue, 15 Apr 2025 09:57:33 GMT

potemkin_ai — Tue, 15 Apr 2025 09:57:33 GMT

That looks to be an error produced by oidc-provider module in use of Cloudron (InvalidRedirectUri exception), looks like it is raised by /home/yellowtent/box/src/oidc.js.

oidc-provider module provides information how to use wildcard redirect_uri, warming that is shall not be used in production: https://github.com/panva/node-oidc-provider/blob/main/recipes/redirect_uri_wildcards.md

It looks to me like oidc.js logic has to be altered in a way to let wildcard at the end of the redirect_uri, as otherwise Synapse's MAS won't work.

Unless I'm missing something.

Reply to OpenID URI configuration issue (for Synapse's MAS) on Mon, 14 Apr 2025 22:29:56 GMT

potemkin_ai — Mon, 14 Apr 2025 22:29:56 GMT

Element's MAS requirements are as follow:

create an OAuth 2.0/OIDC client on the provider's side, using the following parameters:

redirect_uri: https:///upstream/callback/

response_type: code

response_mode: query

grant_type: authorization_code