OpenID URI configuration issue (for Synapse's MAS)
-
Guess that would be of use to Cloudron as well - I'm configuring MAS now (as a follow-up from https://forum.cloudron.io/topic/13140/we-need-the-matrix-authentication-service-mas/9) and I'm facing the following error:
redirect_uri did not match any of the client's registered redirect_uris
I've registered the client cid-ge9eaf52aaff129a8df85b168330e582 with callback URL: https://auth.mydomain.com/upstream/callback/
Decoded URL of the page where I see the error is:
https://my.mydomain.com/openid/auth?response_type=code&client_id=cid-ge9eaf52aaff129a8df85b168330e582&redirect_uri=https://auth.mydomain.com/upstream/callback/02JRTE26ER59ZCVR8P81GHD2V5&scope=email+openid+profile&state=IvtPGE8sYTtD0u1a&nonce=8u6Ijs0z7dDwGriu&code_challenge_method=S256&code_challenge=hnG2HcdLQBrJO3DYUCg3OcapcvYxElAu5AO_28MLpg5So
redirect_uri == https://auth.mydomain.com/upstream/callback/02JRTE26ER59ZCVR8P81GHD2V5...
which looks to be in line with https://auth.mydomain.com/upstream/callback/ that I've registered (and so does the client id). Unless Cloudron expects to see exactly the same URL? If so - is there any quick way to resolve that?
I'm ready to patch some files directly if required, if that would be added in the coming release.
-
Element's MAS requirements are as follows:
create an OAuth 2.0/OIDC client on the provider's side, using the following parameters:
- redirect_uri: https://<auth-service-domain>/upstream/callback/<id>
- response_type: code
- response_mode: query
- grant_type: authorization_code
-
That looks to be an error produced by the oidc-provider module in use by Cloudron (InvalidRedirectUri exception); looks like it is raised by /home/yellowtent/box/src/oidc.js.
The oidc-provider module provides information on how to use a wildcard redirect_uri, warning that it shall not be used in production: https://github.com/panva/node-oidc-provider/blob/main/recipes/redirect_uri_wildcards.md
It looks to me like the oidc.js logic has to be altered in a way to allow a wildcard at the end of the redirect_uri, as otherwise Synapse's MAS won't work. Unless I'm missing something.
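To make the mismatch in the two posts above concrete (the MAS requirement of `https://<auth-service-domain>/upstream/callback/<id>` versus a provider that compares redirect URIs by simple string comparison, as OIDC Core requires), here is a small added illustration written for this thread. It is not code from oidc-provider, Cloudron's oidc.js or MAS; the registered and requested URLs are constructed samples modelled on the ones quoted above. It shows why an exact-match check rejects the request, and a narrower alternative to a blanket wildcard that still pins scheme, host, path prefix and a single trailing segment, so a defender can see what a relaxed rule should still refuse.

```python
from urllib.parse import urlsplit

# Constructed sample values modelled on the thread: the callback that was
# registered at the provider, and the redirect_uri MAS actually sends
# (MAS appends a per-upstream-provider id as the last path segment).
REGISTERED = "https://auth.mydomain.com/upstream/callback/"
REQUESTED = "https://auth.mydomain.com/upstream/callback/02JRTE26ER59ZCVR8P81GHD2V5"


def exact_match(registered: str, requested: str) -> bool:
    """Simple string comparison: the default and safest redirect_uri rule."""
    return registered == requested


def constrained_prefix_match(registered: str, requested: str) -> bool:
    """Hypothetical relaxed rule for callbacks that end in a random id.

    Compared with a raw wildcard it still requires: https only, identical
    host and port, no query or fragment, the registered path as an exact
    prefix ending in '/', and exactly one extra path segment without '..'.
    """
    reg = urlsplit(registered)
    req = urlsplit(requested)
    if reg.scheme != "https" or req.scheme != "https":
        return False
    if req.netloc != reg.netloc:          # host and port must be identical
        return False
    if req.query or req.fragment:         # no smuggling via ?x= or #frag
        return False
    if not reg.path.endswith("/"):        # only directory-style prefixes
        return False
    if not req.path.startswith(reg.path):
        return False
    suffix = req.path[len(reg.path):]
    # One opaque id segment only: no empty suffix, nested paths or traversal.
    return suffix != "" and "/" not in suffix and ".." not in suffix


def explain(registered: str, requested: str) -> dict:
    """Return both verdicts so the difference is visible at a glance."""
    return {
        "exact": exact_match(registered, requested),
        "constrained_prefix": constrained_prefix_match(registered, requested),
    }


if __name__ == "__main__":
    print(explain(REGISTERED, REQUESTED))
```

Run as-is it reports `exact` as False and `constrained_prefix` as True for the thread's pair of URLs; the same function refuses an `http://` scheme, a look-alike host, an extra `?query`, or a nested `/a/b` suffix, which is the minimum a relaxed matcher should keep rejecting.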
-
Not an expert on this, I suspect one has to try it out to know what the issue is. But https://git.cloudron.io/packages/synapse-app/-/blob/master/start.sh?ref_type=heads#L73 is how we configure OIDC in the existing synapse and that of course works.
-
@joseph I believe it's a question of support still - as I'm trying to figure out how to configure Cloudron's OpenID to work with an external app, which Cloudron is about to repackage on its own.
The link you've provided is related to configuring the Synapse server, while the issue is with Cloudron's OpenID and the way it handles redirect_uri.
Please, let me know if I shall not expect any reasonable and prompt support on that - if that is the case, I will have to replace the Cloudron functionality as a platform, and for that I will need quite some time.
I would be happy to work with someone from the team however, to keep Cloudron in my perimeter and share everything I will work on, so that you would be able to merge Synapse MAS and Element Call into the platform easily.
-
From Cloudron manifest file I can see that you use callback as a static rule:
"loginRedirectUri": "/_synapse/client/oidc/callback"
Which is pretty much in line with what I wrote earlier -> Cloudron OpenID component needs improvements in order for Synapse's MAS to work.
-
Negative. Please, disregard what has been said earlier: OpenID from Cloudron could be used as is.
Happy to share my findings on setting up the service with @vladimir.d or whoever will be doing this configuration for everyone on Cloudron.