MAS compatibility issues #429

Open
qwertzdenek opened this issue Nov 9, 2023 · 13 comments
Labels
enhancement New feature or request

Comments

@qwertzdenek

Prerequisites

Steps to Reproduce

  • sign in with SSO as Admin user
  • it fails on 403: M_FORBIDDEN

Problem

MAS doesn't let you get "synapse admin" rights through the legacy auth flow, as the legacy flow doesn't have a way to specify whether the session should have the admin rights or not. The best option would be a native OIDC implementation in Synapse-Admin to work with MAS.

Or you can add the possibility to use a static pre-generated admin token which can be issued using the CLI.

mas-cli manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges [username]

@awesome-manuel awesome-manuel added the enhancement New feature or request label Feb 7, 2024
@jacotec

jacotec commented Feb 16, 2024

Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?

@jacotec

jacotec commented Feb 20, 2024

@awesome-manuel I really need to access my server admin panels ... is there any workaround or tweak to log in on a server running MAS?

@CyberPingU

This is a big issue for me too: I'm not going into MAS due to the fact I cannot admin the server.

@schwadim

Is there any workaround? I can't use synapse-admin on any of my two servers which both use MAS due to Element-X capability. Any way to access them with admin?

As soon as the adminAPI responds with the first "You are not a server admin", synapse admin will terminate the session (did not check if this behavior is configurable).

There is quite a dirty workaround:

If you temporarily block the adminAPI (either on the client or the server side), the session will be kept open.
Then one can navigate to the compat_sessions table of the MAS DB and set the Flag is_synapse_admin for the given session to true.
After unblocking the adminAPI, the session should work as intended.

@awesome-manuel
Member

@schwadim do you have a log of the browser debug console to share?

@schwadim

@awesome-manuel I am working on a testing environment with lots of issues and moving parts.
Therefore I doubt that my personal browser debug console would be of any help.
But let me know if you want me to provide one anyway.

In essence all I'm doing is:

  • install ublock origin addon if not present
  • visit the synapse admin interface
  • open the ublock logger
  • perform a failing login to let ublock logger catch all requests
  • in ublock logger:
    • click on a url containing the _synapse/admin path
    • open the URL rule tab
    • click the red button on the left hand side beneath the URL ending with _synapse/admin/
  • perform a new login
  • do the above mentioned MAS db manipulation
  • click once again on the red button in ublock logger to unblock the URL
  • enjoy synapse admin

@awesome-manuel
Member

I need to know the exact answer of synapse that you need to block. Maybe this can be detected to be a MAS request.

@schwadim

I am blocking all requests towards /_synapse/admin as all of them would be answered with the 403 response: {"errcode":"M_FORBIDDEN","error":"You are not a server admin"}

Receiving such a response, synapse-admin silently performs a logout.

If not blocked, the first request leading to a logout happens to be:
https://my_synapse/_synapse/admin/v2/users?deactivated=false&dir=f&from=0&guests=true&limit=10&order_by=name

So I'm simply gaining time to actually assign the required permissions to the session.
It is just a hacky workaround.
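One way a client could handle the 403 described above, as an added example (not code from synapse-admin or from this thread): the exact error body from the thread is recognised and the session is kept with a warning, while only a genuinely invalid token ends the session. The fake homeserver reply and the action names are assumptions constructed for the example.

```javascript
// Added example, not synapse-admin's own code: tell the MAS compat-session case
// ("You are not a server admin" 403 on the admin API, as reported in this thread)
// apart from a dead session, so the client can keep the session and show the cause
// instead of silently logging out on the first admin-API response.

const NOT_ADMIN_ERROR = "You are not a server admin"; // exact text quoted in the thread

// Map an HTTP status plus parsed JSON body to a small set of outcomes.
function classifyAdminResponse(status, body) {
  if (status >= 200 && status < 300) return "ok";
  if (status === 401 || (body && body.errcode === "M_UNKNOWN_TOKEN")) return "unauthorized";
  if (status === 403 && body && body.errcode === "M_FORBIDDEN" && body.error === NOT_ADMIN_ERROR) {
    return "not_server_admin"; // token is valid but was never granted synapse admin rights
  }
  return "error";
}

// Decide what the UI should do (action names are assumptions for this example);
// only a genuinely invalid token ends the session.
function nextAction(kind) {
  if (kind === "unauthorized") return "logout";
  if (kind === "not_server_admin") return "warn_keep_session";
  return "continue";
}

// fetchImpl is injected so the wrapper can be exercised offline.
async function adminRequest(fetchImpl, baseUrl, accessToken, path) {
  const res = await fetchImpl(baseUrl + path, {
    headers: { Authorization: "Bearer " + accessToken },
  });
  let body = null;
  try { body = await res.json(); } catch (_) { body = null; }
  const kind = classifyAdminResponse(res.status, body);
  return { kind, status: res.status, body, action: nextAction(kind) };
}

// Constructed fake homeserver: the admin API answers exactly as in the thread,
// everything else succeeds.
function fakeFetch(url) {
  const adminPath = url.includes("/_synapse/admin/");
  const status = adminPath ? 403 : 200;
  const body = adminPath
    ? { errcode: "M_FORBIDDEN", error: NOT_ADMIN_ERROR }
    : { user_id: "@admin:example.test" }; // constructed value
  return Promise.resolve({ status, json: () => Promise.resolve(body) });
}

// Stand-alone run against the fake homeserver (URL and token are placeholders).
adminRequest(fakeFetch, "https://my_synapse", "<token>", "/_synapse/admin/v2/users?limit=10")
  .then((r) => console.log(r.kind, "->", r.action));
```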

@schwadim

Instead of tweaking the MAS database, one can also generate a new token via mas-cli and change device_id and access_token in the browser local storage while being logged in with blocked /_synapse/admin path. After reloading and unblocking one is able to work with the new token.

Yet another workaround would be:

  • Login as admin against another homeserver not working with MAS
  • generate a new token on the homeserver working with MAS using mas-cli
  • Open browser local storage and change access_token, base_url, device_id, user_id
  • reload

@dklimpel
Contributor

A real OIDC login workflow is required for synapse-admin with MAS.
An example could be under certain circumstances

@jacotec

jacotec commented Sep 4, 2024

@awesome-manuel Just asking if this is generally planned to be fixed? Would be great to be able to use Synapse-Admin again after 10 months ... ;-)

@dklimpel
Contributor

dklimpel commented Oct 7, 2024

First step is to add identifier to login flow. PR #601

A helpful guide could be: https://areweoidcyet.com/client-implementation-guide/
