Make synapse-admin work with matrix-authentication-service

[xundeenergie]

Matrix-authrntication-service (MAS) is a real OIDC authentication system and you could authorize users with optional client-scope urn:synapse:admin:* to gain synapse admin privileges for a session to be able to use synapse-admin when MAS is configerd on a homeserver as auth-service.

Here is a referencing issue, what clients need.
element-hq/matrix-authentication-service#2187

And an upstream issue
Awesome-Technologies/synapse-admin#429

---

updated by maintainers

Temporary workaround - generate a correct access token using MAS CLI and use it with "access token" login in Synapse Admin:

mas-cli manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges [username]

If you are using MAS with docker, you probably should use the following command (replace the NAME_OR_ID with actual container name/id):

docker exec -it NAME_OR_ID manage issue-compatibility-token --yes-i-want-to-grant-synapse-admin-privileges [username]

[sandhose]

We recently added a client implementation guide on areweoidcyet.com which should greatly help understand how the new login API work: https://areweoidcyet.com/client-implementation-guide/

The general API is very similar to m.login.sso, with some extra steps.
The other difficulty might come from the fact that access tokens have a low TTL (5min by default) and need to be refreshed regularly.

[aine-etke]

Updated the issue's description to include access token workaround

[xundeenergie]

I tried this but the token does not work.
Is there something to know, how to paste the token?
Some quoting or make a json out of the output from mas-cli?

[aine-etke]

@xundeenergie not sure what's wrong, but there are reports this approach with compatibility token works as expected.
Unfortunately, we at etke.cc do not use MAS at all, so we can't help with identifying the room cause, but you may try #synapse-admin:etke.cc - there are people who confirmed it works