This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

Element-Web "circles" forever, Synapse error "Failed to introspect token" #1864

Closed
jacotec opened this issue Sep 28, 2023 · 6 comments

Comments

@jacotec

jacotec commented Sep 28, 2023

I've managed to install MAS now on my test server, User registration works, email verification also.

Then a window appears to grant permissions to Element-Web in the login process ... but after confirming I expect Element-Web to log in, instead it's "forever circling".

In the Synapse log I see:

2023-09-28 11:06:06,622 - synapse.api.auth.msc3861_delegated - 259 - ERROR - GET-698371 - Failed to introspect token
Traceback (most recent call last):
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/api/auth/msc3861_delegated.py", line 257, in get_user_by_access_token
    introspection_result = await self._introspect_token(token)
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/api/auth/msc3861_delegated.py", line 178, in _introspect_token
    response = await self._http_client.request(
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/client.py", line 369, in request
    logger.debug("Sending request %s %s", method, redact_uri(uri))
  File "/opt/venvs/matrix-synapse/lib/python3.8/site-packages/synapse/http/__init__.py", line 38, in redact_uri
    uri = ACCESS_TOKEN_RE.sub(r"\1<redacted>\3", uri)
TypeError: expected string or bytes-like object
2023-09-28 11:06:06,623 - synapse.http.server - 124 - INFO - GET-698371 - <XForwardedForRequest at 0x7f58c69d47f0 method='GET' uri='/_matrix/client/r0/sync?timeout=30000&since=s429471_57579471_0_692213_121803_42_20186_6828218_0_3&set_presence=offline&filter=%7B%22room%22%3A%7B%22timeline%22%3A%7B%22limit%22%3A50%7D%7D%7D' clientproto='HTTP/1.0' site='8448'> SynapseError: 503 - Unable to introspect the access token
@sandhose
Member

This feels like there is a problem between MAS and Synapse, especially to do the introspection request.
When Synapse introspects an incoming token, it will:

  1. Load the OP metadata by doing a GET request to <issuer>/.well-known/openid-configuration, where <issuer> is experimental_features.msc3861.issuer in Synapse configuration. The result is then cached.
  2. From the metadata, get the introspection_endpoint. From MAS' POV, this one is constructed like <public_base>/oauth2/introspect, where <public_base> is http.public_base in MAS' configuration.
  3. Post the access token to the introspection_endpoint

With the error you got, it feels like (1) went fine, but on (2)/(3), the introspection_endpoint was null/not present.

Can you make sure that:

  • Synapse can GET <issuer>/.well-known/openid-configuration
  • Synapse can POST on whatever introspection_endpoint is present in that document

The second error you're pointing out is because that page got reloaded twice and the feedback for this is not the best. I opened an issue specifically for this here: #1865
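The three steps above (discover the OP metadata, read introspection_endpoint, POST the token to it) can be checked independently of Synapse. The following is an added example written for this thread, not code from MAS or Synapse: it resolves the introspection endpoint from a constructed openid-configuration document, fails with a readable message when the endpoint is missing (the case that produced the TypeError in the traceback, where a None URI reached redact_uri), and builds the introspection POST. The issuer, client id, client secret and both well-known documents are constructed placeholders, and the fetcher is injected so the script runs offline; the client-authentication method (HTTP Basic) is an assumption, not necessarily what a given Synapse config uses.

```python
import base64
import json
from urllib.parse import urlencode

# Constructed placeholders for this example (not real deployment values).
ISSUER = "https://auth.example.test/"
CLIENT_ID = "placeholder-synapse-client-id"
CLIENT_SECRET = "placeholder-client-secret"

# Constructed OP metadata: one document that advertises an introspection
# endpoint (what MAS is expected to publish under <public_base>/oauth2/introspect)
# and one that omits it, reproducing the failure mode in the thread.
GOOD_WELL_KNOWN = {
    "issuer": ISSUER,
    "authorization_endpoint": "https://auth.example.test/authorize",
    "token_endpoint": "https://auth.example.test/oauth2/token",
    "introspection_endpoint": "https://auth.example.test/oauth2/introspect",
}
BAD_WELL_KNOWN = {k: v for k, v in GOOD_WELL_KNOWN.items()
                  if k != "introspection_endpoint"}


def well_known_url(issuer: str) -> str:
    """Step 1: the discovery URL fetched for a given issuer."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def fetch_good(url: str) -> str:
    """Stand-in for an HTTP GET returning the constructed good document."""
    return json.dumps(GOOD_WELL_KNOWN)


def fetch_bad(url: str) -> str:
    """Stand-in for an HTTP GET returning the document without the endpoint."""
    return json.dumps(BAD_WELL_KNOWN)


def resolve_introspection_endpoint(issuer: str, fetch) -> str:
    """Steps 1-2: load the OP metadata and extract introspection_endpoint.

    `fetch(url)` returns the response body as text. A missing, null or
    non-https endpoint raises ValueError instead of being passed on as None.
    """
    url = well_known_url(issuer)
    metadata = json.loads(fetch(url))
    endpoint = metadata.get("introspection_endpoint")
    if not isinstance(endpoint, str) or not endpoint:
        raise ValueError(f"{url} has no introspection_endpoint")
    if not endpoint.startswith("https://"):
        raise ValueError(f"introspection_endpoint is not https: {endpoint}")
    return endpoint


def build_introspection_request(endpoint: str, token: str,
                                client_id: str, client_secret: str) -> dict:
    """Step 3: describe the POST sent to the introspection endpoint.

    Body follows RFC 7662 (token + token_type_hint); HTTP Basic client
    authentication is assumed here for illustration.
    """
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": endpoint,
        "headers": {
            "Authorization": f"Basic {credentials}",
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": urlencode({"token": token, "token_type_hint": "access_token"}),
    }


def diagnose(issuer: str, fetch) -> dict:
    """Run steps 1-2 and report a result an operator can act on."""
    try:
        endpoint = resolve_introspection_endpoint(issuer, fetch)
    except ValueError as exc:  # json.JSONDecodeError is a ValueError too
        return {"ok": False, "detail": str(exc)}
    return {"ok": True, "detail": endpoint}


if __name__ == "__main__":
    for name, fetch in (("good", fetch_good), ("bad", fetch_bad)):
        result = diagnose(ISSUER, fetch)
        print(f"{name}: ok={result['ok']} {result['detail']}")
    req = build_introspection_request(
        resolve_introspection_endpoint(ISSUER, fetch_good),
        "syt_constructed_token", CLIENT_ID, CLIENT_SECRET)
    print(req["method"], req["url"], req["body"])
```

Against a real deployment, pass a live fetcher such as `lambda u: urllib.request.urlopen(u).read().decode()` and the issuer from experimental_features.msc3861.issuer; a `"ok": False` result with "has no introspection_endpoint" is the condition the traceback above corresponds to.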

@jacotec
Author

jacotec commented Sep 28, 2023

Seems to be #1775

Is this already in 0.2.0?

@sandhose
Member

sandhose commented Sep 28, 2023

Seems to be #1775

Is this already in 0.2.0?

It's not, so that might actually be related. Can you try and run the latest version, either from the Docker image with the tag sha-a62aa87, or out of the binaries available here: https://github.com/matrix-org/matrix-authentication-service/actions/runs/6312929380

@jacotec
Author

jacotec commented Sep 28, 2023

  • Load the OP metadata by doing a GET request to <issuer>/.well-known/openid-configuration, where <issuer> is experimental_features.msc3861.issuer in Synapse configuration. The result is then cached.
  • From the metadata, get the introspection_endpoint. From MAS' POV, this one is constructed like <public_base>/oauth2/introspect, where <public_base> is http.public_base in MAS' configuration.

There is no "introspection_endpoint" in the well-known, where does it get this from?

[image]

Can you make sure that:

  • Synapse can GET <issuer>/.well-known/openid-configuration
  • Synapse can POST on whatever introspection_endpoint is present in that document

I have added an "introspection_endpoint" to the well-known, seems this made the job! (In conjunction with your dev binary of mas-cli)

Documentation issue?

@sandhose Can you kindly also point me to the doc on how to configure upstream OIDC providers? This is completely missing from the config file description in the docs, and as a next step I need to delegate to my Keycloak.

@jacotec
Author

jacotec commented Sep 28, 2023

... Key Backup issue? How is this related to MAS?

MatrixError: [501] Resetting cross signing keys is not yet supported with MSC3861 (https://flairy.de/_matrix/client/unstable/keys/device_signing/upload)

@sandhose
Member

I think I captured everything in other issues, which are mostly "improve the docs" and #1942
