OpenID Connect #411

Open
Thatoo opened this issue Sep 27, 2023 · 11 comments · May be fixed by #439

Comments

Thatoo commented Sep 27, 2023

Extract from the matrix.org blog:

Finally, last but not least, we’re proud to announce that the project to replace Matrix’s venerable existing authentication APIs with industry-standard Open ID Connect in Matrix 2.0 has taken a huge leap forwards today, with matrix-authentication-service now being available to add Native OIDC support to Synapse, as well as Element X now implementing account registration, login and management via Native OIDC (with legacy support only for login/logout).

This is a critical step forwards in improving the security and maintainability for Matrix’s authentication, and you can read all about it in this dedicated post, explaining the rationale for adopting OpenID Connect for all forms of authentication throughout Matrix, and what you need to know about the transition.

Will it work with YunoHost SSO and LDAP functionality?

aibosss commented Sep 29, 2023

+1

Thatoo commented Nov 15, 2023

Maybe an easy way would be to automatically install https://github.com/YunoHost-Apps/dex_ynh alongside Synapse to use YunoHost LDAP through OIDC in Synapse?

Josue-T commented Nov 21, 2023

Well, after some investigation, dex or something else will be needed to link users with LDAP, but it will not be enough, as we will also need to manage users who were authenticated without YunoHost (and are not in LDAP). For this we will need the matrix-authentication-service.

But I really think installing dex + matrix-authentication-service + sliding_proxy all in the same YunoHost package makes it a bit heavy.
For me, ideally the YunoHost SSO "should" provide a solution to connect the matrix-authentication-service (OAuth 2.0/OIDC), as it's not the only app which needs this. Many apps probably already need this, and in the long term more and more apps will need this.

There are already many discussions about this here: https://github.com/YunoHost/issues/issues?q=is%3Aissue+openid

Thatoo commented Nov 21, 2023

I agree with you about integrating OpenID into YunoHost's SSO system.

From what I understood, the sliding sync proxy will be merged into the Synapse package at some point. In the meantime, it is possible to add it separately, but I wonder if we have the resources to focus on this temporary work just to benefit a faster app for those who are using the Element X app before Synapse integrates it.

I think that working on integrating OpenID in the SSO is a much more important long-run investment.

Josue-T commented Nov 21, 2023

For me it's not urgent to add sliding proxy support until Element X is merged into Element. It's nice to have, but it's not mandatory.

On the OpenID side, for me ideally we should migrate the authentication system at the same time as the sliding proxy, as it's all linked to the new Matrix spec. But yes, on the other side, on the YunoHost side there is some work to integrate OIDC. Maybe it could be integrated into the work on the new YunoHost portal.

Anyway, for me all of this (sliding proxy and OIDC) are big projects which will take time to integrate. The Synapse package is used by many people, so we can't release unstable things. We had many regressions since some of the last PRs, and we really should avoid this.

Thatoo commented Feb 21, 2024

[info] Element now has native OIDC support: https://github.com/element-hq/element-web/releases/tag/v1.11.59-rc.0
I guess that all platforms (desktop and smartphone) have at least one version working with OIDC now (not yet the case for sliding-sync though).

Josue-T commented Feb 21, 2024

The main issue about this is that YunoHost doesn't natively support OIDC, cf. YunoHost/issues#676

@Josue-T Josue-T linked a pull request Feb 26, 2024 that will close this issue
Thatoo commented Oct 4, 2024

Does MAS change anything, or does the issue remain the same, "yunohost don't support natively oidc"?

Josue-T commented Oct 4, 2024

MAS requires an OIDC server to migrate to the "new" standard of Matrix with a MAS server.

To me we have these 2 possibilities:

  • Fork MAS and add LDAP and auth HEADER support (it will probably be quite a big work and we will need to maintain it in the long term, which is not great; I used to do it with Element to have the SSO and it wasn't good, so if we can avoid having this issue again, it's great).
  • Implement OIDC in YunoHost, cf. "Use YunoHost as an identity provider?" YunoHost/issues#676. I also agree that it will also be a big work, but this will probably be useful for many apps, as it's a standard implemented in many apps.

Thatoo commented Oct 8, 2024

I guess the second option would be better.
I wonder if, in the meantime (waiting for YunoHost to become an OIDC provider), admins could have the choice between keeping using LDAP only (as it is, no MAS) or using MAS with dex; for this they should install dex and then fill in some fields in the Synapse config panel in the admin web GUI.
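What the "dex in front of YunoHost LDAP, Synapse as OIDC client" option sketched here and in the Nov 15, 2023 comment would look like in configuration, as an added example that is not part of this thread nor of the dex_ynh or synapse_ynh packages. Hostnames, the bind DN, the client id and every secret are assumed placeholders; the key names are dex's LDAP connector and Synapse's oidc_providers settings.

```yaml
# --- dex config.yaml (assumed hosts, paths and DNs) ---
issuer: https://dex.example.org          # must match Synapse "issuer" byte for byte
storage:
  type: sqlite3
  config:
    file: /var/lib/dex/dex.db
web:
  http: 127.0.0.1:5556                    # loopback only; TLS is terminated by the reverse proxy
staticClients:
  - id: synapse                           # client id Synapse will present
    name: Synapse
    secret: CHANGE_ME_LONG_RANDOM_SECRET  # placeholder: generate randomly, keep out of git
    redirectURIs:
      - https://matrix.example.org/_synapse/client/oidc/callback   # exact match required
connectors:
  - type: ldap
    id: yunohost-ldap
    name: YunoHost
    config:
      host: localhost:389
      insecureNoSSL: true                 # acceptable only because the directory is on loopback
      bindDN: cn=admin,dc=yunohost,dc=org # assumed; a dedicated read-only bind account is preferable
      bindPW: CHANGE_ME_BIND_PASSWORD     # placeholder
      userSearch:
        baseDN: ou=users,dc=yunohost,dc=org
        filter: "(objectClass=inetOrgPerson)"
        username: uid                     # attribute matched against the login form
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
        preferredUsernameAttr: uid        # surfaces as preferred_username in the ID token

# --- Synapse homeserver.yaml, oidc_providers section ---
oidc_providers:
  - idp_id: dex
    idp_name: "YunoHost (dex)"
    issuer: "https://dex.example.org"     # discovery via /.well-known/openid-configuration
    client_id: "synapse"
    client_secret: "CHANGE_ME_LONG_RANDOM_SECRET"   # same placeholder as in dex staticClients
    scopes: ["openid", "profile", "email"]
    # Lets an OIDC login claim a pre-existing @uid:server account created under the
    # LDAP-only setup. Safe here only because the same directory backs both paths;
    # with an untrusted IdP this would let a foreign identity take over local accounts.
    allow_existing_users: true
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name }}"
        email_template: "{{ user.email }}"
```

The two places the secret appears and the issuer string must agree exactly, or Synapse rejects the token at the callback; this is the "fill some fields in the config panel" step the comment refers to.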

Josue-T commented Oct 8, 2024

Well, I'm not convinced by the idea of using dex, because we will end up with 2 different configurations to maintain, and this for an undefined time. But yes, it's a possibility to use dex even if I don't really like this idea. I would really prefer to have a correct implementation, as one day more and more clients will need it and it doesn't make sense to say: by default it's not supported, you need to install another app and then configure Synapse to use it.
