Hi!
I’m running a matrix-synapse server, and authentication directly with OIDC and Keycloak has worked well for a long time.
But I migrated the authentication for matrix-synapse to the new matrix-authentication-service (MAS), where I also use Keycloak as the backend.
There is an administration frontend for matrix-synapse called “synapse-admin” (Admin console for synapse Matrix homeserver).
It supports login via OIDC, as Synapse does directly, but with more fine-grained permissions.
To use MAS, you have to deactivate all authentication mechanisms in Synapse. All authentication and authorization runs via OIDC and the MAS server.
After migrating to MAS, I cannot log in to the admin dashboard synapse-admin anymore.
When I debugged the problem, I found that something is wrong with the OIDC token.
To get admin permissions on matrix-synapse, the OIDC token needs a `urn:synapse:admin:*` scope…
Look, here is the description:
Issue opened 02:10AM - 10 Sep 24 UTC, closed 02:10AM - 10 Sep 24 UTC; labels: A-Documentation, A-GraphQL, A-Policy
*This issue was originally created by [**@sandhose**](https://github.com/sandhos… e) at <https://github.com/matrix-org/matrix-authentication-service/issues/2187>.*
The default policy is not documented at all, but it is especially tricky to understand how admin scopes (`urn:synapse:admin:*` and `urn:mas:admin`) interact with it. This needs to be documented.
A few pieces of information to include, in a very brain-dumpy format:
- There are three main ways to get an access token:
  - Interactively, through an authorisation code grant, in which case the token has a user attached to it. *This is regulated by the policy engine*
  - Programmatically, through a client credentials grant, in which case the token has no user attached to it, only an OAuth client. *This is regulated by the policy engine*
  - Programmatically, through MAS' GraphQL API, using the `createOauth2Session` mutation. This is completely unregulated; arbitrary (including non-existing) scopes can be granted through this. The only restriction is that the token making the API call needs to be admin (= has the `urn:mas:admin` scope)
- The `urn:synapse:admin:*` scope grants access to `/_synapse/admin/*`. Because of some Synapse subtlety, this scope has to be linked to a user, so it can't be requested through the client credentials grant
- The `urn:mas:admin` scope grants admin access to MAS' GraphQL API, which lets it request and edit resources of other users than the current one, and access a few privileged mutations. When requesting this scope, the `urn:mas:graphql:*` scope should be requested as well.
- With the default policy, a user [can request the `urn:synapse:admin:*` scope](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/policies/authorization_grant.rego#L34-L38) or the [`urn:mas:admin` scope](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/policies/authorization_grant.rego#L44-L47) if:
  - [their *username* (aka. localpart of the MXID) is listed in `policy.data.admin_users`](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/policies/authorization_grant.rego#L15-L19)
  - or if [their account has the `can_request_admin` flag in the database set to true](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/policies/authorization_grant.rego#L22-L24) (see below about toggling that flag)
- With the default policy, [a client can request the `urn:mas:admin` scope if their client ID is listed in `policy.data.admin_clients`](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/policies/authorization_grant.rego#L50-L54)
- The [GraphQL schema is self-documented](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/frontend/schema.graphql). A playground can be found in MAS itself, for example: https://auth-oidc.lab.element.dev/graphql/playground
- The URL of the GraphQL endpoint can be discovered with the `org.matrix.matrix-authentication-service.graphql_endpoint` property [in the OIDC discovery document](https://auth-oidc.lab.element.dev/.well-known/openid-configuration)
- The `can_request_admin` flag can be found on the `users` table in the database, and can be dynamically toggled using the [`setCanRequestAdmin` mutation](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/frontend/schema.graphql#L665-L671). This mutation [requires a `userId`](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/frontend/schema.graphql#L1054-L1066), which can be found on users using the [`userByUsername`](https://github.com/matrix-org/matrix-authentication-service/blob/bd42916309d3237f1523066a6238d520c4cd6f73/frontend/schema.graphql#L888-L892) query method.
(For admin permissions on the MAS server itself, a scope `urn:mas:admin:*` has to be added to the token.)
And I have NO idea what I should configure in my Keycloak to get this working. The docs from MAS are still very… simple.
So I created an issue there: How to configure keycloak to get admin-rights on synapse server · Issue #3211 · element-hq/matrix-authentication-service · GitHub
But I think it’s a Keycloak issue…
Can someone please give me advice on what I have to do here, or point me to the place to get this issue resolved?
Thank you very much
Jakob
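The rules quoted from the MAS issue above (who may obtain `urn:synapse:admin:*` and `urn:mas:admin` under the default policy, and which grant types can carry them) can be checked locally before touching Keycloak. The following is an added example, not code from this post, from MAS, from synapse-admin or from the linked issue: it models those rules in plain Python and parses a token-introspection reply to show which scopes a token actually carries. Assumptions: `PolicyData`, `GrantRequest`, `evaluate`, `missing_companion_scopes` and `token_scopes` are names chosen here; the usernames `alice`/`jakob` and client ids `synapse-admin`/`ops-bot` are constructed; scopes other than the two admin scopes are treated as always permitted (the real Rego policy has further rules this model omits); and the introspection reply is a constructed RFC 7662-style document with a space-separated `scope` member.

```python
"""Model of the MAS default-policy admin-scope rules described in the issue.

Added example, not MAS' own policy. It mirrors the quoted rules:
  - an authorisation code grant carries a user; that user may get
    urn:synapse:admin:* or urn:mas:admin only if their localpart is listed
    in policy.data.admin_users or their can_request_admin DB flag is true;
  - a client credentials grant carries no user; the client may get
    urn:mas:admin only if its client_id is in policy.data.admin_clients,
    and can never get urn:synapse:admin:* (that scope must be user-linked);
  - urn:mas:admin should be accompanied by urn:mas:graphql:*.
Assumption: every other scope is treated as permitted here.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field

SYNAPSE_ADMIN = "urn:synapse:admin:*"   # grants access to /_synapse/admin/*
MAS_ADMIN = "urn:mas:admin"             # admin access to MAS' GraphQL API
MAS_GRAPHQL = "urn:mas:graphql:*"       # should accompany urn:mas:admin


@dataclass
class PolicyData:
    """Mirrors the policy.data keys named in the issue; values are constructed."""
    admin_users: set[str] = field(default_factory=set)
    admin_clients: set[str] = field(default_factory=set)


@dataclass
class GrantRequest:
    """A token request as the policy engine sees it."""
    client_id: str
    scopes: set[str]
    username: str | None = None        # None models a client credentials grant
    can_request_admin: bool = False    # the users.can_request_admin DB flag


def user_may_request_admin(req: GrantRequest, data: PolicyData) -> bool:
    """A user may hold admin scopes if listed in admin_users or flagged in the DB."""
    return req.username is not None and (
        req.username in data.admin_users or req.can_request_admin
    )


def evaluate(req: GrantRequest, data: PolicyData) -> list[str]:
    """Return the reasons the grant would be denied; an empty list means allowed."""
    denials: list[str] = []
    if SYNAPSE_ADMIN in req.scopes:
        if req.username is None:
            denials.append(f"{SYNAPSE_ADMIN} must be linked to a user; "
                           "a client credentials grant cannot obtain it")
        elif not user_may_request_admin(req, data):
            denials.append(f"{SYNAPSE_ADMIN}: user {req.username!r} is not in "
                           "admin_users and has can_request_admin=false")
    if MAS_ADMIN in req.scopes:
        if req.username is None:
            if req.client_id not in data.admin_clients:
                denials.append(f"{MAS_ADMIN}: client {req.client_id!r} "
                               "is not in admin_clients")
        elif not user_may_request_admin(req, data):
            denials.append(f"{MAS_ADMIN}: user {req.username!r} is not in "
                           "admin_users and has can_request_admin=false")
    return denials


def missing_companion_scopes(scopes: set[str]) -> set[str]:
    """urn:mas:admin is only useful together with urn:mas:graphql:*."""
    if MAS_ADMIN in scopes and MAS_GRAPHQL not in scopes:
        return {MAS_GRAPHQL}
    return set()


def token_scopes(introspection_json: str) -> set[str]:
    """Scopes from an RFC 7662-style introspection reply (empty if inactive)."""
    doc = json.loads(introspection_json)
    if not doc.get("active", False):
        return set()
    return set(doc.get("scope", "").split())


# Constructed introspection reply for an interactive login that only received
# the standard client-API scope, i.e. the situation described in the post.
SAMPLE_INTROSPECTION = json.dumps({
    "active": True,
    "scope": "openid urn:matrix:org.matrix.msc2967.client:api:*",
    "username": "jakob",
    "client_id": "synapse-admin",
})

if __name__ == "__main__":
    data = PolicyData(admin_users={"alice"}, admin_clients={"ops-bot"})
    login = GrantRequest("synapse-admin", {"openid", SYNAPSE_ADMIN}, username="jakob")
    print("denials for jakob:", evaluate(login, data))
    print("token has synapse admin scope:",
          SYNAPSE_ADMIN in token_scopes(SAMPLE_INTROSPECTION))
```

The two checks separate the failure modes: `token_scopes` shows whether the token synapse-admin presents to Synapse ever contained `urn:synapse:admin:*`, and `evaluate` shows why the default policy would refuse it (the user is neither in `policy.data.admin_users` nor flagged `can_request_admin`), which is a MAS-side setting rather than anything the Keycloak realm can supply.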