Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

with latest synapse docker image SSO with keycloak does not work #8534

Closed
vidyo-emp opened this issue Oct 13, 2020 · 16 comments
Closed

with latest synapse docker image SSO with keycloak does not work #8534

vidyo-emp opened this issue Oct 13, 2020 · 16 comments
Assignees
Labels
A-SSO Single Sign-On (maybe OIDC) z-regression (Deprecated Label) Z-Upstream-Bug This issue requires a fix in an upstream dependency.

Comments

@vidyo-emp
Copy link

-Description
Synapse Version v1.12.1 (latest docker image) SSO does not work with keycloak
Here is the error msg:
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
return RSAKey.import_key(raw_data)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 119, in import_key
b'ssh-rsa', options
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 277, in import_key
cls.check_required_fields(raw)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
raise ValueError('Missing required field: "{}"'.format(k))
ValueError: Missing required field: "e"

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 688, in handle_oidc_callback
userinfo = await self._parse_id_token(token, nonce=nonce)
File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 494, in _parse_id_token
claims_params=claims_params,
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7519/jwt.py", line 98, in decode
data = self._jws.deserialize_compact(s, load_key, decode_payload)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
key = algorithm.prepare_key(key)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
return RSAKey.import_key(raw_data)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 119, in import_key
b'ssh-rsa', options
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 277, in import_key
cls.check_required_fields(raw)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
raise ValueError('Missing required field: "{}"'.format(k))
ValueError: Missing required field: "e"

With synapse version v1.20.1 works

@clokep
Copy link
Member

clokep commented Oct 13, 2020

It looks like a new version of authlib was released on Oct 10, it might be related to that.

Just to confirm, in the description this says v1.12.1, I think you meant v1.21.1?

@clokep clokep added z-bug (Deprecated Label) p1 z-regression (Deprecated Label) A-SSO Single Sign-On (maybe OIDC) labels Oct 13, 2020
@vidyo-emp
Copy link
Author

vidyo-emp commented Oct 13, 2020 via email

@Rafaeltheraven
Copy link

Not just docker, I'm getting the exact same issue on the Debian package. Luckily already existing sessions are unaffected

@jaywink
Copy link
Member

jaywink commented Oct 14, 2020

Ran into this issue as well. In my case removing the openid scope solved the issue. Could be something wrong with my Keycloak though as well... but it now seems to work.

@clokep
Copy link
Member

clokep commented Oct 14, 2020

From chatter in #synapse:matrix.org we think that this is lepture/authlib#280 which is fixed in v0.15.1 of authlib (which was just released).

@Rafaeltheraven
Copy link

Now that we know a (highly likely) fix, any idea on how long getting a patch could take? This is a huge issue for one of my friends who wipes their browser every time and thus needs to login a lot

@clokep
Copy link
Member

clokep commented Oct 14, 2020

Now that we know a (highly likely) fix, any idea on how long getting a patch could take? This is a huge issue for one of my friends who wipes their browser every time and thus needs to login a lot

If we had confirmation that upgrading the authlib package fixes it, I think we could probably to a 1.21.2 which simply updates the dependency.

@lepture
Copy link

lepture commented Oct 15, 2020

Hi, Authlib has just released v0.15.1 to backward support raw JWKs.

@richvdh
Copy link
Member

richvdh commented Oct 15, 2020

@Rafaeltheraven @jaywink @vidyo-emp are any of you able to install authlib 0.15.1 to confirm if that fixes the issue (should be just a matter of env/bin/pip install --upgrade authlib)?

@jaywink
Copy link
Member

jaywink commented Oct 15, 2020

@Rafaeltheraven @jaywink @vidyo-emp are any of you able to install authlib 0.15.1 to confirm if that fixes the issue (should be just a matter of env/bin/pip install --upgrade authlib)?

Can confirm that for the instance I have upgrading this in the container and restarting fixes the issue 👍

@clokep clokep added Z-Upstream-Bug This issue requires a fix in an upstream dependency. and removed z-bug (Deprecated Label) labels Oct 15, 2020
@clokep
Copy link
Member

clokep commented Oct 15, 2020

This should be fixed in the v1.21.2 release of Docker / debs. Please shout if there are more issues. (Note that the debs aren't yet uploaded but will be shortly.)

@clokep clokep closed this as completed Oct 15, 2020
@clokep clokep self-assigned this Oct 15, 2020
@clokep
Copy link
Member

clokep commented Oct 15, 2020

@Rafaeltheraven confirmed that this is working on v1.21.2 in #synapse:matrix.org 🎉

netbsd-srcmastr pushed a commit to NetBSD/pkgsrc that referenced this issue Oct 17, 2020
Synapse 1.21.2 (2020-10-15)
===========================

Debian packages and Docker images have been rebuilt using the latest versions of dependency libraries, including authlib 0.15.1. Please see bugfixes below.

Security advisory
-----------------

* HTML pages served via Synapse were vulnerable to cross-site scripting (XSS)
  attacks. All server administrators are encouraged to upgrade.
  ([\#8444](matrix-org/synapse#8444))
  ([CVE-2020-26891](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26891))

  This fix was originally included in v1.21.0 but was missing a security advisory.

  This was reported by [Denis Kasak](https://github.com/dkasak).

Bugfixes
--------

- Fix rare bug where sending an event would fail due to a racey assertion. ([\#8530](matrix-org/synapse#8530))
- An updated version of the authlib dependency is included in the Docker and Debian images to fix an issue using OpenID Connect. See [\#8534](matrix-org/synapse#8534) for details.


Synapse 1.21.1 (2020-10-13)
===========================

This release fixes a regression in v1.21.0 that prevented debian packages from being built.
It is otherwise identical to v1.21.0.

Synapse 1.21.0 (2020-10-12)
===========================

No significant changes since v1.21.0rc3.

As [noted in
v1.20.0](https://github.com/matrix-org/synapse/blob/release-v1.21.0/CHANGES.md#synapse-1200-2020-09-22),
a future release will drop support for accessing Synapse's
[Admin API](https://github.com/matrix-org/synapse/tree/master/docs/admin_api) under the
`/_matrix/client/*` endpoint prefixes. At that point, the Admin API will only
be accessible under `/_synapse/admin`.


Synapse 1.21.0rc3 (2020-10-08)
==============================

Bugfixes
--------

- Fix duplication of events on high traffic servers, caused by PostgreSQL `could not serialize access due to concurrent update` errors. ([\#8456](matrix-org/synapse#8456))


Internal Changes
----------------

- Add Groovy Gorilla to the list of distributions we build `.deb`s for. ([\#8475](matrix-org/synapse#8475))


Synapse 1.21.0rc2 (2020-10-02)
==============================

Features
--------

- Convert additional templates from inline HTML to Jinja2 templates. ([\#8444](matrix-org/synapse#8444))

Bugfixes
--------

- Fix a regression in v1.21.0rc1 which broke thumbnails of remote media. ([\#8438](matrix-org/synapse#8438))
- Do not expose the experimental `uk.half-shot.msc2778.login.application_service` flow in the login API, which caused a compatibility problem with Element iOS. ([\#8440](matrix-org/synapse#8440))
- Fix malformed log line in new federation "catch up" logic. ([\#8442](matrix-org/synapse#8442))
- Fix DB query on startup for negative streams which caused long start up times. Introduced in [\#8374](matrix-org/synapse#8374). ([\#8447](matrix-org/synapse#8447))


Synapse 1.21.0rc1 (2020-10-01)
==============================

Features
--------

- Require the user to confirm that their password should be reset after clicking the email confirmation link. ([\#8004](matrix-org/synapse#8004))
- Add an admin API `GET /_synapse/admin/v1/event_reports` to read entries of table `event_reports`. Contributed by @dklimpel. ([\#8217](matrix-org/synapse#8217))
- Consolidate the SSO error template across all configuration. ([\#8248](matrix-org/synapse#8248), [\#8405](matrix-org/synapse#8405))
- Add a configuration option to specify a whitelist of domains that a user can be redirected to after validating their email or phone number. ([\#8275](matrix-org/synapse#8275), [\#8417](matrix-org/synapse#8417))
- Add experimental support for sharding event persister. ([\#8294](matrix-org/synapse#8294), [\#8387](matrix-org/synapse#8387), [\#8396](matrix-org/synapse#8396), [\#8419](matrix-org/synapse#8419))
- Add the room topic and avatar to the room details admin API. ([\#8305](matrix-org/synapse#8305))
- Add an admin API for querying rooms where a user is a member. Contributed by @dklimpel. ([\#8306](matrix-org/synapse#8306))
- Add `uk.half-shot.msc2778.login.application_service` login type to allow appservices to login. ([\#8320](matrix-org/synapse#8320))
- Add a configuration option that allows existing users to log in with OpenID Connect. Contributed by @BBBSnowball and @OmmyZhang. ([\#8345](matrix-org/synapse#8345))
- Add prometheus metrics for replication requests. ([\#8406](matrix-org/synapse#8406))
- Support passing additional single sign-on parameters to the client. ([\#8413](matrix-org/synapse#8413))
- Add experimental reporting of metrics on expensive rooms for state-resolution. ([\#8420](matrix-org/synapse#8420))
- Add experimental prometheus metric to track numbers of "large" rooms for state resolutiom. ([\#8425](matrix-org/synapse#8425))
- Add prometheus metrics to track federation delays. ([\#8430](matrix-org/synapse#8430))


Bugfixes
--------

- Fix a bug in the media repository where remote thumbnails with the same size but different crop methods would overwrite each other. Contributed by @deepbluev7. ([\#7124](matrix-org/synapse#7124))
- Fix inconsistent handling of non-existent push rules, and stop tracking the `enabled` state of removed push rules. ([\#7796](matrix-org/synapse#7796))
- Fix a longstanding bug when storing a media file with an empty `upload_name`. ([\#7905](matrix-org/synapse#7905))
- Fix messages not being sent over federation until an event is sent into the same room. ([\#8230](matrix-org/synapse#8230), [\#8247](matrix-org/synapse#8247), [\#8258](matrix-org/synapse#8258), [\#8272](matrix-org/synapse#8272), [\#8322](matrix-org/synapse#8322))
- Fix a longstanding bug where files that could not be thumbnailed would result in an Internal Server Error. ([\#8236](matrix-org/synapse#8236), [\#8435](matrix-org/synapse#8435))
- Upgrade minimum version of `canonicaljson` to version 1.4.0, to fix an unicode encoding issue. ([\#8262](matrix-org/synapse#8262))
- Fix longstanding bug which could lead to incomplete database upgrades on SQLite. ([\#8265](matrix-org/synapse#8265))
- Fix stack overflow when stderr is redirected to the logging system, and the logging system encounters an error. ([\#8268](matrix-org/synapse#8268))
- Fix a bug which cause the logging system to report errors, if `DEBUG` was enabled and no `context` filter was applied. ([\#8278](matrix-org/synapse#8278))
- Fix edge case where push could get delayed for a user until a later event was pushed. ([\#8287](matrix-org/synapse#8287))
- Fix fetching malformed events from remote servers. ([\#8324](matrix-org/synapse#8324))
- Fix `UnboundLocalError` from occuring when appservices send a malformed register request. ([\#8329](matrix-org/synapse#8329))
- Don't send push notifications to expired user accounts. ([\#8353](matrix-org/synapse#8353))
- Fix a regression in v1.19.0 with reactivating users through the admin API. ([\#8362](matrix-org/synapse#8362))
- Fix a bug where during device registration the length of the device name wasn't limited. ([\#8364](matrix-org/synapse#8364))
- Include `guest_access` in the fields that are checked for null bytes when updating `room_stats_state`. Broke in v1.7.2. ([\#8373](matrix-org/synapse#8373))
- Fix theoretical race condition where events are not sent down `/sync` if the synchrotron worker is restarted without restarting other workers. ([\#8374](matrix-org/synapse#8374))
- Fix a bug which could cause errors in rooms with malformed membership events, on servers using sqlite. ([\#8385](matrix-org/synapse#8385))
- Fix "Re-starting finished log context" warning when receiving an event we already had over federation. ([\#8398](matrix-org/synapse#8398))
- Fix incorrect handling of timeouts on outgoing HTTP requests. ([\#8400](matrix-org/synapse#8400))
- Fix a regression in v1.20.0 in the `synapse_port_db` script regarding the `ui_auth_sessions_ips` table. ([\#8410](matrix-org/synapse#8410))
- Remove unnecessary 3PID registration check when resetting password via an email address. Bug introduced in v0.34.0rc2. ([\#8414](matrix-org/synapse#8414))


Improved Documentation
----------------------

- Add `/_synapse/client` to the reverse proxy documentation. ([\#8227](matrix-org/synapse#8227))
- Add note to the reverse proxy settings documentation about disabling Apache's mod_security2. Contributed by Julian Fietkau (@jfietkau). ([\#8375](matrix-org/synapse#8375))
- Improve description of `server_name` config option in `homserver.yaml`. ([\#8415](matrix-org/synapse#8415))


Deprecations and Removals
-------------------------

- Drop support for `prometheus_client` older than 0.4.0. ([\#8426](matrix-org/synapse#8426))


Internal Changes
----------------

- Fix tests on distros which disable TLSv1.0. Contributed by @danc86. ([\#8208](matrix-org/synapse#8208))
- Simplify the distributor code to avoid unnecessary work. ([\#8216](matrix-org/synapse#8216))
- Remove the `populate_stats_process_rooms_2` background job and restore functionality to `populate_stats_process_rooms`. ([\#8243](matrix-org/synapse#8243))
- Clean up type hints for `PaginationConfig`. ([\#8250](matrix-org/synapse#8250), [\#8282](matrix-org/synapse#8282))
- Track the latest event for every destination and room for catch-up after federation outage. ([\#8256](matrix-org/synapse#8256))
- Fix non-user visible bug in implementation of `MultiWriterIdGenerator.get_current_token_for_writer`. ([\#8257](matrix-org/synapse#8257))
- Switch to the JSON implementation from the standard library. ([\#8259](matrix-org/synapse#8259))
- Add type hints to `synapse.util.async_helpers`. ([\#8260](matrix-org/synapse#8260))
- Simplify tests that mock asynchronous functions. ([\#8261](matrix-org/synapse#8261))
- Add type hints to `StreamToken` and `RoomStreamToken` classes. ([\#8279](matrix-org/synapse#8279))
- Change `StreamToken.room_key` to be a `RoomStreamToken` instance. ([\#8281](matrix-org/synapse#8281))
- Refactor notifier code to correctly use the max event stream position. ([\#8288](matrix-org/synapse#8288))
- Use slotted classes where possible. ([\#8296](matrix-org/synapse#8296))
- Support testing the local Synapse checkout against the [Complement homeserver test suite](https://github.com/matrix-org/complement/). ([\#8317](matrix-org/synapse#8317))
- Update outdated usages of `metaclass` to python 3 syntax. ([\#8326](matrix-org/synapse#8326))
- Move lint-related dependencies to package-extra field, update CONTRIBUTING.md to utilise this. ([\#8330](matrix-org/synapse#8330), [\#8377](matrix-org/synapse#8377))
- Use the `admin_patterns` helper in additional locations. ([\#8331](matrix-org/synapse#8331))
- Fix test logging to allow braces in log output. ([\#8335](matrix-org/synapse#8335))
- Remove `__future__` imports related to Python 2 compatibility. ([\#8337](matrix-org/synapse#8337))
- Simplify `super()` calls to Python 3 syntax. ([\#8344](matrix-org/synapse#8344))
- Fix bad merge from `release-v1.20.0` branch to `develop`. ([\#8354](matrix-org/synapse#8354))
- Factor out a `_send_dummy_event_for_room` method. ([\#8370](matrix-org/synapse#8370))
- Improve logging of state resolution. ([\#8371](matrix-org/synapse#8371))
- Add type annotations to `SimpleHttpClient`. ([\#8372](matrix-org/synapse#8372))
- Refactor ID generators to use `async with` syntax. ([\#8383](matrix-org/synapse#8383))
- Add `EventStreamPosition` type. ([\#8388](matrix-org/synapse#8388))
- Create a mechanism for marking tests "logcontext clean". ([\#8399](matrix-org/synapse#8399))
- A pair of tiny cleanups in the federation request code. ([\#8401](matrix-org/synapse#8401))
- Add checks on startup that PostgreSQL sequences are consistent with their associated tables. ([\#8402](matrix-org/synapse#8402))
- Do not include appservice users when calculating the total MAU for a server. ([\#8404](matrix-org/synapse#8404))
- Typing fixes for `synapse.handlers.federation`. ([\#8422](matrix-org/synapse#8422))
- Various refactors to simplify stream token handling. ([\#8423](matrix-org/synapse#8423))
- Make stream token serializing/deserializing async. ([\#8427](matrix-org/synapse#8427))
@Breee
Copy link

Breee commented Oct 22, 2020

Does not work for me, I still get this error:

synapse_1     | 2020-10-22 15:21:59,168 - synapse.http.client - 381 - INFO - GET-5 - Received response to POST https://domain.com/auth/realms/internal/protocol/openid-connect/token: 200
synapse_1     | 2020-10-22 15:21:59,168 - synapse.handlers.oidc_handler - 490 - INFO - GET-5 - Reloading JWKS after decode error
synapse_1     | 2020-10-22 15:21:59,173 - synapse.http.client - 381 - INFO - GET-5 - Received response to GET https://domain/auth/realms/internal/.well-known/openid-configuration: 200
synapse_1     | 2020-10-22 15:21:59,174 - synapse.handlers.oidc_handler - 693 - ERROR - GET-5 - Invalid id_token
synapse_1     | Traceback (most recent call last):
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 487, in _parse_id_token
synapse_1     |     claims_params=claims_params,
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7519/jwt.py", line 99, in decode
synapse_1     |     data = self._jws.deserialize_compact(s, load_key, decode_payload)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
synapse_1     |     algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
synapse_1     |     key = algorithm.prepare_key(key)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
synapse_1     |     return RSAKey.import_key(raw_data)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 117, in import_key
synapse_1     |     b'ssh-rsa', options
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 247, in import_key
synapse_1     |     cls.check_required_fields(raw)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
synapse_1     |     raise ValueError('Missing required field: "{}"'.format(k))
synapse_1     | ValueError: Missing required field: "e"
synapse_1     | 
synapse_1     | During handling of the above exception, another exception occurred:
synapse_1     | 
synapse_1     | Traceback (most recent call last):
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 691, in handle_oidc_callback
synapse_1     |     userinfo = await self._parse_id_token(token, nonce=nonce)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 497, in _parse_id_token
synapse_1     |     claims_params=claims_params,
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7519/jwt.py", line 99, in decode
synapse_1     |     data = self._jws.deserialize_compact(s, load_key, decode_payload)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
synapse_1     |     algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
synapse_1     |     key = algorithm.prepare_key(key)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
synapse_1     |     return RSAKey.import_key(raw_data)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 117, in import_key
synapse_1     |     b'ssh-rsa', options
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 247, in import_key
synapse_1     |     cls.check_required_fields(raw)
synapse_1     |   File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
synapse_1     |     raise ValueError('Missing required field: "{}"'.format(k))
synapse_1     | ValueError: Missing required field: "e"

could you share your config @Rafaeltheraven ?

@clokep
Copy link
Member

clokep commented Oct 22, 2020

@Breee If you are not using Docker / apt packages you might have to upgrade the authlib package manually.

@Breee
Copy link

Breee commented Oct 22, 2020

@clokep I'm using the image matrixdotorg/synapse:latest and also tried matrixdotorg/synapse:v1.22.0rc1

config is:

oidc_config:
  enabled: true
  discover: true
  issuer: "https://xxxxxx/auth/realms/internal"
  client_id: "matrix-client"
  client_secret: "xxxxxxxxxxxx"
  scopes: ["openid", "profile"]

@Breee
Copy link

Breee commented Oct 22, 2020

Fixed. My user_mapping_provider settings were somehow wrong.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
A-SSO Single Sign-On (maybe OIDC) z-regression (Deprecated Label) Z-Upstream-Bug This issue requires a fix in an upstream dependency.
Projects
None yet
Development

No branches or pull requests

7 participants