Native OIDC #2079
Comments
Hi @kfiven, I've opted into MSC3861 which changes synapse's auth system to OIDC in my homeserver.yaml:

    experimental_features:
      msc3861:
        enabled: true
        client_id: _oidc_client_id_
        client_secret: _oidc_client_secret_
        issuer: https://_oidc_hostname_

Now synapse responds to

To help migration, the Matrix maintainers have released the matrix-authentication-service (MAS) to translate the

The matrix maintainers stated in the Matrix 2 announcement that they plan to decommission MAS on matrix.org soon. Given the choice, I'd much rather add native OIDC behaviour to Cinny than get MAS working. At the moment, Cinny only requests the
Using that response, Cinny needs to construct its own OIDC redirect URL and handle when the OIDC server redirects the user's browser back to Cinny. The redirect URL will contain a code which Cinny can then exchange with the OIDC server for an access token. I'm happy to help if you have any questions with regards to the OIDC redirect login flow.

If I understand the recent blogpost correctly, this will be the only way to authenticate on matrix.org after February 10 (barely a month away). So this may be a high priority issue.

Thanks for sharing that blogpost, it's nice to get some clarity on the situation:

Based on our discussion above, Cinny should continue to work after Feb 10. However, I believe the intention is to decommission MAS once enough clients perform the OIDC sign-in flow themselves (Native OIDC).

Describe the problem
Matrix is adopting OpenID Connect (OIDC) for authentication so clients will need to implement "Native OIDC".
Describe the solution you'd like
This means Cinny will need to:
Authorization header of Matrix API requests.
Alternatives considered
No response
Additional context
I have some experience implementing these flows so can provide assistance. However I think it would be best if a maintainer integrates the feature into the codebase.
There's a good overview of the process here: https://areweoidcyet.com/client-implementation-guide/