MSC4190 login fails with MAS, due to unnecessarily checking for login flows #177

meson800 opened this issue Apr 16, 2025 · 2 comments · May be fixed by #178
Labels
bug Something isn't working

Comments

@meson800

Synopsis

If you enable MSC4190 on the master branch here on a homeserver that is using OIDC delegation (in this case, to MAS), the call to get_login_flows fails. However, this call is unnecessary (AFAIK) in the case when MSC4190 is in use.

Error logs:

When using a bridge built against the bleeding-edge master of this library, you get this error because the bridge tries to hit _matrix/client/v3/login even though MSC4190 is enabled (and enabled in bridge config).

[[email protected]] req #5: GET http://synapse/_matrix/client/v3/login None
[[email protected]] req #5 (/v3/login) completed in 1.6ms with status 404
[[email protected]] Unexpected error in main event loop
Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/mautrix/util/program.py", line 211, in _run
    self.loop.run_until_complete(self.start())
  File "/usr/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
    return future.result()
           ^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mautrix_googlechat/__main__.py", line 84, in start
    await super().start()
  File "/usr/lib/python3.11/site-packages/mautrix/bridge/bridge.py", line 254, in start
    await self.matrix.init_encryption()
  File "/usr/lib/python3.11/site-packages/mautrix/bridge/matrix.py", line 299, in init_encryption
    await self.e2ee.start()
  File "/usr/lib/python3.11/site-packages/mautrix/bridge/e2ee.py", line 250, in start
    flows = await self.client.get_login_flows()
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mautrix/client/api/authentication.py", line 46, in get_login_flows
    resp = await self.api.request(Method.GET, Path.v3.login)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mautrix/api.py", line 425, in request
    resp_data, resp = await self._send(
                      ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mautrix/api.py", line 265, in _send
    raise make_request_error(
mautrix.errors.request.MUnrecognized: Unrecognized request

This happens because the _matrix/client/v3/login endpoint is reverse proxied to MAS, which, in my deploy, is outside of my docker containers.

Fix

Luckily, this call to get_login_flows is unneeded. In the mautrix-go library, if MSC4190 support is enabled, the GetLoginFlows call is skipped.

I will submit a pull request today with the reordered version of the equivalent call in the library, after I confirm that the logic from the Go library works in the Python library, and works for this bridge.

@meson800 meson800 added the bug Something isn't working label Apr 16, 2025
@tulir
Member

tulir commented Apr 16, 2025

That sounds like your setup is broken. GET /_matrix/client/v3/login still works with MAS. See matrix.org for example: https://matrix-client.matrix.org/_matrix/client/v3/login (you can tell it's MAS from the presence of org.matrix.msc3824.delegated_oidc_compatibility)

@meson800
Author

meson800 commented Apr 16, 2025

My bridges live within a docker bridge network and connect to Synapse without a reverse proxy, so yeah I suppose from the bridge perspective this is (now) broken. Externally, I have a reverse proxy that points the /_matrix/client/*/login to the MAS container, and other endpoints to the Synapse container, so connecting from any client, including Element X works great.

I guess I could stand up a reverse proxy within Docker just for this purpose, but I still think it's still unnecessary though to make the login flows call if MSC4190 is enabled? I'm running a lot of the mautrix go bridgev2 bridges which work fine under MSC4190 and they don't make login calls.

As in, the flows variable is unused in the Python bridge if MSC4190 is enabled right now.

meson800 added a commit to meson800/mautrix-python that referenced this issue Apr 16, 2025
Currently, the homeserver login flows are checked even if MSC4190 is
enabled. However, the `flows` variable is unused when MSC4190 is
enabled.

This is an unnecessary network call, and also e.g. requires a
reverse proxy solely for this purpose if bridges would otherwise
directly connect to a homeserver that is delegating OIDC authentication.

Closes mautrix#177.
@meson800 meson800 linked a pull request Apr 16, 2025 that will close this issue
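
The reordering discussed in this issue, as an added sketch that is not code from mautrix-python or from the linked pull request. `StubClient`, `start_unconditional`, `start_guarded` and the `create_device` / `appservice_login` methods are hypothetical names; the stub raises on the login-flows request to model a bridge that reaches the homeserver directly, where `/_matrix/client/v3/login` is not served.

```python
import asyncio

APPSERVICE_LOGIN = "m.login.application_service"

class MUnrecognized(Exception):
    """Stand-in for the 404 'Unrecognized request' error in the traceback."""

class StubClient:
    """Hypothetical client; login_routed=False models the direct connection."""

    def __init__(self, login_routed):
        self.login_routed = login_routed
        self.calls = []  # record of the requests this stub was asked to make

    async def get_login_flows(self):
        self.calls.append("get_login_flows")
        if not self.login_routed:
            raise MUnrecognized("Unrecognized request")
        return [APPSERVICE_LOGIN]

    async def create_device(self):  # assumed MSC4190-style device setup
        self.calls.append("create_device")

    async def appservice_login(self):
        self.calls.append("appservice_login")

async def start_unconditional(client, msc4190):
    """Order described in the issue: flows are fetched before the MSC4190 check."""
    flows = await client.get_login_flows()
    if msc4190:
        await client.create_device()  # flows is never used on this path
    elif APPSERVICE_LOGIN in flows:
        await client.appservice_login()
    else:
        raise RuntimeError("homeserver does not advertise appservice login")
    return client.calls

async def start_guarded(client, msc4190):
    """Reordered: the login-flows request is made only when its result is used."""
    if msc4190:
        await client.create_device()
        return client.calls
    flows = await client.get_login_flows()
    if APPSERVICE_LOGIN not in flows:
        raise RuntimeError("homeserver does not advertise appservice login")
    await client.appservice_login()
    return client.calls

def run(start, login_routed, msc4190):
    return asyncio.run(start(StubClient(login_routed), msc4190))
```
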