Switch matrix authentication to Keycloak

Upstream has documentation for setting up Matrix with Keycloak.

• How do we migrate/switch over existing users?
• Implement Keycloak/Matrix integration

Adding these lines to keycloak.tf creates a client that works but is not restricted to a group or role:

data "external" "vault_matrix" {
  program = ["${path.module}/../misc/get_key.py", "group_vars/all/vault_matrix.yml",
    "vault_matrix_openid_client_secret",
    "--format", "json"]
}

resource "keycloak_openid_client" "openid_matrix" {
  realm_id = "archlinux"
  client_id = "openid_matrix"
  client_secret = data.external.vault_matrix.result.vault_matrix_openid_client_secret

  name = "Arch Linux Matrix Accounts"
  enabled = true
 
  access_type = "CONFIDENTIAL"
  standard_flow_enabled = true
  valid_redirect_uris = [
    "https://matrix.archlinux.org/_synapse/oidc/callback"
  ]
}

AFAIU we need to attach an authorization policy to the client in order to restrict it to a group or role. Unfortunately, the terraform-provider-keycloak docs do not cover this. It's in the examples, though: https://github.com/mrparkers/terraform-provider-keycloak/tree/master/example

assigned to @lambdaclan

Synapse only requests the openid and profile scopes so that's one more thing we could lock down (disabling the default scopes).

added hinthelp-wanted scopesecurity labels

A PR is in progress to allow matching existing users to OIDC users

That's not an PR we need to wait for. I've already found out how to alter Synapse's database in order to associate existing users with OpenID accounts, by inserting rows into the user_external_ids table.

@jelle @heftig @svenstaro

A long overdue update regarding this topic. I have been trying to setup a local environment so that I have a sandbox of sorts to test things out but unfortunately until now it has proven to be quite a hurdle.

I have closely been following the official Synapse documentation regarding OIDC and even got in touch with some of the developers for some pointers but the issue still persists.

The problem might be related to self-signed certificates. As per the documentation:

Note that for an OP to work, it should be served under a secure (HTTPS) origin. A certificate signed with a self-signed, locally trusted CA should work. In that case, start Synapse with a SSL_CERT_FILE environment variable set to the path of the CA.

I have tried using mkcert to generate the certificates on my own as well as out of the box custom DNS servers like traefik.me to avoid messing up with /etc/hosts but none of the options seem to work.

Both Keycloak and Synapse run correctly and are served under secure HTTPS, the problem arises the moment I enable OIDC support in the Synapse homeserver.yaml file.

Keycloak setup:

Synapse setup (OIDC disabled):

enabling OIDC:

oidc_config:
  # Uncomment the following to enable authorization against an OpenID Connect
  # server. Defaults to false.
  #
  enabled: true
  # issuer: "https://172.19.0.3:8443/auth/realms/awesome"
  issuer: "https://keycloak:8443/auth/realms/awesome"
  client_id: "synapse"
  client_secret: "ccac0277-2702-42f2-ac26-fe6a1f68a1c1"
  scopes: ["openid", "profile"]

disabling OIDC:

Things I have tried but did not work:

• copy the custom certificates I made or the ones provided by the custom DNS servers and place them under /etc/ssl/certs in the Synapse container as advised by the devs
• use the SSL_CERT_FILE env variable as described in the docs
• copy the certificates under /usr/local/share/ca-certficates and run an update-ca-certificates

more info:

At this point, I am bit lost on how to continue. Do we raise an issue with upstream? Any of you guys want to give it a shot on your side? I can share the docker-compose file if you want.

Any feedback would be appreciated.

Sorry, I have no experience setting synapse up with docker, or keycloak for that matter.

As I mentioned above, I already managed to get the authentication working. We just need to restrict the client on the keycloak side to only work for team members, not everyone.

As mentioned on IRC a few days ago recent updates in the synapse docker image seem to have eliminated the SSL issue. When the synapse service launches I even get notification from the keycloak service about the self signed cert:

keycloak_1 | 06:52:34,456 WARN [org.jboss.as.domain.management.security] (default I/O-6) WFLYDM0113: Generated self signed certificate at /opt/jboss/keycloak/standalone/configuration/application.keystore. Please note that self signed certificates are not secure, and should only be used for testing purposes. Do not use this self signed certificate in production.

Problem is that synapse still fails with:

Error sending request to GET https://keycloak:8443/auth/realms/awesome/.well-known/openid-configuration: RequestTimedOutError 504: Timeout waiting for response from remote server

I posted a question on the synapse admins matrix channel but unfortunately I did not receive any feedback which makes me think that very few people are trying a docker based setup. I have been messing up with this for quite some time now so I will just go ahead a post a question upstream and hopefully I can get some pointers of what might be wrong.

The problem is that I am not sure if it is a synapse issue or a docker networking setup issue that is causing the error.

I will update the comment once I report the issue upstream.

Issue reported: https://github.com/matrix-org/synapse/issues/8741 I will keep an eye on it and hopefully I get some pointers.

mentioned in commit 0e40f223

mentioned in merge request !348 (merged)

mentioned in commit 3e475457

mentioned in commit afebcd08

closed with merge request !348 (merged)

closed with commit 3e475457