Hello,
It seems there is a problem with how CAS validation is handled in login.py#L420.
service_url: https://matrix.domain
You'll see it doesn't work and if I'm not mistaken it is because in login.py#L397 we ask for a ticket with a service in the form of https://matrix.domain/_matrix/client/api/v1/login/cas/ticket?redirectUrl=***.
But when we validate the ticket, we only send cas_service_url which lacks the /_matrix/client/api/v1/login/cas/ticket?redirectUrl=*** part so CAS fails the validation saying the ticket was used for another service than the one it was created for.
I don't know if earlier versions were more lenient on validation, but I got it to work by replacing line 420 by this line:
"service": self.cas_service_url + request.uri[:request.uri.find("&ticket")]
But I'm sure there's a better way to do it...
I believe #2404 may be related to this problem.
same issue
The problem still exists in matrix-synapse-py3 0.99.2+stretch1
matrix-synapse-0.99.2-CAS-fix.diff.gz
The service URL given to CAS is not supposed to change as long as synapse configuration stays the same, so we can have CasRedirectServlet store the url somewhere and later get it back in CasTicketServlet
This ticket is so old. I came across the same problem. So how are others using CAS? It seems impossible to me, or can there be a less strict validation on the CAS side?
we should implement the patch though! thanks @mijutu
I had the same problem. I can confirm the patch works.
// EDIT:
After we implemented JSON in our CAS server, it seems to be working BUT we had to disable the service URL validation in our case to get this working. So this bug is still there.
Why is no one fixing it or applying the provided workaround/fix?
The old patch didn't apply, so I made a new one.
so somebody opened a pull request with @mijutu's patch at https://github.com/matrix-org/synapse/pull/5044; however I had questions about it which were never answered so we had to close the PR.
@mijutu: perhaps you could open a PR so that we can work on landing your changes?
We had a pull request and there richvdh commented that the solution I used was wrong. I think he is correct. If two CAS logins happen at the same time, then users might end up at a wrong url.
Probability of two simultaneous CAS logins is small because CAS is used only at the initial login. Browsers remember access tokens and CAS is rarely used.
Homeserver owners might be able to use my patch for months or years without having issues, but if it's wrong, then it's wrong and shouldn't be merged.
matrix-synapse-1.7.2-CAS-fix.diff.gz
Here is a better fix for the problem. CasTicketServlet generates the service parameter from synapse config and redirectUrl parameter of the request.
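To make the mismatch and the concurrency objection concrete, here is an added example that is not synapse's code and not any commenter's patch: a toy CAS server plus both legs of the login, with the bare-service-URL validation, the config-plus-redirectUrl fix, and the shared-stored-URL variant side by side. Everything in it (FakeCasServer, login_flow, stored_url_flow, the example hostnames) is hypothetical; only the ticket endpoint path comes from the issue.

```python
# Added example, not synapse code: a toy CAS server plus both halves of synapse's
# CAS login (redirect leg, ticket-validation leg). Shows why validation fails when
# the legs disagree about `service`, and why one shared stored URL breaks under
# two interleaved logins. All names here (FakeCasServer, login_flow, ...) are hypothetical.
from urllib.parse import parse_qs, urlencode, urlparse

CAS_TICKET_PATH = "/_matrix/client/api/v1/login/cas/ticket"  # path quoted in the issue


def cas_service_for(cas_service_url: str, redirect_url: str) -> str:
    """Service URL that must be identical on the /login and /serviceValidate legs."""
    return cas_service_url.rstrip("/") + CAS_TICKET_PATH + "?" + urlencode({"redirectUrl": redirect_url})


class FakeCasServer:
    """Minimal CAS: tickets are single-use and bound to the service they were issued for."""
    def __init__(self):
        self._tickets, self._n = {}, 0

    def login(self, service):
        self._n += 1
        ticket = f"ST-{self._n}"
        self._tickets[ticket] = service
        return ticket

    def service_validate(self, service, ticket):
        bound = self._tickets.pop(ticket, None)
        if bound is None:
            return (False, "INVALID_TICKET")
        if bound != service:
            return (False, "INVALID_SERVICE")  # the error the reporter saw
        return (True, "OK")


def login_flow(cas, cas_service_url, redirect_url, bare_service_on_validate):
    """One user's login. The bug: validating with the bare cas_service_url."""
    ticket = cas.login(cas_service_for(cas_service_url, redirect_url))  # CasRedirectServlet leg
    if bare_service_on_validate:
        claimed = cas_service_url  # old line-420 behaviour
    else:  # fix: rebuild the service from config + the request's own redirectUrl
        request_uri = CAS_TICKET_PATH + "?" + urlencode({"redirectUrl": redirect_url, "ticket": ticket})
        claimed = cas_service_for(cas_service_url, parse_qs(urlparse(request_uri).query)["redirectUrl"][0])
    return cas.service_validate(claimed, ticket)


def stored_url_flow(cas, cas_service_url, redirect_urls):
    """The rejected approach: one stored URL shared by all in-flight logins."""
    stored, tickets = {}, []
    for redirect_url in redirect_urls:  # both users redirected before either returns
        stored["service"] = cas_service_for(cas_service_url, redirect_url)
        tickets.append(cas.login(stored["service"]))
    return [cas.service_validate(stored["service"], t) for t in tickets]
```

With two interleaved logins, stored_url_flow validates the first user's ticket against the second user's service, so the first login is rejected; rebuilding the service from the request itself has no such shared state.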
@mijutu please could you open a PR with your patch so that we can read and discuss it?
fixed by #6634. Thanks @Naugrimm!