Description
Synapse version v1.12.1 (latest Docker image): SSO does not work with Keycloak.
Here is the error msg:
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
return RSAKey.import_key(raw_data)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 119, in import_key
b'ssh-rsa', options
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 277, in import_key
cls.check_required_fields(raw)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
raise ValueError('Missing required field: "{}"'.format(k))
ValueError: Missing required field: "e"
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 688, in handle_oidc_callback
userinfo = await self._parse_id_token(token, nonce=nonce)
File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 494, in _parse_id_token
claims_params=claims_params,
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7519/jwt.py", line 98, in decode
data = self._jws.deserialize_compact(s, load_key, decode_payload)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
key = algorithm.prepare_key(key)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
return RSAKey.import_key(raw_data)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 119, in import_key
b'ssh-rsa', options
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 277, in import_key
cls.check_required_fields(raw)
File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
raise ValueError('Missing required field: "{}"'.format(k))
ValueError: Missing required field: "e"
With Synapse version v1.20.1 it works.
It looks like a new version of authlib was released on Oct 10, it might be related to that.
Just to confirm, in the description this says v1.12.1, I think you meant v1.21.1?
Yes, you are right, it is version 1.21.1.
Not just docker, I'm getting the exact same issue on the Debian package. Luckily already existing sessions are unaffected
Ran into this issue as well. In my case removing the openid scope solved the issue. Could be something wrong with my Keycloak though as well... but it now seems to work.
From chatter in #synapse:matrix.org we think that this is lepture/authlib#280 which is fixed in v0.15.1 of authlib (which was just released).
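As an added illustration, not code from Synapse or authlib, of the check the tracebacks above fail in: a stdlib-only Python script that selects the key from a JWK Set by kid, enforces the required RSA public fields, decodes n and e, and flags small moduli, so an admin can audit what the IdP's jwks_uri actually returns before blaming the homeserver. The JWKS contents, the kids and the helper names (select_jwk, inspect_rsa_jwk, audit_jwks) are constructed for this example.

```python
import base64

# Fields an RSA public JWK must carry before it can be imported; the tracebacks
# in this thread show check_required_fields raising on the first one absent.
RSA_PUBLIC_REQUIRED = ("e", "n")
MIN_RSA_BITS = 2048  # moduli below this are flagged, not rejected


def b64url_to_int(value):
    """Decode an unpadded base64url big-endian integer (JWK n/e encoding)."""
    padded = value + "=" * (-len(value) % 4)
    return int.from_bytes(base64.urlsafe_b64decode(padded), "big")


def check_required_fields(jwk):
    for field in RSA_PUBLIC_REQUIRED:
        if field not in jwk:
            raise ValueError('Missing required field: "{}"'.format(field))


def select_jwk(jwks, kid):
    """Pick the single key from a JWK Set matching the id_token header kid."""
    for jwk in jwks.get("keys", []):
        if jwk.get("kid") == kid:
            return jwk
    raise LookupError("no key with kid={!r} in JWKS".format(kid))


def inspect_rsa_jwk(jwk):
    """Validate one RSA JWK and return its public parameters as integers."""
    check_required_fields(jwk)  # a whole JWK Set handed in here fails on "e"
    if jwk.get("kty") != "RSA":
        raise ValueError("not an RSA key: kty={!r}".format(jwk.get("kty")))
    n, e = b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"])
    if e < 3 or e % 2 == 0:
        raise ValueError("invalid RSA public exponent")
    return {"kid": jwk.get("kid"), "bits": n.bit_length(), "e": e,
            "weak": n.bit_length() < MIN_RSA_BITS}


def audit_jwks(jwks):
    """Check every key in a JWK Set; map kid -> summary dict or error text."""
    report = {}
    for jwk in jwks.get("keys", []):
        try:
            report[jwk.get("kid")] = inspect_rsa_jwk(jwk)
        except ValueError as exc:
            report[jwk.get("kid")] = str(exc)
    return report


# Constructed JWK Set shaped like a jwks_uri response; the modulus is a made-up
# 2048-bit number, not a real Keycloak key. "broken" deliberately lacks "e".
_N = base64.urlsafe_b64encode((2**2047 + 12345).to_bytes(256, "big")).rstrip(b"=").decode()
SAMPLE_JWKS = {"keys": [
    {"kid": "good", "kty": "RSA", "alg": "RS256", "use": "sig", "n": _N, "e": "AQAB"},
    {"kid": "broken", "kty": "RSA", "alg": "RS256", "use": "sig", "n": _N},
]}

if __name__ == "__main__":
    print(audit_jwks(SAMPLE_JWKS))
```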
Now that we know a (highly likely) fix, any idea on how long getting a patch could take? This is a huge issue for one of my friends who wipes their browser every time and thus needs to login a lot
If we had confirmation that upgrading the authlib package fixes it, I think we could probably do a 1.21.2 which simply updates the dependency.
Hi, Authlib has just released v0.15.1 to backward support raw JWKs.
@Rafaeltheraven @jaywink @vidyo-emp are any of you able to install authlib 0.15.1 to confirm if that fixes the issue (should be just a matter of env/bin/pip install --upgrade authlib)?
Can confirm that for the instance I have upgrading this in the container and restarting fixes the issue :+1:
This should be fixed in the v1.21.2 release of Docker / debs. Please shout if there are more issues. (Note that the debs aren't yet uploaded but will be shortly.)
@Rafaeltheraven confirmed that this is working on v1.21.2 in #synapse:matrix.org 🎉
Does not work for me, I still get this error:
synapse_1 | 2020-10-22 15:21:59,168 - synapse.http.client - 381 - INFO - GET-5 - Received response to POST https://domain.com/auth/realms/internal/protocol/openid-connect/token: 200
synapse_1 | 2020-10-22 15:21:59,168 - synapse.handlers.oidc_handler - 490 - INFO - GET-5 - Reloading JWKS after decode error
synapse_1 | 2020-10-22 15:21:59,173 - synapse.http.client - 381 - INFO - GET-5 - Received response to GET https://domain/auth/realms/internal/.well-known/openid-configuration: 200
synapse_1 | 2020-10-22 15:21:59,174 - synapse.handlers.oidc_handler - 693 - ERROR - GET-5 - Invalid id_token
synapse_1 | Traceback (most recent call last):
synapse_1 | File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 487, in _parse_id_token
synapse_1 | claims_params=claims_params,
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7519/jwt.py", line 99, in decode
synapse_1 | data = self._jws.deserialize_compact(s, load_key, decode_payload)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
synapse_1 | algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
synapse_1 | key = algorithm.prepare_key(key)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
synapse_1 | return RSAKey.import_key(raw_data)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 117, in import_key
synapse_1 | b'ssh-rsa', options
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 247, in import_key
synapse_1 | cls.check_required_fields(raw)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
synapse_1 | raise ValueError('Missing required field: "{}"'.format(k))
synapse_1 | ValueError: Missing required field: "e"
synapse_1 |
synapse_1 | During handling of the above exception, another exception occurred:
synapse_1 |
synapse_1 | Traceback (most recent call last):
synapse_1 | File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 691, in handle_oidc_callback
synapse_1 | userinfo = await self._parse_id_token(token, nonce=nonce)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/synapse/handlers/oidc_handler.py", line 497, in _parse_id_token
synapse_1 | claims_params=claims_params,
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7519/jwt.py", line 99, in decode
synapse_1 | data = self._jws.deserialize_compact(s, load_key, decode_payload)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 102, in deserialize_compact
synapse_1 | algorithm, key = self._prepare_algorithm_key(jws_header, payload, key)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7515/jws.py", line 258, in _prepare_algorithm_key
synapse_1 | key = algorithm.prepare_key(key)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_jws.py", line 41, in prepare_key
synapse_1 | return RSAKey.import_key(raw_data)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 117, in import_key
synapse_1 | b'ssh-rsa', options
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7518/_cryptography_backends/_keys.py", line 247, in import_key
synapse_1 | cls.check_required_fields(raw)
synapse_1 | File "/usr/local/lib/python3.7/site-packages/authlib/jose/rfc7517/models.py", line 120, in check_required_fields
synapse_1 | raise ValueError('Missing required field: "{}"'.format(k))
synapse_1 | ValueError: Missing required field: "e"
Could you share your config, @Rafaeltheraven?
@Breee If you are not using Docker / apt packages you might have to upgrade the authlib package manually.
@clokep I'm using the image matrixdotorg/synapse:latest and also tried matrixdotorg/synapse:v1.22.0rc1
config is:
oidc_config:
  enabled: true
  discover: true
  issuer: "https://xxxxxx/auth/realms/internal"
  client_id: "matrix-client"
  client_secret: "xxxxxxxxxxxx"
  scopes: ["openid", "profile"]
Fixed. My user_mapping_provider settings were somehow wrong.