getting server admin API tokens #2913

Open
matrixbot opened this issue Sep 10, 2024 · 2 comments

Comments

@matrixbot
Collaborator

This issue was originally created by @joepitt91 at matrix-org/matrix-authentication-service#2913.

I've got some automation scripts which use the _synapse/admin/... API endpoints, which need an authentication token.

Before MAS

Previously I:

  1. Set admin to 1 for my users in the Synapse DB,
  2. Logged into Element Desktop, and
  3. Used the token from the advanced settings page.

With MAS

Since switching to MAS this method no longer works, as per the docs, with this error:

{"errcode":"M_FORBIDDEN","error":"You are not a server admin"}

While the docs say that Synapse will no longer manage who is an admin, I couldn't see anything about how to manage this in MAS.

Workaround

As a workaround I've:

  1. Set can_request_admin to true for my user in users in the MAS DB,
  2. Log into Element Desktop,
  3. Find my token in advanced settings,
  4. Find the associated compat_session_id in compat_access_tokens based on access_token (surprised tokens are stored in plain-text not salted and hashed - by design?),
  5. Update is_synapse_admin to true in compat_sessions for my compat_session_id,
  6. Use token from Element Desktop.

Proposed Solution

This feels very hacky, the sort of flow that I think would be ideal is:

  1. Log in to MAS web UI.
  2. is_synapse_admin is updated on the fly based on a configurable OIDC role attestation (maybe a CLI option to toggle as a fallback).
  3. Click a button to generate a token.
  4. Dialog opens to:
    1. Set a friendly name,
    2. Toggle a checkbox for if it should be an admin token (only shown for users where is_synapse_admin is true), and
    3. Optionally, set an expiry period.
  5. The new Token is shown once then unrecoverable through the UI.
  6. Web UI has a tab for tokens, just like sessions and browsers, to allow manual revocation before expiry.

Questions

  1. Is there a better way than my workaround to do this currently?
  2. Would it be possible to get my proposed solution on the backlog - appreciate it may not be a high priority?

Thanks
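Steps 4 and 5 of the workaround above, written as a single guarded PostgreSQL transaction; this is an added example, not code from the issue author or from the MAS project. It assumes the tables and columns the issue names (users.can_request_admin, compat_access_tokens.access_token and compat_session_id, compat_sessions.is_synapse_admin), plus compat_sessions.user_id and compat_sessions.finished_at, and uses a placeholder in place of the real token.

```sql
-- Added example (not from the issue or the MAS project).
-- Assumed schema: users(user_id, can_request_admin),
-- compat_sessions(compat_session_id, user_id, finished_at, is_synapse_admin),
-- compat_access_tokens(compat_session_id, access_token).
BEGIN;

-- Step 4: find the compat session behind the token copied from Element
-- Desktop. Only match sessions whose user was already flagged in step 1
-- (can_request_admin) and that are still active (finished_at IS NULL).
WITH target AS (
    SELECT cs.compat_session_id
    FROM compat_access_tokens cat
    JOIN compat_sessions cs ON cs.compat_session_id = cat.compat_session_id
    JOIN users u ON u.user_id = cs.user_id
    WHERE cat.access_token = '<PASTE_TOKEN_HERE>'   -- placeholder, not a real token
      AND u.can_request_admin = TRUE
      AND cs.finished_at IS NULL
)
-- Step 5: mark exactly that session as a Synapse admin session.
UPDATE compat_sessions cs
SET is_synapse_admin = TRUE
FROM target
WHERE cs.compat_session_id = target.compat_session_id;

-- Check the result before committing: expect exactly one row with
-- is_synapse_admin = true. If zero or several rows come back, ROLLBACK.
SELECT cs.compat_session_id, cs.user_id, cs.is_synapse_admin
FROM compat_sessions cs
JOIN compat_access_tokens cat ON cat.compat_session_id = cs.compat_session_id
WHERE cat.access_token = '<PASTE_TOKEN_HERE>';      -- same placeholder

COMMIT;
```

Because the flag lives on the session, not the user, it is lost when that Element session is signed out, which is the reason the workaround has to be repeated per login.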

@xundeenergie

I would expect to set some scope in keycloak, which gains mas and/or synapse admin permissions for a user.
