!QQpfJfZvqxbCfeDgCj:matrix.org

This Week in Matrix (TWIM)

1382 Members
A new edition of TWIM every Friday! Please submit details of your Matrix projects here before/on Friday! | Guide on how to write a twim entry is at https://matrix.org/twim-guide | Find all previous issues at https://matrix.org/twim | Offtopic in #twim-offtopic-continuation:bpulse.org plz
536 Servers



7 Nov 2024
@bgtlover:stealthy.club bgt lover
well, because people at matrix conf talked a lot about that kind of stuff, and then occasionally other people go to homeserver admins and recommend us MAS, because it's the new auth, it'll be soon present in synapse and all other homeservers as the default auth API, but then some of the use cases matrix also was suited well for aren't so well workable anymore, aka anything without a web browser, anything which does automated signing in, for example IOT devices. So, the issue where I can't properly manage users and such when MAS is on is fixed? very good! I turned MAS off because it broke my bridges, but when that'll be fixed, it's good that the hurdles with synapse admin aren't gonna happen when this stuff gets out of beta.
23:11:42
@mtrnord:midnightthoughts.space MTRNord (they/them)
but oauth does support service accounts? so bots and stuff works just fine as always. Also MAS already provides password login compatibility APIs...
23:12:50
@mtrnord:midnightthoughts.space MTRNord (they/them)
(and yes I know that at this time MAS has no service account support. Oauth however does support it and I am sure MAS people are aware of bots and bridges)
23:13:25
@aine:etke.cc Aine [don't DM]
In reply to @bgtlover:stealthy.club
well, because people at matrix conf talked a lot about that kind of stuff, and then occasionally other people go to homeserver admins and recommend us MAS, because it's the new auth, it'll be soon present in synapse and all other homeservers as the default auth API, but then some of the use cases matrix also was suited well for aren't so well workable anymore, aka anything without a web browser, anything which does automated signing in, for example IOT devices. So, the issue where I can't properly manage users and such when MAS is on is fixed? very good! I turned MAS off because it broke my bridges, but when that'll be fixed, it's good that the hurdles with synapse admin aren't gonna happen when this stuff gets out of beta.
Understandable
23:13:39
@aine:etke.cc Aine [don't DM]
In reply to @mtrnord:midnightthoughts.space
but oauth does support service accounts? so bots and stuff works just fine as always. Also MAS already provides password login compatibility APIs...
Not yet - there are a lot of problems currently: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-matrix-authentication-service.md#expectations
23:15:38
@mtrnord:midnightthoughts.space MTRNord (they/them)
well I said that in my second message
23:16:31
@aine:etke.cc Aine [don't DM]
In reply to @mtrnord:midnightthoughts.space
well I said that in my second message
My point is that apart from service accounts there are other limitations
23:17:36
@emma:rory.gay Emma [it/its]
i still dont like the concept of separating service accounts from regular accounts
23:20:50
@mtrnord:midnightthoughts.space MTRNord (they/them)
In reply to @emma:rory.gay
i still dont like the concept of separating service accounts from regular accounts
There is no separation. Service account in OAuth2 is just a preshared crypto cert for login.
23:21:28
@emma:rory.gay Emma [it/its]
ah
23:21:42
@bgtlover:stealthy.club bgt lover
In reply to @mtrnord:midnightthoughts.space
but oauth does support service accounts? so bots and stuff works just fine as always. Also MAS already provides password login compatibility APIs...
it does? when I installed it and turned it on, immediately all my devices signed out, one copy of element, I think element X, was stuck there, showing older messages, and I had no way of manually signing it out, because I can't find the settings button on the screen, perhaps it's not in the accessibility tree. I dk why, could have been a glitch, hopefully it didn't happen to anyone else. Service accounts, yeah, I think that's what I'm looking for indeed, if MAS supports most oauth features, that'd be even better. Personally, can't wait for it to no longer break my bridges and sign me out of all my devices, and also two factor authentication with an authenticator app would be awesome. O yeah, and I dk who noticed, but if I go and use a legacy client while MAS is enabled, then go to the sessions list, MAS will put a cryptic device id instead of the device name the client set, for example this happens with fractal
23:22:16
@mtrnord:midnightthoughts.space MTRNord (they/them)
In reply to @bgtlover:stealthy.club
it does? when I installed it and turned it on, immediately all my devices signed out, one copy of element, I think element X, was stuck there, showing older messages, and I had no way of manually signing it out, because I can't find the settings button on the screen, perhaps it's not in the accessibility tree. I dk why, could have been a glitch, hopefully it didn't happen to anyone else. Service accounts, yeah, I think that's what I'm looking for indeed, if MAS supports most oauth features, that'd be even better. Personally, can't wait for it to no longer break my bridges and sign me out of all my devices, and also two factor authentication with an authenticator app would be awesome. O yeah, and I dk who noticed, but if I go and use a legacy client while MAS is enabled, then go to the sessions list, MAS will put a cryptic device id instead of the device name the client set, for example this happens with fractal

when I installed it and turned it on, immediately all my devices signed out, one copy of element, I think element X, was stuck there, showing older messages, and I had no way of manually signing it out, because I can't find the settings button on the screen,

that sounds like a broken migration. I did not have that experience. All existing devices still existed (which actually breaks ElementX ^^ due to invisible crypto being not user friendly but that's a different topic).

2FA at least with authentik works nicely :) But that's technically not MAS but rather authentik doing it :D

23:23:57
@bgtlover:stealthy.club bgt lover
In reply to @aine:etke.cc
Not yet - there are a lot of problems currently: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-matrix-authentication-service.md#expectations
how did you know that's the guide I followed? spot on! lol
23:24:05
@aine:etke.cc Aine [don't DM]
In reply to @bgtlover:stealthy.club
how did you know that's the guide I followed? spot on! lol
Because... We wrote it :)
I'm one of the etke.cc devs, MDAD is our project
23:25:40
@mtrnord:midnightthoughts.space MTRNord (they/them)
(on that note: I have to correct myself. "Service Accounts" is a name google uses. I don't know what exactly the oauth2 name of it is but I am 80% sure it was an oauth2 spec. Either way oauth does have a mode for non interactive auth)
23:26:23
@aine:etke.cc Aine [don't DM]
In reply to @bgtlover:stealthy.club
how did you know that's the guide I followed? spot on! lol
Because... We wrote it :)
I'm one of the etke.cc devs, MDAD is our project

Slavi did a great job tackling MAS together, thanks to MAS dev who guided the whole process in the MDAD room (sorry, I don't remember the name)

23:27:32
@bgtlover:stealthy.club bgt lover
In reply to @mtrnord:midnightthoughts.space

when I installed it and turned it on, immediately all my devices signed out, one copy of element, I think element X, was stuck there, showing older messages, and I had no way of manually signing it out, because I can't find the settings button on the screen,

that sounds like a broken migration. I did not have that experience. All existing devices still existed (which actually breaks ElementX ^^ due to invisible crypto being not user friendly but that's a different topic).

2FA at least with authentik works nicely :) But that's technically not MAS but rather authentik doing it :D

how do I even enable 2fa though? the MAS account page was pretty spartan. O yeah, and qr code login was also disabled, not that I would have used it, but still. More auth methods should be implemented, like logging in with a code you manually type into something instead of a username and a password or a qr code, like whatsapp does for linking devices, I think that's another flow in oidc if I'm not mistaken
23:27:50
@mtrnord:midnightthoughts.space MTRNord (they/them)
In reply to @bgtlover:stealthy.club
how do I even enable 2fa though? the MAS account page was pretty spartan. O yeah, and qr code login was also disabled, not that I would have used it, but still. More auth methods should be implemented, like logging in with a code you manually type into something instead of a username and a password or a qr code, like whatsapp does for linking devices, I think that's another flow in oidc if I'm not mistaken
It's done on the oidc provider side. MAS itself doesn't have that feature with password auth. Though I guess the better place to ask is #matrix-auth:matrix.org for that
23:28:37
@bgtlover:stealthy.club bgt lover
In reply to @aine:etke.cc

Because... We wrote it :)
I'm one of the etke.cc devs, MDAD is our project

Slavi did a great job tackling MAS together, thanks to MAS dev who guided the whole process in the MDAD room (sorry, I don't remember the name)

awesome! so then, you probably saw in realtime how stuff happened, I think I documented it all in the mdad room, willingly or not, most of it probably was a desperate ask for help. Also, syn2mas should just ignore guest accounts and accounts generated by appservices, not fail the migration, yet still migrate some accounts, the important ones, but still
23:29:35
@mtrnord:midnightthoughts.space MTRNord (they/them)
I believe service accounts in reality are https://datatracker.ietf.org/doc/html/rfc8705 but someone with actual oauth2 knowledge probably can correct me on that
23:29:56
@bgtlover:stealthy.club bgt lover
In reply to @mtrnord:midnightthoughts.space
It's done on the oidc provider side. MAS itself doesn't have that feature with password auth. Though I guess the better place to ask is #matrix-auth:matrix.org for that
hang on, do I have to put something else in front of MAS? would that work now that I have stuff already in the MAS database and not in, say, keycloak?
23:32:42
@aine:etke.cc Aine [don't DM]
In reply to @bgtlover:stealthy.club
awesome! so then, you probably saw in realtime how stuff happened, I think I documented it all in the mdad room, willingly or not, most of it probably was a desperate ask for help. Also, syn2mas should just ignore guest accounts and accounts generated by appservices, not fail the migration, yet still migrate some accounts, the important ones, but still

Currently there are few people who really know all the nuances and workarounds with MAS, alas. So, you're an early bird :)

That will change in future, but for now installing MAS feels like you're a pioneer who came to a place where no human was before :D

23:33:15
@mtrnord:midnightthoughts.space MTRNord (they/them)
In reply to @bgtlover:stealthy.club
hang on, do I have to put something else in front of MAS? would that work now that I have stuff already in the MAS database and not in, say, keycloak?
a) I think we should move to #matrix-auth:matrix.org at this point :)
b) Yes keycloak can be linked after the fact. Though the UI is still waiting on me to find the time to finish the PR for that. The link to do that however is trivial to make by hand.
23:33:47
@bgtlover:stealthy.club bgt lover
ok, joining there now
23:34:21
@aine:etke.cc Aine [don't DM]
In reply to @mtrnord:midnightthoughts.space
a) I think we should move to #matrix-auth:matrix.org at this point :)
b) Yes keycloak can be linked after the fact. Though the UI is still waiting on me to find the time to finish the PR for that. The link to do that however is trivial to make by hand.
They probably use it with Synapse only, without an external provider
23:34:54
@mtrnord:midnightthoughts.space MTRNord (they/them)
In reply to @aine:etke.cc
They probably use it with Synapse only, without an external provider
yeah. Then 2fa is not available with MAS
23:35:16
@i27gie0ba31hfh4t:matrix.org Jack joined the room.
23:39:58
@bgtlover:stealthy.club bgt lover
MTRNord (they/them): I just posted what I think is a summary of the discussion in here over there, just so you know
23:40:51
8 Nov 2024
@kitsune:matrix.org kitsune
TWIM:

Quaternion 0.0.97 beta


This is the first 0.0.97 pre-release primarily focused on migration to libQuotient 0.9. Not much to talk about aside from this. The release notes and some prebuilt binaries can be found at the usual place.
06:53:21
@this-week-in:matrix.org TWIM
✅ Thanks for the report kitsune, I'll store your update!
06:53:22



Room Version: 9