Sender | Message | Time |
---|---|---|
7 Nov 2024 | ||
bgt lover | well, because people at matrix conf talked a lot about that kind of stuff, and then occasionally other people go to homeserver admins and recommend us MAS, because it's the new auth, it'll soon be present in synapse and all other homeservers as the default auth API, but then some of the use cases matrix also was suited well for aren't so well workable anymore, aka anything without a web browser, anything which does automated signing in, for example IoT devices. So, the issue where I can't properly manage users and such when MAS is on is fixed? Very good! I turned MAS off because it broke my bridges, but when that'll be fixed, it's good that the hurdles with synapse admin aren't gonna happen when this stuff gets out of beta. | 23:11:42 |
MTRNord (they/them) | but OAuth does support service accounts? so bots and stuff work just fine as always. Also MAS already provides password login compatibility APIs... | 23:12:50 |
MTRNord (they/them) | (and yes I know that at this time MAS has no service account support. OAuth however does support it and I am sure MAS people are aware of bots and bridges) | 23:13:25 |
Aine [don't DM] | In reply to @bgtlover:stealthy.club: Understandable | 23:13:39 |
Aine [don't DM] | In reply to @mtrnord:midnightthoughts.space: Not yet - there are a lot of problems currently: https://github.com/spantaleev/matrix-docker-ansible-deploy/blob/master/docs/configuring-playbook-matrix-authentication-service.md#expectations | 23:15:38 |
MTRNord (they/them) | well I said that in my second message | 23:16:31 |
Aine [don't DM] | In reply to @mtrnord:midnightthoughts.space: My point is that apart from service accounts there are other limitations | 23:17:36 |
Emma [it/its] | I still don't like the concept of separating service accounts from regular accounts | 23:20:50 |
MTRNord (they/them) | In reply to @emma:rory.gay: There is no separation. Service account in OAuth2 is just a preshared crypto cert for login. | 23:21:28 |
Emma [it/its] | ah | 23:21:42 |
bgt lover | In reply to @mtrnord:midnightthoughts.space: it does? when I installed it and turned it on, immediately all my devices signed out, one copy of element, I think element X, was stuck there, showing older messages, and I had no way of manually signing it out, because I can't find the settings button on the screen, perhaps it's not in the accessibility tree. I dk why, could have been a glitch, hopefully it didn't happen to anyone else. Service accounts, yeah, I think that's what I'm looking for indeed, if MAS supports most OAuth features, that'd be even better. Personally, can't wait for it to no longer break my bridges and sign me out of all my devices, and also two factor authentication with an authenticator app would be awesome. Oh yeah, and I dk who noticed, but if I go and use a legacy client while MAS is enabled, then go to the sessions list, MAS will put a cryptic device id instead of the device name the client set, for example this happens with fractal | 23:22:16 |
MTRNord (they/them) | In reply to @bgtlover:stealthy.club: that sounds like a broken migration. I did not have that experience. All existing devices still existed (which actually breaks ElementX ^^ due to invisible crypto being not user friendly but that's a different topic). 2FA at least with authentik works nicely :) But that's technically not MAS but rather authentik doing it :D | 23:23:57 |
bgt lover | In reply to @aine:etke.cc: how did you know that's the guide I followed? spot on! lol | 23:24:05 |
Aine [don't DM] | In reply to @bgtlover:stealthy.club: Because... We wrote it :) I'm one of the etke.cc devs, MDAD is our project | 23:25:40 |
MTRNord (they/them) | (on that note: I have to correct myself. "Service Accounts" is a name Google uses. I don't know what exactly the OAuth2 name of it is but I am 80% sure it was an OAuth2 spec. Either way OAuth does have a mode for non-interactive auth) | 23:26:23 |
Aine [don't DM] | In reply to @bgtlover:stealthy.club: * Because... We wrote it :) Slavi did a great job tackling MAS together, thanks to MAS dev who guided the whole process in the MDAD room (sorry, I don't remember the name) | 23:27:32 |
bgt lover | In reply to @mtrnord:midnightthoughts.space: how do I even enable 2FA though? the MAS account page was pretty spartan. Oh yeah, and QR code login was also disabled, not that I would have used it, but still. More auth methods should be implemented, like logging in with a code you manually type into something instead of a username and a password or a QR code, like WhatsApp does for linking devices, I think that's another flow in OIDC if I'm not mistaken | 23:27:50 |
MTRNord (they/them) | In reply to @bgtlover:stealthy.club: It's done on the OIDC provider side. MAS itself doesn't have that feature with password auth. Though I guess the better place to ask is #matrix-auth:matrix.org for that | 23:28:37 |
bgt lover | In reply to @aine:etke.cc: awesome! so then, you probably saw in realtime how stuff happened, I think I documented it all in the MDAD room, willingly or not, most of it probably was a desperate ask for help. Also, syn2mas should just ignore guest accounts and accounts generated by appservices, not fail the migration, yet still migrate some accounts, the important ones, but still | 23:29:35 |
MTRNord (they/them) | I believe service accounts in reality are https://datatracker.ietf.org/doc/html/rfc8705 but someone with actual OAuth2 knowledge probably can correct me on that | 23:29:56 |
bgt lover | In reply to @mtrnord:midnightthoughts.space: hang on, do I have to put something else in front of MAS? would that work now that I have stuff already in the MAS database and not in, say, Keycloak? | 23:32:42 |
Aine [don't DM] | In reply to @bgtlover:stealthy.club: Currently there are few people who really know all the nuances and workarounds with MAS, alas. So, you're an early bird :) That will change in future, but for now installing MAS feels like you're a pioneer who came to a place where no human was before :D | 23:33:15 |
MTRNord (they/them) | In reply to @bgtlover:stealthy.club: a) I think we should move to #matrix-auth:matrix.org at this point :) b) Yes, Keycloak can be linked after the fact. Though the UI is still waiting on me to find the time to finish the PR for that. The link to do that however is trivial to make by hand. | 23:33:47 |
bgt lover | ok, joining there now | 23:34:21 |
Aine [don't DM] | In reply to @mtrnord:midnightthoughts.space: They probably use it with Synapse only, without an external provider | 23:34:54 |
MTRNord (they/them) | In reply to @aine:etke.cc: yeah. Then 2FA is not available with MAS | 23:35:16 |
Jack joined the room. | | 23:39:58 |
bgt lover | MTRNord (they/them): I just posted what I think is a summary of the discussion in here over there, just so you know | 23:40:51 |
8 Nov 2024 | ||
kitsune | TWIM: **Quaternion 0.0.97 beta** This is the first 0.0.97 pre-release, primarily focused on migration to libQuotient 0.9. Not much to talk about aside from this. The release notes and some prebuilt binaries can be found at the usual place. | 06:53:21 |
TWIM | ✅ Thanks for the report kitsune, I'll store your update! | 06:53:22 |