Enable QR code login (MSC4108) support for Synapse when Matrix Authentication Service is enabled

Related to 8a6b822bbd Related to https://github.com/matrix-org/matrix-spec-proposals/pull/4108 Potential (unconfirmed) fix for https://github.com/spantaleev/matrix-docker-ansible-deploy/issues/3749
1 год назад · 509542ccaf
--- a/group_vars/matrix_servers
+++ b/group_vars/matrix_servers
@@ -4769,6 +4769,8 @@ matrix_synapse_experimental_features_msc3861_client_secret: "{{ '%s' | format(ma
 matrix_synapse_experimental_features_msc3861_admin_token: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc3861_account_management_url: "{{ matrix_authentication_service_account_management_url if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
 # Disable password authentication when delegating authentication to Matrix Authentication Service.
 # Unless this is done, Synapse fails on startup with:
 # > Error in configuration at 'password_config.enabled':
--- a/roles/custom/matrix-synapse/defaults/main.yml
+++ b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1180,6 +1180,10 @@ matrix_synapse_experimental_features_msc3861_admin_token: ''
 # URL to advertise to clients where users can self-manage their account.
 matrix_synapse_experimental_features_msc3861_account_management_url: ''
 # Controls whether to enable the "QR code login" experimental feature.
 # Enabling this requires that MSC3861 (see `matrix_synapse_experimental_features_msc3861_enabled`) is also enabled.
 matrix_synapse_experimental_features_msc4108_enabled: false
 ################################################################################
 #
 # /Next-generation auth for Matrix, based on OAuth 2.0/OIDC
--- a/roles/custom/matrix-synapse/tasks/validate_config.yml
+++ b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -154,3 +154,8 @@
  ansible.builtin.fail:
    msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
  when: matrix_synapse_experimental_features_msc3861_enabled and matrix_synapse_password_config_enabled
 - name: Fail if QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
  ansible.builtin.fail:
    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Next-Gen auth (MSC3861 via `matrix_synapse_experimental_features_msc3861_enabled`) must also be enabled."
  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled
--- a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
+++ b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2987,5 +2987,8 @@ experimental_features:
    admin_token: {{ matrix_synapse_experimental_features_msc3861_admin_token | to_json }}
    account_management_url: {{ matrix_synapse_experimental_features_msc3861_account_management_url | to_json }}
  {% endif %}
  {% if matrix_synapse_experimental_features_msc4108_enabled %}
  msc4108_enabled: true
  {% endif %}
 # vim:ft=yaml