Add JWT documentation and improve sample config #7776
Conversation
docs/dev/jwt.md
Outdated
| (Note that this differs from the token based logins which return a | ||
| `403 Forbidden` and an error code of `M_FORBIDDEN` if an error occurs.) |
There was a problem hiding this comment.
I think we should probably update the code to be the same as this, but I wanted to keep this PR to documentation only.
| # password database. | ||
| # | ||
| # Each JSON Web Token needs to contain a "sub" (subject) claim, which is | ||
| # used as the localpart of the mxid. |
There was a problem hiding this comment.
There's no guarantee the sub will meet mxid character restrictions. How do we map under this scenario?
There was a problem hiding this comment.
Currently it is assumed that it meets the restrictions.
There was a problem hiding this comment.
I looked at this again since I wasn't 100% sure this was true and the string just gets jammed into one of our UserID objects:
synapse/synapse/rest/client/v1/login.py
Lines 376 to 380 in 21a212f
So yeah, this is essentially completely unchecked. 😢
|
|
||
| The `jwt` should encode the local part of the user ID as the standard `sub` | ||
| claim. In the case that the token is not valid, the homeserver must respond with | ||
| `401 Unauthorized` and an error code of `M_UNAUTHORIZED`. |
There was a problem hiding this comment.
I am somewhat tempted to cheekily change this to a 400. If we ever move login to be more UIA like we won't be able to use 401
There was a problem hiding this comment.
Yeah so similar to my comment:
I think we should probably update the code to be the same as this, but I wanted to keep this PR to documentation only.
Doing this likely makes sense, but the first step was to document what is going on.
Indeed. It makes me very happy to see this documented so clearly. |
| secret: "my-secret-token" | ||
| algorithm: "HS256" |
There was a problem hiding this comment.
I should note also that I did test this using a private key / public key pair, but for testing using the shared secret is much simpler.
* commit '43726783e': (22 commits) 1.17.0rc1 Fix some spelling mistakes / typos. (#7811) `update_membership` declaration: now always returns an event id. (#7809) Improve stacktraces from exceptions in background processes (#7808) Fix `can only concatenate list (not "tuple") to list` exception (#7810) Pass original request headers from workers to the main process. (#7797) Generate real events when we reject invites (#7804) Add `HomeServer.signing_key` property (#7805) Revert "Update the installation docs on apt-transport-https (#7801)" Do not use simplejson in Synapse. (#7800) Stop passing bytes when dumping JSON (#7799) Update the installation docs on apt-transport-https (#7801) shuffle changelog slightly Change Caddy links (old is deprecated) (#7789) Stop populating unused table `local_invites`. (#7793) Refactor getting replication updates from database v2. (#7740) Add libwebp dependency to Dockerfile (#7791) Add documentation for JWT login type and improve sample config. (#7776) Convert the appservice handler to async/await. (#7775) Don't ignore `set_tweak` actions with no explicit `value`. (#7766) ...
This does a few somewhat related things:
docs/jwt.mdin this PR.do_jwt_loginanddo_token_loginmethods private (to match_do_other_login).