When using the official guides to connect Synapse to authentik (https://element-hq.github.io/synapse/latest/openid.html#authentik and https://docs.goauthentik.io/integrations/services/matrix-synapse/), Synapse raises a `JSONDecodeError` when trying to log in.
Steps to reproduce:
```
[...]
synapse-1 | 2024-11-03T17:23:17.988935881Z 2024-11-03 17:23:17,988 - synapse.rest.client.login - 682 - INFO - GET-7 - Redirecting to https://auth.REDACTED.de/application/o/authorize/?response_type=code&client_id=WRKvT2yhGvUeSGf9AJshP3vjhgwR6tj2BtYbDVHF&redirect_uri=https%3A%2F%2Fmatrix.REDACTED.de%2F_synapse%2Fclient%2Foidc%2Fcallback&scope=openid+profile+email&state=uw0yDmOCuR1lW4dBL9BjLTBCZfSnr6&nonce=0nbfV9h07yVd9emtq54HVqrDfEs8Vy&code_challenge_method=S256&code_challenge=colWx9z0kYx1YX8ceBteeAiEVm7PAdZfXa-Ko_Iizy0
synapse-1 | 2024-11-03T17:23:17.989612259Z 2024-11-03 17:23:17,989 - synapse.access.http.8008 - 473 - INFO - GET-7 - 172.18.0.1 - 8008 - {None} Processed request: 0.004sec/-0.000sec (0.004sec, 0.000sec) (0.000sec/0.000sec/0) 0B 302 "GET /_matrix/client/v3/login/sso/redirect/oidc-authentik?redirectUrl=https%3A%2F%2Felement.REDACTED.de%2F&org.matrix.msc3824.action=login HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15" [0 dbevts]
synapse-1 | 2024-11-03T17:23:18.659634171Z 2024-11-03 17:23:18,659 - synapse.handlers.oidc - 259 - INFO - GET-8 - Received OIDC callback for IdP oidc-authentik
synapse-1 | 2024-11-03T17:23:19.140305318Z 2024-11-03 17:23:19,137 - synapse.http.client - 428 - INFO - GET-8 - Received response to POST https://auth.REDACTED.de/application/o/token/: 405
synapse-1 | 2024-11-03T17:23:19.152399538Z 2024-11-03 17:23:19,138 - synapse.http.server - 221 - ERROR - GET-8 - Failed handle request <XForwardedForRequest at 0x7fa30e5098d0 method='GET' uri='/_synapse/client/oidc/callback?code=570eb483fd9242f5b1be01f2ba70002c&state=uw0yDmOCuR1lW4dBL9BjLTBCZfSnr6' clientproto='HTTP/1.1' site='8008'>
synapse-1 | 2024-11-03T17:23:19.152457450Z Traceback (most recent call last):
synapse-1 | 2024-11-03T17:23:19.152466090Z File "/usr/local/lib/python3.11/site-packages/synapse/http/server.py", line 332, in _async_render_wrapper
synapse-1 | 2024-11-03T17:23:19.152473300Z callback_return = await self._async_render(request)
synapse-1 | 2024-11-03T17:23:19.152480002Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1 | 2024-11-03T17:23:19.152486398Z File "/usr/local/lib/python3.11/site-packages/synapse/http/server.py", line 364, in _async_render
synapse-1 | 2024-11-03T17:23:19.152493234Z callback_return = await raw_callback_return
synapse-1 | 2024-11-03T17:23:19.152499662Z ^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1 | 2024-11-03T17:23:19.152506064Z File "/usr/local/lib/python3.11/site-packages/synapse/rest/synapse/client/oidc/callback_resource.py", line 42, in _async_render_GET
synapse-1 | 2024-11-03T17:23:19.152512890Z await self._oidc_handler.handle_oidc_callback(request)
synapse-1 | 2024-11-03T17:23:19.152520274Z File "/usr/local/lib/python3.11/site-packages/synapse/handlers/oidc.py", line 276, in handle_oidc_callback
synapse-1 | 2024-11-03T17:23:19.152527014Z await oidc_provider.handle_oidc_callback(request, session_data, code)
synapse-1 | 2024-11-03T17:23:19.152533634Z File "/usr/local/lib/python3.11/site-packages/synapse/handlers/oidc.py", line 1094, in handle_oidc_callback
synapse-1 | 2024-11-03T17:23:19.152540384Z token = await self._exchange_code(
synapse-1 | 2024-11-03T17:23:19.152546618Z ^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1 | 2024-11-03T17:23:19.152552859Z File "/usr/local/lib/python3.11/site-packages/synapse/handlers/oidc.py", line 787, in _exchange_code
synapse-1 | 2024-11-03T17:23:19.152559212Z resp = json_decoder.decode(resp_body.decode("utf-8"))
synapse-1 | 2024-11-03T17:23:19.152565486Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1 | 2024-11-03T17:23:19.152571802Z File "/usr/local/lib/python3.11/json/decoder.py", line 337, in decode
synapse-1 | 2024-11-03T17:23:19.152578139Z obj, end = self.raw_decode(s, idx=_w(s, 0).end())
synapse-1 | 2024-11-03T17:23:19.152584650Z ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
synapse-1 | 2024-11-03T17:23:19.152590962Z File "/usr/local/lib/python3.11/json/decoder.py", line 355, in raw_decode
synapse-1 | 2024-11-03T17:23:19.152597458Z raise JSONDecodeError("Expecting value", s, err.value) from None
synapse-1 | 2024-11-03T17:23:19.152603926Z json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
synapse-1 | 2024-11-03T17:23:19.153510452Z 2024-11-03 17:23:19,153 - synapse.access.http.8008 - 473 - INFO - GET-8 - 172.18.0.1 - 8008 - {None} Processed request: 0.495sec/-0.000sec (0.011sec, 0.000sec) (0.000sec/0.000sec/0) 167B 500 "GET /_synapse/client/oidc/callback?code=570eb483fd9242f5b1be01f2ba70002c&state=uw0yDmOCuR1lW4dBL9BjLTBCZfSnr6 HTTP/1.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.1 Safari/605.1.15" [0 dbevts]
[...]
```
Relevant config snippet from `homeserver.yaml`:

```yaml
[...]
oidc_providers:
  - idp_id: authentik
    idp_name: authentik
    discover: true
    issuer: "https://auth.REDACTED.de/application/o/synapse-slug/"
    client_id: "REDACTED}"
    client_secret: "REDACTED"
    scopes:
      - "openid"
      - "profile"
      - "email"
    user_mapping_provider:
      config:
        localpart_template: "{{ user.preferred_username }}"
        display_name_template: "{{ user.name|capitalize }}"
[...]
```
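- Homeserver: Self-hosted homeserver
- Synapse Version: v1.118.0
- Installation Method: Docker (matrixdotorg/synapse)
- Database: PostgreSQL, single server, no ported data (fresh set up)
- Workers: Single process
- Platform: Debian 12 VM via Docker
- Configuration: No response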
I figured it out myself - the `jwt` block was missing in my Synapse configuration:

```yaml
[...]
jwt_config:
  enabled: true
  secret: "SAME_AS_OPENID_SECRET"
  algorithm: "RS256"
[...]
```
Maybe the documentation regarding authentik (https://github.com/element-hq/synapse/blob/develop/docs/openid.md#authentik) should be updated to work out of the box. If I understood it correctly, recent versions of authentik are only able to use JWTs and not plain JSON responses.
If desired, I can provide a PR.
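In the log above, the token endpoint answered the code exchange with HTTP 405, and the traceback only shows the later failure to decode that reply as JSON. The following added example (not Synapse's code and not part of the original thread) checks status and content type before decoding so the error names the HTTP failure; the function names and sample replies are assumptions constructed for illustration.

```python
import json


class TokenEndpointError(Exception):
    """The token endpoint reply is not a usable OAuth 2.0 token response."""


def parse_token_response(status: int, headers: dict, body: bytes) -> dict:
    """Validate a token endpoint reply (RFC 6749 sections 5.1 and 5.2)."""
    # Header names are case-insensitive; drop parameters such as charset.
    hdrs = {k.lower(): v for k, v in headers.items()}
    ctype = hdrs.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        # e.g. an HTML error page from a proxy, or a 405 for a wrong URL
        preview = body[:60].decode("utf-8", "replace")
        raise TokenEndpointError(
            f"HTTP {status}, Content-Type {ctype or 'none'!r}, body {preview!r}")
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise TokenEndpointError(f"HTTP {status}: invalid JSON ({exc})") from exc
    if not isinstance(data, dict):
        raise TokenEndpointError(f"HTTP {status}: JSON body is not an object")
    if "error" in data:
        # Error replies carry a machine-readable code such as invalid_client.
        detail = data.get("error_description", "")
        raise TokenEndpointError(f"HTTP {status}: {data['error']} {detail}".strip())
    if status != 200 or "access_token" not in data:
        raise TokenEndpointError(f"HTTP {status}: no access_token in reply")
    return data


def diagnose(status: int, headers: dict, body: bytes) -> str:
    """Return 'ok' or the error text, for logging or for tests."""
    try:
        parse_token_response(status, headers, body)
    except TokenEndpointError as exc:
        return str(exc)
    return "ok"


# Constructed sample replies (not taken from the report).
HTML_405 = (405, {"Content-Type": "text/html"}, b"<html>405 Not Allowed</html>")
BAD_CLIENT = (400, {"content-type": "application/json"},
              b'{"error": "invalid_client"}')
GOOD = (200, {"Content-Type": "application/json; charset=utf-8"},
        b'{"access_token": "constructed", "token_type": "Bearer"}')

if __name__ == "__main__":
    for sample in (HTML_405, BAD_CLIENT, GOOD):
        print(diagnose(*sample))
```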