Enable QR code login (MSC4108) support for Synapse when Matrix Authen…

…tication Service is enabled Related to 8a6b822 Related to matrix-org/matrix-spec-proposals#4108 Potential (unconfirmed) fix for #3749
spantaleev · Nov 9, 2024 · 509542c · 509542c
1 parent 3a11881
commit 509542c
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 0 deletions.
diff --git a/group_vars/matrix_servers b/group_vars/matrix_servers
@@ -4769,6 +4769,8 @@ matrix_synapse_experimental_features_msc3861_client_secret: "{{ '%s' | format(ma
 matrix_synapse_experimental_features_msc3861_admin_token: "{{ matrix_authentication_service_config_matrix_secret if matrix_authentication_service_enabled else '' }}"
 matrix_synapse_experimental_features_msc3861_account_management_url: "{{ matrix_authentication_service_account_management_url if matrix_authentication_service_enabled else '' }}"
 
+matrix_synapse_experimental_features_msc4108_enabled: "{{ matrix_authentication_service_enabled and not matrix_authentication_service_migration_in_progress }}"
+
 # Disable password authentication when delegating authentication to Matrix Authentication Service.
 # Unless this is done, Synapse fails on startup with:
 # > Error in configuration at 'password_config.enabled':

diff --git a/roles/custom/matrix-synapse/defaults/main.yml b/roles/custom/matrix-synapse/defaults/main.yml
@@ -1180,6 +1180,10 @@ matrix_synapse_experimental_features_msc3861_admin_token: ''
 # URL to advertise to clients where users can self-manage their account.
 matrix_synapse_experimental_features_msc3861_account_management_url: ''
 
+# Controls whether to enable the "QR code login" experimental feature.
+# Enabling this requires that MSC3861 (see `matrix_synapse_experimental_features_msc3861_enabled`) is also enabled.
+matrix_synapse_experimental_features_msc4108_enabled: false
+
 ################################################################################
 #
 # /Next-generation auth for Matrix, based on OAuth 2.0/OIDC

diff --git a/roles/custom/matrix-synapse/tasks/validate_config.yml b/roles/custom/matrix-synapse/tasks/validate_config.yml
@@ -154,3 +154,8 @@
   ansible.builtin.fail:
     msg: "When Synapse is delegating authentication to Matrix Authentication Service, it doesn't make sense to enable the password config (`matrix_synapse_password_config_enabled: true`), because it is not Synapse that is handling authentication. Please remove your `matrix_synapse_password_config_enabled: true` setting before enabling Matrix Authentication Service integration for Synapse. Synapse will refuse to start otherwise."
   when: matrix_synapse_experimental_features_msc3861_enabled and matrix_synapse_password_config_enabled
+
+- name: Fail if QR code login (MSC4108) is enabled while Next-Gen Auth (MSC3861) is not
+  ansible.builtin.fail:
+    msg: "When Synapse QR code login is enabled (MSC4108 via `matrix_synapse_experimental_features_msc4108_enabled`), Next-Gen auth (MSC3861 via `matrix_synapse_experimental_features_msc3861_enabled`) must also be enabled."
+  when: matrix_synapse_experimental_features_msc4108_enabled and not matrix_synapse_experimental_features_msc3861_enabled
diff --git a/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2 b/roles/custom/matrix-synapse/templates/synapse/homeserver.yaml.j2
@@ -2987,5 +2987,8 @@ experimental_features:
     admin_token: {{ matrix_synapse_experimental_features_msc3861_admin_token | to_json }}
     account_management_url: {{ matrix_synapse_experimental_features_msc3861_account_management_url | to_json }}
   {% endif %}
+  {% if matrix_synapse_experimental_features_msc4108_enabled %}
+  msc4108_enabled: true
+  {% endif %}
 
 # vim:ft=yaml