No Documentation for QR Code Login #3743

SNThrailkill opened this issue Jan 5, 2025 · 4 comments
Labels
A-Documentation Improvements or additions to documentation

Comments

@SNThrailkill

Would anyone be able to share the configuration needed in both Synapse and MAS to get QR code login available? If I try to link a new device it says "QR code not supported. Your account provider doesn't support signing into a new device with a QR code." and I can find no documentation on this. I've enabled the experimental MSC in the config and everything else seems to work. Or is this feature abandoned, which is why it's not documented?

@akarl10

akarl10 commented Jan 23, 2025

@SNThrailkill If you are still trying to enable QR code login but Element Web says it's not available:
The only thing I needed to add was

experimental_features:
    msc4108_enabled: true

(Of course experimental_features: contains more entries, but I added it to make it clear where to put this.)

To take effect, msc3861 must be enabled, but since you wrote this in an issue for MAS I am sure you have this.

@enekonieto

Not working for me using Keycloak as upstream IdP.

experimental_features:
  msc3861:
    account_management_url: https://matrix.***/auth/account
    admin_token: ***
    client_auth_method: client_secret_basic
    client_id: 0000000000000000000SYNAPSE
    client_secret: ***
    enabled: true
    introspection_endpoint: http://matrix-authentication-service:8080/auth/oauth2/introspect
    issuer: http://matrix-authentication-service:8080/auth/
  msc4108_enabled: true

Does Keycloak support this? Do I need some special config in Keycloak? I used the sample Keycloak config: https://element-hq.github.io/matrix-authentication-service/setup/sso.html#keycloak

@akarl10

akarl10 commented Feb 12, 2025

Essentially this is the same as what I have.
What is fundamentally different in your case is that you have MAS in a subdirectory /auth/ whereas I use a dedicated authentication domain.
Since you were able to log in I guess login works in general, but please check if the paths you get when opening the URL http://matrix-authentication-service:8080/auth/.well-known/openid-configuration make sense.

If your Synapse or Matrix client is not new enough you might also check if your matrix-domain/.well-known/matrix/client contains

    "org.matrix.msc2965.authentication": {
      "issuer": "http://matrix-authentication-service:8080/auth/",
      "account": "https://matrix.***/auth/account"
    }

BTW: I am not sure if the issuer can be something that is not resolvable/reachable client-side. The openid-configuration might get pulled not only by Synapse (I think a copy gets served on /_matrix/client/unstable/org.matrix.msc2965/auth_metadata). This "file" contains a lot more information, for example references to the keys used for signing ID tokens.
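The cross-check suggested in the comment above can be scripted. The following is an added example, not part of the thread and not code from Synapse or MAS: it compares the `org.matrix.msc2965.authentication` section of `.well-known/matrix/client` with the OpenID Connect discovery document and reports mismatched or client-unreachable URLs. The sample documents, the `matrix.example.org` domain, the function names and the treatment of an internal-only issuer as a finding are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample documents; matrix.example.org is a placeholder domain.
WELL_KNOWN_CLIENT = {  # body of https://<server_name>/.well-known/matrix/client
    "org.matrix.msc2965.authentication": {
        "issuer": "http://matrix-authentication-service:8080/auth/",
        "account": "https://matrix.example.org/auth/account",
    },
}
OIDC_METADATA = {  # body of <issuer>.well-known/openid-configuration
    "issuer": "https://matrix.example.org/auth/",
    "authorization_endpoint": "https://matrix.example.org/auth/authorize",
    "token_endpoint": "https://matrix.example.org/auth/oauth2/token",
    "jwks_uri": "https://matrix.example.org/auth/oauth2/keys.json",
}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def is_client_reachable(url):
    """Heuristic: https scheme plus a public IP or a dotted, non-internal hostname."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https" or not host:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:  # not an IP literal, so judge the name itself
        return "." in host and not host.endswith((".local", ".internal", ".localhost"))


def check_auth_discovery(well_known, metadata):
    """Return a list of findings; an empty list means the two documents agree."""
    auth = well_known.get("org.matrix.msc2965.authentication")
    if not auth:
        return ["well-known: org.matrix.msc2965.authentication is missing"]
    findings = []
    wk_issuer, md_issuer = auth.get("issuer", ""), metadata.get("issuer", "")
    if wk_issuer != md_issuer:  # OIDC discovery expects an exact string match
        findings.append(f"issuer mismatch: {wk_issuer!r} != {md_issuer!r}")
    urls = {"well-known issuer": wk_issuer, "well-known account": auth.get("account", ""),
            "metadata issuer": md_issuer}
    urls.update({key: metadata.get(key, "") for key in ENDPOINT_KEYS})
    for name, url in urls.items():
        if not is_client_reachable(url):
            findings.append(f"{name}: {url!r} is not https on a public host")
    for key in ENDPOINT_KEYS:  # subdirectory deployments: endpoints sit under the issuer
        if not metadata.get(key, "").startswith(md_issuer):
            findings.append(f"{key} is not under the issuer prefix {md_issuer!r}")
    return findings


if __name__ == "__main__":
    for finding in check_auth_discovery(WELL_KNOWN_CLIENT, OIDC_METADATA):
        print("FINDING:", finding)
```

To run it against a live deployment, load the two JSON documents from the server and pass them to `check_auth_discovery` in place of the constructed samples.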

@enekonieto

enekonieto commented Feb 13, 2025

EDIT: I don't know why, but now it is working (AFAIK I changed nothing nor upgraded Element Web).


> Essentially this is the same as what I have. What is fundamentally different in your case is that you have MAS in a subdirectory /auth/ whereas I use a dedicated authentication domain. Since you were able to log in I guess login works in general, but please check if the paths you get when opening the URL http://matrix-authentication-service:8080/auth/.well-known/openid-configuration make sense.

All paths start with https://matrix.PUBLIC_DOMAIN/auth, it makes sense to me.

> If your Synapse or Matrix client is not new enough you might also check if your matrix-domain/.well-known/matrix/client contains
>
>     "org.matrix.msc2965.authentication": {
>       "issuer": "http://matrix-authentication-service:8080/auth/",
>       "account": "https://matrix.***/auth/account"
>     }

It contains

org.matrix.msc2965.authentication: {
  account: "https://matrix.PUBLIC_DOMAIN/auth/account"
  issuer: "https://matrix.PUBLIC_DOMAIN/auth/"
}

> BTW: I am not sure if the issuer can be something that is not resolvable/reachable client-side. The openid-configuration might get pulled not only by Synapse (I think a copy gets served on /_matrix/client/unstable/org.matrix.msc2965/auth_metadata). This "file" contains a lot more information, for example references to the keys used for signing ID tokens.

All URLs are public too.

I'm using matrix-docker-ansible-deploy project for the deployment.

Thanks for replying!!

@sandhose sandhose added the A-Documentation Improvements or additions to documentation label May 9, 2025