/_matrix/client/unstable/org.matrix.msc2965/auth_metadata getting 505

[abbasulusoy]

Steps to reproduce
Where are you starting? What can you see?
I want to use insteof password oauth2 that user never login twice and use the token to login how can I do this
If I configure it then I am getting issue with {
"errcode": "M_UNRECOGNIZED",
"error": "Unrecognized request"
}
my configuration looking like with

homeserver.yaml
server_name: "matrix.x-software.com"
pid_file: /data/homeserver.pid
listeners:

port: 8008
tls: false
type: http
x_forwarded: true
resources:
names: [client, federation]
compress: false
database:
name: psycopg2
txn_limit: 10000
args:
user: synapse
password: postgres
database: synapse
host: matrix-synapse-db-1
port: 5432
cp_min: 5
cp_max: 10
log_config: "/data/matrix.x-software.com.log.config"
media_store_path: /data/media_store
registration_shared_secret: "1f@@QvDt^F5kJ=X5,wtjxv^znRm.P98h4vTIA#QRFaIhAx5E"
report_stats: true
macaroon_secret_key: "Ogt=S#kTQx6TWwM97ZvOcraZB^YGla@uBIFzc3W+rPZZpg&=O"
form_secret: "=n.TDdo0rQaRO6hYkudm-F=aDMrB+dHfKv_kTCHH;3LWueLa;"
#signing_key_path: "/data/matrix.x-software.com.signing.key"
trusted_key_servers:
server_name: "matrix.org"
enable_registration: false
enable_registration_without_verification: false
registrations_require_3pid: false
public_baseurl: "https://matrix.x-software.com/"
matrix_authentication_service:
enabled: true
endpoint: "http://192.168.1.74:8444/" # MAS endpoint
secret: "5SSDzVuYtZwphmC7m0AFWCHVW5kf6nAP"
password_config:
enabled: false

oauth2:
enabled: true
issuer: "http://192.168.1.74:8444/"
client_id: "synapse"
client_secret: "SYNAPSE_CLIENT_SECRET"
introspection_endpoint: "http://192.168.1.74:8444/oauth2/introspect"
#jwks_uri: "http://192.168.1.74:8444/.well-known/jwks.json"
scopes:

• matrix

config.yaml
matrix:
kind: synapse
homeserver: matrix.x-software.com
secret: 5SSDzVuYtZwphmC7m0AFWCHVW5kf6nAP
endpoint: http://192.168.1.74:8080/

Reiner OAuth2-Provider (ohne OIDC) abbas latest copy 2
default:
providers:

• id:
  upstream_oauth2: "custom-oauth2"
  synapse_idp_id: oauth2-custom
  human_name: "Meine OAuth2-App"
  authorization_endpoint: "http://192.168.1.74:8444/oauth/authorize"
  token_endpoint: "http://192.168.1.74:8444/oauth/token"
  user_info_endpoint: "http://192.168.1.74:8444/api/userinfo"
  client_id: "${CUSTOM_CLIENT_ID}"
  client_secret: "${CUSTOM_CLIENT_SECRET}"
  token_endpoint_auth_method: client_secret_basic
  scope: "profile email"
  claims_imports:
  localpart:
  action: require
  template: "{{ user.email.split('@')[0].lower() }}"
  displayname:
  action: force
  template: "{{ user.name }}"
  email:
  action: force
  template: "{{ user.email }}"

I generate config.yaml with docker images then they to check validate then I have a problem with missing "secrets
root@matrixServer:/home/liadmin/DOCKER/matrixServer/docker-compose# docker exec matrix-mas-1 mas-cli config check -c config2.yaml
Error: missing field secrets

Outcome
Can Any one help me please where I am doing errors, which configurations are missing ?

[anntnzrb]

Your MAS config is missing the required secrets section. Generate a complete config with docker run ghcr.io/element-hq/matrix-authentication-service config generate > config.yaml. The secrets section must include encryption (32-byte hex key) and keys (RSA signing key).

[abbasulusoy]

I have already created secrets like this but do you want to that I share full configuration, if I try to check config,yaml then I am getting the issue missing "secrets" how should work Matrix => MAS within element, do I need on element images changes the configuration if I use some own server here is my full configuration
http:
listeners:

• name: web
  resources:
  • name: discovery
  • name: human
  • name: oauth
  • name: compat
  • name: graphql
  • name: assets
    binds:
  • address: '0.0.0.0:8444'
    proxy_protocol: false
• name: internal
  resources:
  • name: health
    binds:
  • host: 0.0.0.0
    port: 8443
    proxy_protocol: false
    trusted_proxies:
• 192.168.0.0/16
• 172.16.0.0/12
• 10.0.0.0/10
• 127.0.0.1/8
• fd00::/8
• ::1/128
  public_base: "https://mas.siegele-software.com/"
  issuer: "https://mas.siegele-software.com/"
  database:
  uri: postgresql://mas:postgres@matrix-mas-db-1:5432/mas
  max_connections: 10
  min_connections: 0
  connect_timeout: 30
  idle_timeout: 600
  max_lifetime: 1800
  email:
  from: '"Authentication Service" root@localhost'
  reply_to: '"Authentication Service" root@localhost'
  transport: blackhole
  secrets:
  encryption: 0c8b1409bf920515f65c6c250ff352a3c539f325f686215446c0a4ad74c90118
  keys:
• key: |
  -----BEGIN RSA PRIVATE KEY-----
  MIIEowIBAAKCAQEAxVhGf3papDypAMKODnbMa+Grz2Z1Cj9/1dqquWsULbzkxwl5
  kkgAx7jVsGqJSubrGD7Mnz81gfjvKH6PVTlhGO8AE9DdF0cMXG4CKHZjffy525D7
  R+TpgG14LR4KbLtqtN+eFSCecd5p8LeYAYCHul/sVVzT39vBDm0ffQXGgXJ8+LHp
  mBvG0XEEKCc1tgctxe/nIW9bQsLuJfJEXI1JVCVcqRJBrrenE63zQ0JAhEpjr/WW
  2WhBZ8YmHtkEBD2xZuo5gnr0dvSNOfxiLjH2c5/qMSL1hoLRaJSsO2xAGcW0uwPF
  TY25uGLxgD1P6yLaNL1Zzg5JGqL9qU9AOqZJwwIDAQABAoIBAGg92u9XeC2tBTCr
  lFI7mnuZ9yFU45oINMSH/wp2b3BBiS9B5//HHPJixi2r+N2h4Kkr8vZjcyY2kk33
  nErORmXfSVEuULsNApCIY4dwEdno91vt124Akv8N1B8w8RzCWvkz7dMHKerIK3nF
  4PtaI1fld3cX06s5715pceqedF7HZ5ZqBQkoECLyErKTH7HqKtEx+zNEtqhpsVUT
  Gp2ItjNtUMKyu9jwYNqm34zuuUsw1lqKnaR9ClV9P5HrqO4OncbBTfXX6KkNAFGx
  d/ENADyBX9+XKoanuHxA+1DcUax5zUIRd+wdLdKvTqNWFaNLqtIEgXRIXSpp19Aq
  B6MGi4ECgYEA3gAhB6jZOjGkn5TPZkojxClBHmlHVRmdABHe6qe2PQFu4gjj5syt
  HrDbcIACrpq0AlCruYKNI6m/kXnHMaLdcYtmh9BhAbZcMpn7UFDB7vOtdhqncHQG
  qcmkeFj9jPhPN6l3LNbYTKTiwvFgCkMVWBDMPWGy1Ba4YbPG9IorrqMCgYEA45F7
  i28cf/int2FD8f4lyN1Dxok2qq0hqFaCTqdP6fcEt3i9aiJFvRcGjicFA8Q2TtSF
  inZ4zQ8XvnZWxDayBkjg4W3n2c8uOcV0OjVQEsnIF5WFVun5LlInD9t0SVE1dXt0
  eSB1yQMELDs08KIkVBYxL2hlFuacKVJimPHKSmECgYB/ItvHoy8kYKHCslpEXlk1
  Udr1K52qYszC6XkcMYfwUA3MbQL3fmf2l5pURztB+17zpHdz+gwSTHhlO7ST/I2N
  JSRGy1OCw4jxgbWnPViTHAJPDNyvTgMy4UPLmEs8nEfhvK9/glrFKfijY9B4kAp9
  MMGGtZjQVWKqsWZTTX3OuQKBgGxfWgB6942R8v0Hmv3hVEkl5iLkMV5yeLbcC849
  K3d2JY7iNwIWNDPqhTqpJmA2zs4Xs0jPRpQQ/fO8E3H5winwBvgUCPfXDGKCv+kA
  fpOT+HASyp8raXk/sk6A6g4IWHcMRdlxNeZ2Q0R1Ja766GYK831qL8oKJJAhJcdE
  TlvBAoGBAMwUsraPaHC1wCbOBEHaJrQFSB10ZtUPvxs2elkbukS7MUJd1/EAllTE
  kDtkSaq5XHLf0YJXP05yt5cH7zZb0mThaMW65R5Pz75j+TPvgOhbXr1A/tuVSsqL
  lATiHlmKtgNGuGI0+3a9Y1VmA+HABi0A+E48i1EuoRUxwAzxArQz
  -----END RSA PRIVATE KEY-----
• key: |
  -----BEGIN EC PRIVATE KEY-----
  MHcCAQEEIGELW0WM9mlACsSbMHIjruew8x44I0/helE4g/gc+pItoAoGCCqGSM49
  AwEHoUQDQgAEPSBop4pHdegc2djkBXyNGkKSYCKiJICdhtNUwRU40JCaahvp3sbr
  /75V/2aoqtMMDvsd6nPXtQFaeRIWf4P3BQ==
  -----END EC PRIVATE KEY-----
• key: |
  -----BEGIN EC PRIVATE KEY-----
  MIGkAgEBBDDQIwh3ntACPChkaDcj1NG1fT95GayCLmuMbtS+3+/XF+w69pe3Da9/
  7T8UI5qb+dagBwYFK4EEACKhZANiAARrNkdTncyV4FSbXQ34aFHB3F0paU5lycJh
  QNjcXAtu71jIXo1weIujh5YiSjVKjfkXiG/tUWe83Cxl23Gt4M8asz4ozHqGuTQd
  XYshV6B7BA8vI6AsAhgG0G04aH/BOHI=
  -----END EC PRIVATE KEY-----
• key: |
  -----BEGIN EC PRIVATE KEY-----
  MHQCAQEEILfwNWCSXnh1YK1gMnySa6OBSUzPIxxNdotTWTToVSzHoAcGBSuBBAAK
  oUQDQgAENBkt5oqRurt8uuN2K1sIBDW7+QNzPrgoEjYfIA7GS05bWSRONwuMPnYE
  NoAgNGERO/kwlmJ0dnIbdPoq3J+8jA==
  -----END EC PRIVATE KEY-----
  passwords:
  enabled: false
  schemes:
• version: 1
  algorithm: argon2id
  minimum_complexity: 3
  matrix:
  kind: synapse
  homeserver: localhost:8008
  secret: B9tCnHWagqVT3GkUDoaJ6ksreT5mLJgb
  endpoint: http://localhost:8008/

Reiner OAuth2-Provider (ohne OIDC) abbas latest copy 2

upstream_oauth2:
providers:
- id: "01H8PKNWKKRPCBW4YGH1RWV279"
issuer: "https://keycloak.test-software.com/realms/SSG" # TO BE FILLED
token_endpoint_auth_method: client_secret_basic
client_id: "matrix-authentication-service"
client_secret: "Mqp2gmsPPldUVT6jbDETG34DsUUiWLj9" # TO BE FILLED
#authorization_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/auth"
#token_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/token"
#userinfo_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/userinfo"
#jwks_uri: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/certs"
#introspection_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/token/introspect"
redirect_uris:
- "https://mas.test-software.com/oauth2/callback"
- "https://mas.test-software.com/_synapse/oidc/callback"
scope: "openid profile email"
claims_imports:
localpart:
action: require
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: suggest
template: "{{ user.email }}"
oauth2:
providers:
- id: "01H8PKNWKKRPCBW4YGH1RWV279"
issuer: "https://keycloak.test-software.com/realms/SSG" # TO BE FILLED
token_endpoint_auth_method: client_secret_basic
client_id: "matrix-authentication-service"
client_secret: "Mqp2gmsPPldUVT6jbDETG34DsUUiWLj9" # TO BE FILLED
authorization_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/auth"
token_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/token"
userinfo_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/userinfo"
jwks_uri: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/certs"
introspection_endpoint: "https://keycloak.test-software.com/realms/SSG/protocol/openid-connect/token/introspect"
scope: "openid profile email"
claims_imports:
localpart:
action: require
template: "{{ user.preferred_username }}"
displayname:
action: suggest
template: "{{ user.name }}"
email:
action: suggest
template: "{{ user.email }}"
clients:
- client_id: "matrix-authentication-service"
client_secret: "Mqp2gmsPPldUVT6jbDETG34DsUUiWLj9"
redirect_uris:
- "https://mas.test-software.com/_synapse/oidc/callback"
allowed_scopes:
- openid
- profile
- email

[abbasulusoy]

Homeserver yaml

[1] https://docs.ansible.com/ansible/latest/reference_appendices/YAMLSyntax.html

For more information on how to configure Synapse, including a complete accounting of

each option, go to docs/usage/configuration/config_documentation.md or

https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html

server_name: "matrix.test-software.com"
pid_file: /data/homeserver.pid
listeners:

• port: 8008
  tls: false
  type: http
  x_forwarded: true
  resources:
  • names: [client, federation]
    compress: false
    database:
    name: psycopg2
    txn_limit: 10000
    args:
    user: synapse
    password: postgres
    database: synapse
    host: matrix-synapse-db-1
    port: 5432
    cp_min: 5
    cp_max: 10
    log_config: "/data/matrix.test-software.com.log.config"
    media_store_path: /data/media_store
    registration_shared_secret: "1f@@QvDt^F5kJ=X5,wtjxv^znRm.P98h4vTIA#QRFaIhAx5E"
    report_stats: true
    macaroon_secret_key: "Ogt=S#kTQx6TWwM97ZvOcraZB^YGla@uBIFzc3W+rPZZpg&=O"
    form_secret: "=n.TDdo0rQaRO6hYkudm-F=aDMrB+dHfKv_kTCHH;3LWueLa;"
    #signing_key_path: "/data/matrix.test-software.com.signing.key"
    trusted_key_servers:
• server_name: "matrix.org"
  enable_registration: false
  enable_registration_without_verification: false
  registrations_require_3pid: false
  public_baseurl: "https://matrix.test-software.com"
  matrix_authentication_service:
  enabled: true
  endpoint: "http://localhost:8444/" # MAS endpoint
  secret: "B9tCnHWagqVT3GkUDoaJ6ksreT5mLJgb"

password_config:
enabled: false

oauth2:
enabled: true
issuer: "http://localhost:8444"
client_id: "synapse"
client_secret: "SYNAPSE_CLIENT_SECRET"
introspection_endpoint: "http://localhost:8444/oauth2/introspect"
#jwks_uri: "http://192.168.1.74:8444/.well-known/jwks.json"
scopes:
- matrix

[abbasulusoy]

They are all starten with in docker images

[abbasulusoy]

this is my docker-compose version: '3.9'
name: matrix

services:
traefik:
image: "traefik:${TRAEFIK_VERSION}"
restart: "always"
command:
- "--api=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
- "--entrypoints.websecure.address=:443"
- "--entrypoints.web.http.redirections.entrypoint.to=websecure"
- "--entrypoints.web.http.redirections.entrypoint.scheme=https"
- "--certificatesresolvers.letls.acme.email=admin@${DOMAIN}"
- "--certificatesresolvers.letls.acme.storage=/certs/acme.json"
- "--certificatesresolvers.letls.acme.httpchallenge=true"
- "--certificatesresolvers.letls.acme.httpchallenge.entrypoint=web"
ports:
- "443:443"
- "80:80"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock:ro"
- traefik_certs:/certs

nginx:
image: "nginx:${NGINX_VERSION}"
restart: "always"
volumes:
- nginx_conf:/etc/nginx/conf.d
labels:
- traefik.enable=true
- traefik.http.routers.nginx.entrypoints=websecure
- traefik.http.routers.nginx.rule=Host(${DOMAIN})
- traefik.http.routers.nginx.tls=true
- traefik.http.routers.nginx.tls.certresolver=letls
synapse:
image: "docker.io/matrixdotorg/synapse:${SYNAPSE_VERSION}"
restart: unless-stopped
user: root
environment:
- SYNAPSE_CONFIG_PATH=/data/homeserver.yaml
volumes:
- synapse_data:/data
- ./setup:/setup
- ./:/backup # Zugriff auf homeserver.yaml oder .env
working_dir: /setup # Startverzeichnis fuer den Container
entrypoint: ["bash", "./config-homeserver.sh"] # Skript im working_dir ausfuehren
ports:
- "8080:8008"
depends_on:
- synapse-db
- mas
labels:
- traefik.enable=true
- traefik.http.routers.synapse.entrypoints=websecure
- traefik.http.routers.synapse.rule=Host(matrix.${DOMAIN})
- traefik.http.routers.synapse.tls=true
- traefik.http.routers.synapse.tls.certresolver=letls
networks:
- matrix-network
synapse-db:
image: "docker.io/postgres:${POSTGRES_VERSION}"
restart: unless-stopped
environment:
- POSTGRES_USER=synapse
- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
volumes:
- synapse_db_data:/var/lib/postgresql/data
ports:
- "5432:5432"
networks:
- matrix-network
coturn:
image: "instrumentisto/coturn:${COTURN_VERSION}"
restart: "unless-stopped"
volumes:
- coturn:/etc/coturn
- ./setup:/setup
ports:
- "49160-49200:49160-49200/udp"
- "3478:3478"
- "5349:5349"
#working_dir: /setup # Startverzeichnis fuer den Container
#entrypoint: ["sh", "./config-coturn.sh"] # Skript im working_dir ausfuehren
networks:
- matrix-network
element:
image: "vectorim/element-web:${ELEMENT_VERSION}"
restart: unless-stopped
volumes:
- element:/app
ports:
- "8181:8181"
labels:
- traefik.enable=true
- traefik.http.routers.element.entrypoints=websecure
- traefik.http.routers.element.rule=Host(web.${DOMAIN})
- traefik.http.routers.element.tls=true
- traefik.http.routers.element.tls.certresolver=letls
- traefik.http.services.element.loadbalancer.server.port=8181
networks:
- matrix-network

--- MAS Config Init ---

mas-config-init:
image: alpine:latest
command: >
sh -c "test -f /data/config.yaml || cp /setup/config.yaml /data/config.yaml"
volumes:
- ./config.yaml:/setup/config.yaml:ro
- mas_data:/data
restart: "no"

--- MAS ---

mas:
image: "ghcr.io/element-hq/matrix-authentication-service:${MAS_VERSION:-latest}"
restart: unless-stopped
environment:
- DATABASE_URL=postgresql://synapse:[email protected]:5432/mas
- SERVER_NAME=${DOMAIN}
- MAS_CONFIG=/data/config.yaml
volumes:
- mas_data:/data
ports:
- "8444:8443"
depends_on:
- mas-db
- mas-config-init
labels:
- traefik.enable=true
- traefik.http.routers.mas.entrypoints=websecure
- traefik.http.routers.mas.rule=Host(mas.${DOMAIN})
- traefik.http.routers.mas.tls=true
- traefik.http.routers.mas.tls.certresolver=letls
networks:
- matrix-network

--- MAS PostgreSQL ---

mas-db:
image: "docker.io/postgres:${POSTGRES_VERSION:-15}"
restart: unless-stopped
environment:
- POSTGRES_USER=mas
- POSTGRES_PASSWORD=${MAS_DB_PASSWORD}
- POSTGRES_DB=mas
- POSTGRES_INITDB_ARGS=--encoding=UTF-8 --lc-collate=C --lc-ctype=C
volumes:
- mas_db_data:/var/lib/postgresql/data
networks:
- matrix-network
volumes:
synapse_data:
synapse_db_data:
coturn:
element:
mas_data:
mas_db_data:
traefik_certs:
nginx_conf:
networks:
matrix-network:
name: matrix-network

[abbasulusoy]

I want to rich end of businesss
"issuer": "https://mas.test-software.com/",
"account_management_uri": "https://mas.test-software.com/account/",
"authorization_endpoint": "https://mas.test-software.com/authorize",
"token_endpoint": "https://mas.siegele-test.com/oauth2/token",
"jwks_uri": "https://mas.test-software.com/oauth2/keys.json",
"registration_endpoint": "https://mas.test-software.com/oauth2/registration", there are not here how can I configure also this urls, if you check the docu it should be generate and return this calls something