Stabilise MAS integration (#18759)

This can be reviewed commit by commit There are a few improvements over the experimental support: - authorisation of Synapse <-> MAS requests is simplified, with a single shared secret, removing the need for provisioning a client on the MAS side - the tests actually spawn a real server, allowing us to test the rust introspection layer - we now check that the device advertised in introspection actually exist, making it so that when a user logs out, the tokens are immediately invalidated, even if the cache doesn't expire - it doesn't rely on discovery anymore, rather on a static endpoint base. This means users don't have to override the introspection endpoint to avoid internet roundtrips - it doesn't depend on `authlib` anymore, as we simplified a lot the calls done from Synapse to MAS We still have to update the MAS documentation about the Synapse setup, but that can be done later. --------- Co-authored-by: reivilibre <oliverw@element.io>
2025-08-04 15:48:45 +02:00
parent 8c71875195
commit 7ed55666b5
32 changed files with 1616 additions and 231 deletions
--- a/schema/synapse-config.schema.yaml
+++ b/schema/synapse-config.schema.yaml
@@ -656,6 +656,43 @@ properties:
      - - master.hostname.example.com
        - 10.1.0.0/16
        - 172.30.0.0/16
+  matrix_authentication_service:
+    type: object
+    description: >-
+      The `matrix_authentication_service` setting configures integration with
+      [Matrix Authentication Service (MAS)](https://github.com/element-hq/matrix-authentication-service).
+    properties:
+      enabled:
+        type: boolean
+        description: >-
+          Whether or not to enable the MAS integration. If this is set to
+          `false`, Synapse will use its legacy internal authentication API.
+        default: false
+
+      endpoint:
+        type: string
+        format: uri
+        description: >-
+          The URL where Synapse can reach MAS. This *must* have the `discovery`
+          and `oauth` resources mounted.
+        default: http://localhost:8080
+
+      secret:
+        type: ["string", "null"]
+        description: >-
+          A shared secret that will be used to authenticate requests from and to MAS.
+
+      secret_path:
+        type: ["string", "null"]
+        description: >-
+          Alternative to `secret`, reading the shared secret from a file.
+          The file should be a plain text file, containing only the secret.
+          Synapse reads the secret from the given file once at startup.
+
+    examples:
+      - enabled: true
+        secret: someverysecuresecret
+        endpoint: http://localhost:8080
  dummy_events_threshold:
    type: integer
    description: >-