
SSO doesn't work

Open BRGustavoRibeiro opened this issue 2 years ago • 9 comments

Steps to reproduce

Disclaimer: I'm not a specialist and don't know exactly how Matrix (Synapse) talks with the Element Client, so there's a possibility of a noob question below.

1. Where are you starting? What can you see?

I have a YunoHost server, running Synapse. Login with user/password is disabled in the configs, and it is only possible to log in using SSO.

With Element Android, when you click to login with SSO, Element opens up a web page with YunoHost's SSOwat, asking for the username and password, and after the authentication, it works perfectly.

With Element iOS, the login with SSO doesn't even show up, and it throws this error: [image]

I'm not sure if this is pertinent, but this is the URL that is opening up when the SSO loads (on iOS): https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/?redirectUrl=element://connect?transaction_id%3Dm56[CENSORED]. I've added the [CENSORED] tag because I'm not sure if that thing is an auth token or something like that.

2. What do you click?

"Login with SSO" button after setting Element to use my homeserver.

Outcome

What did you expect?

I expected Element to login after YunoHost's SSO authentication.

What happened instead?

An error showed up.

Your phone model

iPhone 13 Pro Max

Operating system version

iOS 16.0.2

Application version

Element version 1.9.7

Homeserver

Synapse 1.67.0 Stable

Will you send logs?

No

BRGustavoRibeiro avatar Oct 09 '22 21:10 BRGustavoRibeiro

FWIW, I'm experiencing the same issue. I hadn't tried using element-ios until just a few days ago, so I cannot say whether it is a regression or not.

bavier avatar Oct 09 '22 23:10 bavier

New update on this case:

I've found out that on Element Android, a different URL is triggered.

Instead of https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/?redirectUrl=element://connect?transaction_id%3Dm56[CENSORED] on Android the URL is https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/cas?redirectUrl=element://connect

I'm quite sure that this is probably a bug on the client side.

BRGustavoRibeiro avatar Oct 10 '22 03:10 BRGustavoRibeiro

Same issue here, self-hosted in combination with SSO, resulting in a 405 Method Not Allowed.

Other clients (Element on Mac, Element on Android) work just fine.

tim427 avatar Nov 01 '22 15:11 tim427

Same problem (self-hosted + SSO), and a lot of colleagues who were handed new devices at the same time are now also facing this issue.

sanderboele avatar Nov 03 '22 10:11 sanderboele

Could everyone verify their matrix-server version? https://<matrixserver.fqdn>/_matrix/client/versions

The version reported by our matrix-server is {"unstable_features": {}, "versions": ["r0.5.0"]}, which isn't supported by other clients (FluffyChat, for example).

tim427 avatar Nov 03 '22 11:11 tim427

The issue is not directly related to a mobile client version, and maybe also not to the server version. I think it is something in the SSO redirect service. The issue is that there is one slash too many in the redirect URL.

How to fix your login:

  1. Connect to your homeserver.
  2. Connect via SSO.
  3. Now you get the 405 Method Not Allowed message. Copy the requested URL.
  4. Paste this requested URL into your browser, for example Apple Safari.
  5. Remove the slash between redirect/?redirectUrl.

You're welcome. 😄

T0mWz avatar Nov 03 '22 21:11 T0mWz

> New update on this case:
>
> I've found out that on Element Android, a different URL is triggered.
>
> Instead of https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/?redirectUrl=element://connect?transaction_id%3Dm56[CENSORED] on Android the URL is https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/cas?redirectUrl=element://connect
>
> I'm quite sure that this is probably a bug on the client side.

The iOS client seems to need the transaction_id and loginToken parameters here, and another difference is cas in the URL. Can you check them?

ismailgulek avatar Nov 04 '22 13:11 ismailgulek

> New update on this case: I've found out that on Element Android, a different URL is triggered. Instead of https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/?redirectUrl=element://connect?transaction_id%3Dm56[CENSORED] on Android the URL is https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/cas?redirectUrl=element://connect I'm quite sure that this is probably a bug on the client side.
>
> The iOS client seems to need the transaction_id and loginToken parameters here, and another difference is cas in the URL. Can you check them?

The issue is that there is one slash too many in the redirect URI. On iOS you currently get a redirect URI like: https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/?redirectUrl=element://connect?transaction_id%3Dm56 However, the correct URI is: https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect?redirectUrl=element://connect?transaction_id%3Dm56 i.e. without the slash after redirect.

T0mWz avatar Nov 04 '22 13:11 T0mWz
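The manual fix in the two comments above (drop the slash between `redirect` and `?`) and the URL shape the working clients send can be captured in a small helper. This is an added example, not code from element-ios or from anyone in the thread; the homeserver and client redirect values are constructed samples, and treating `cas` as an optional path segment after `redirect` is an assumption based only on the Android URL quoted above.

```python
"""Build and sanity-check Matrix SSO redirect URLs of the form seen in this thread.

Added example, not element-ios code. Assumptions: the path prefix is taken from the
URLs quoted in the thread; the optional idp segment mirrors the Android 'redirect/cas'
URL; all host and redirect values are constructed samples.
"""
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit, urlunsplit

SSO_REDIRECT_PATH = "/_matrix/client/r0/login/sso/redirect"


def build_sso_redirect_url(homeserver: str, client_redirect: str,
                           idp_id: Optional[str] = None) -> str:
    """Return the SSO redirect URL a client should open.

    The client's own redirect target (scheme, host and query string) travels inside
    the redirectUrl parameter, so it is fully percent-encoded: otherwise its own '?'
    and '=' would be mistaken for parts of the outer query. No '/' is placed between
    the path and '?', which is the extra slash the thread identifies as the bug.
    """
    path = SSO_REDIRECT_PATH
    if idp_id:
        path += "/" + quote(idp_id, safe="")
    return f"{homeserver.rstrip('/')}{path}?redirectUrl={quote(client_redirect, safe='')}"


def has_stray_slash(url: str) -> bool:
    """True when the path ends in '/' directly before a query string (the 405 case)."""
    parts = urlsplit(url)
    return parts.path.endswith("/") and parts.query != ""


def repair_sso_redirect_url(url: str) -> str:
    """Apply the fix from the thread: strip the trailing '/' before '?'."""
    if not has_stray_slash(url):
        return url
    parts = urlsplit(url)
    return urlunsplit(parts._replace(path=parts.path.rstrip("/")))


def client_redirect_target(url: str) -> str:
    """Decode the redirectUrl parameter back into the client's redirect target."""
    return parse_qs(urlsplit(url).query)["redirectUrl"][0]


if __name__ == "__main__":
    broken = ("https://invaliddomain.tld/_matrix/client/r0/login/sso/redirect/"
              "?redirectUrl=element://connect?transaction_id%3Dm56")
    print(repair_sso_redirect_url(broken))
    print(build_sso_redirect_url("https://invaliddomain.tld",
                                 "element://connect?transaction_id=m56", idp_id="cas"))
```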

@ismailgulek @T0mWz I experienced this bug too in a YunoHost setup. It looks easy to solve, and anyone running Synapse with a CAS config and using iOS would be exposed... How can it be classified as minor?

Gredin67 avatar Aug 27 '23 20:08 Gredin67