Using the service
Running
Once the configuration is done, one should run the database migrations (database schema upgrade, also for setup) by running
mas-cli database migrate
The server can then be started by running
mas-cli server
Sep 24 14:42:42.743 INFO mas_cli::server: Starting task scheduler
Sep 24 14:42:42.743 INFO mas_core::templates: Loading builtin templates
Sep 24 14:42:42.752 INFO mas_cli::server: Listening on http://0.0.0.0:8080
The server should now be accessible through http://localhost:8080/.
Note: when running with Docker, the port used by the server should be exposed with the -p
flag:
docker run --rm \
-v `pwd`/config.yaml:/config.yaml \
-p 8080:8080 \
ghcr.io/matrix-org/matrix-authentication-service:main \
server
Registering, logging in and out
Through the interface, users are able to create an account by clicking the Register
button on the top right (or going to /register
).
They can then end their session by clicking the Sign out
button and sign back in.
Playing around with the playground
The OpenID Foundation hosts a OpenID Connect Playground where one can test logging in through an OIDC provider: https://openidconnect.net/
Step 1: Add the client to the server config
Add the following section to the server configuration file config.yaml
:
clients:
# The client ID must be a valid ULID
- client_id: 000000000000OIDCPLAYGROUND
client_secret: verysecret
redirect_uris:
- "https://openidconnect.net/callback"
Sync the configuration with the database:
mas-cli config sync
Step 2: Change the playground configuration
- Navigate to the playground
- Click on "Configuration"
- Server template: Custom
- Paste the discovery document URL found on the service homepage (e.g.
http://localhost:8080/.well-known/openid-configuration
) - Click "Use discovery document" ; it should fill out the authorization, token and token keys endpoints
- Set the OIDC Client ID to
000000000000OIDCPLAYGROUND
and the Client Secret toverysecret
(must match the ones in the configuration) - Click "Save"
Step 3: Run the OpenID Connect flow
Start the flow by clicking the "Start" button. It should redirect the browser to the authentication service. If a user is already logged in, it should redirect back to the playground immediately.
Follow the flow to see the code exchange happen. Note that the last step only works if the service is accessible through the internet.