{"id":22741837,"url":"https://github.com/t2bot/synapse-vault-auth-provider","last_synced_at":"2025-03-30T04:14:19.547Z","repository":{"id":114495864,"uuid":"155009786","full_name":"t2bot/synapse-vault-auth-provider","owner":"t2bot","description":"Synapse auth provider to enable vault-plugin-secrets-matrix: https://github.com/t2bot/vault-plugin-secrets-matrix","archived":false,"fork":false,"pushed_at":"2018-10-28T03:12:31.000Z","size":16,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-02-05T06:33:57.639Z","etag":null,"topics":["auth","matrix","provider","synapse","vault"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/t2bot.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-10-27T21:12:36.000Z","updated_at":"2021-03-29T09:24:56.000Z","dependencies_parsed_at":"2023-05-17T02:45:31.784Z","dependency_job_id":null,"html_url":"https://github.com/t2bot/synapse-vault-auth-provider","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t2bot%2Fsynapse-vault-auth-provider","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t2bot%2Fsynapse-vault-auth-provider/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t2bot%2Fsynapse-vault-auth-provider/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/t2bot%2Fsynapse-vault-auth-provider/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/t2bot","download_url":"https://codeload.github.com/t2bot/synapse-vault-auth-provider/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246273552,"owners_count":20750906,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["auth","matrix","provider","synapse","vault"],"created_at":"2024-12-11T00:18:46.617Z","updated_at":"2025-03-30T04:14:19.542Z","avatar_url":"https://github.com/t2bot.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# synapse-vault-auth-provider\n\nSynapse auth provider to enable [vault-plugin-secrets-matrix](https://github.com/t2bot/vault-plugin-secrets-matrix)\n\n# Install / Upgrade\n\nIn the same Python environment that runs Synapse, `pip install https://github.com/t2bot/synapse-vault-auth-provider/tarball/master`.\nThis installs whatever is on `master` at install time; put a commit hash in place of `master` in that URL if you need a reproducible install.\n\n# Usage\n\nAdd the following to your `homeserver.yaml`:\n\n```yaml\npassword_providers:\n  # The importable module name uses underscores (Python module names cannot\n  # contain hyphens); it is the same name the logger below uses.\n  - module: \"synapse_vault_auth_provider.VaultAuthProvider\"\n    config:\n      # The address where this module can reach Vault\n      vault_url: https://localhost:8200\n\n      # The Vault token to use. It should have read-only access to the vault_path_root\n      # described below and nothing else: it can read every user's login secret.\n      # Comment out to use the VAULT_TOKEN environment variable. Either way, keep\n      # homeserver.yaml (or the Synapse environment) readable only by the Synapse user.\n      vault_token: \"YourTokenHere\"\n\n      # The base path this provider will use to look for user shared secrets. Secrets\n      # are stored in Vault to verify that the requesting party has the appropriate\n      # permissions to actually obtain an access_token for a user.\n      #\n      # For example, if an access token for the user @alice:example.org was requested,\n      # this provider will get the shared secret from \"secret/matrix/users/@alice:example.org\"\n      # and use that secret to verify the request. Therefore, the Vault token listed\n      # above should have read access to secret/matrix/users/* (or whatever your path\n      # actually is). On a KV version 2 mount the ACL path for that read is\n      # secret/data/matrix/users/*; see \"Shared secret storage in Vault\" below.\n      #\n      # Note that this is the path itself without the mount point. In the examples above,\n      # this would end up being \"matrix/users\" while the mount point is \"secret\".\n      vault_path_root: \"matrix/users\"\n\n      # The mount point for the above path root.\n      vault_kv_mount_point: \"secret\"\n```\n\nSynapse will need to be restarted to pick up the configuration change.\n\n## Logging\n\nAll logging is done under the name `synapse_vault_auth_provider` and should show up\nin your homeserver's logs during an applicable login request. If the logging doesn't\nshow up, change your logging configuration to include:\n\n```yaml\nloggers:\n  synapse_vault_auth_provider:\n    level: INFO\n```\n\nSynapse will need to be restarted to pick up logging configuration changes.\n\n# Example Login\n\nFirst, the client should request the login flows to ensure the provider is active\nand able to be used:\n\n```\nGET /_matrix/client/r0/login\n\nResponse:\n{\n  \"flows\": [\n    {\n      \"type\": \"io.t2bot.vault\"\n    }\n  ]\n}\n```\n\nAssuming the `type` above is listed as a login flow, the client should then get the\nshared secret for the user it wishes to get an access token for. With the default config,\nthe shared secret is stored at `secret/matrix/users/@someone:example.org` by an external\nparty (this provider only reads it).\n\nThe client then computes a SHA-256 HMAC from the shared secret and the user ID and sends\nit as `token_hash` in a login request (the provider recomputes the same value from the\nsecret it reads out of Vault):\n\n```\nPOST /_matrix/client/r0/login\n\nBody:\n{\n  \"type\": \"io.t2bot.vault\",\n  \"identifier\": {\n    \"type\": \"m.id.user\",\n    \"user\": \"@someone:example.org\"\n  },\n  \"token_hash\": \"some_very_long_sha256_string\"\n}\n\nResponse:\n{\n  \"user_id\": \"@someone:example.org\",\n  \"access_token\": \"SomeSortOfAccessToken\",\n  \"device_id\": \"SomeDevice\"\n}\n```\n\nIf the hash matches what the provider expects, the response above is returned for the\nclient to use; otherwise the login fails. Note that `token_hash` depends only on the\nshared secret and the user ID, so it is the same on every login: anyone who captures it\ncan replay it until the secret is rotated. Only send it over TLS, and treat a leaked\n`token_hash` like a leaked `login_secret`.\n\n# Shared secret storage in Vault\n\nIf `secret/` is not already a KV mount, enable one (version 2, so the `data/` path layout\nmentioned above applies):\n\n```\nvault secrets enable -path=secret -version=2 kv\n```\n\nIf `secret/` is an existing KV version 1 mount, upgrade it to version 2 instead:\n\n```\nvault kv enable-versioning secret/\n```\n\nGive your own token write access and the provider's token read access to\n`secret/matrix/users/*` (as a KV version 2 policy path, `secret/data/matrix/users/*`), then\nwrite the secret, using a long random value rather than anything guessable (for\nexample the output of `openssl rand -base64 32`):\n\n```\nvault kv put secret/matrix/users/@alice:example.org login_secret=YourRandomString\n```\n\nAnd there you go! The provider will use the value of `login_secret` as the shared secret\nfor that user.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft2bot%2Fsynapse-vault-auth-provider","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ft2bot%2Fsynapse-vault-auth-provider","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ft2bot%2Fsynapse-vault-auth-provider/lists"}
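The `io.t2bot.vault` login exchange from the README, worked through end to end as an added example: this is illustration code written for this page, not code from t2bot/synapse-vault-auth-provider or vault-plugin-secrets-matrix. Because the README does not pin down the construction, it assumes `token_hash` is the hex digest of HMAC-SHA256 keyed with the shared secret over the Matrix user ID. The names `kv_paths`, `build_login_request`, `check_auth`, `fake_reader`, `FAKE_KV` and `hvac_reader` are chosen here, the KV contents are constructed, and the `hvac` calls in `hvac_reader` are an assumption about that client library that the offline demo never executes.

```python
"""io.t2bot.vault login exchange, both sides, against an in-memory stand-in for Vault."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

LOGIN_TYPE = "io.t2bot.vault"   # flow type advertised on GET /_matrix/client/r0/login (from the README)
SECRET_FIELD = "login_secret"   # field inside the KV entry (from the README)

# Reader contract: given the path below the mount point ("matrix/users/@alice:example.org"),
# return that entry's key/value data, or None when no such entry exists.
SecretReader = Callable[[str], Optional[Dict[str, str]]]


def kv_paths(mount_point: str, path_root: str, user_id: str) -> Dict[str, str]:
    """Paths derived from vault_kv_mount_point / vault_path_root.

    'cli' is what `vault kv get` and `vault kv put` take; 'api' and 'policy' carry the
    data/ segment a KV version 2 mount inserts, which is what an ACL policy for the
    provider's token has to name.
    """
    root = path_root.strip("/")
    return {
        "cli": f"{mount_point}/{root}/{user_id}",
        "api": f"{mount_point}/data/{root}/{user_id}",
        "policy": f"{mount_point}/data/{root}/*",
    }


def token_hash(shared_secret: str, user_id: str) -> str:
    """Client side. ASSUMED construction: HMAC-SHA256, key = shared secret, message = user ID, hex."""
    return hmac.new(shared_secret.encode("utf-8"), user_id.encode("utf-8"), hashlib.sha256).hexdigest()


def build_login_request(user_id: str, shared_secret: str) -> dict:
    """Client side: the POST /_matrix/client/r0/login body shown in the README."""
    return {
        "type": LOGIN_TYPE,
        "identifier": {"type": "m.id.user", "user": user_id},
        "token_hash": token_hash(shared_secret, user_id),
    }


def check_auth(user_id: str, login_type: str, login_dict: dict,
               read_secret: SecretReader, path_root: str = "matrix/users") -> Optional[str]:
    """Provider side: the user ID to log in, or None to reject.

    Wrong flow type, no KV entry, an entry without login_secret, and a wrong hash all
    reject; the digest comparison is constant-time so response timing does not leak
    how much of the expected value the client got right.
    """
    if login_type != LOGIN_TYPE:
        return None
    presented = login_dict.get("token_hash")
    if not isinstance(presented, str):
        return None
    entry = read_secret(f"{path_root.strip('/')}/{user_id}")
    if not entry or SECRET_FIELD not in entry:
        return None  # nothing provisioned for this user, so nobody can log in as them
    expected = token_hash(entry[SECRET_FIELD], user_id)
    if not hmac.compare_digest(expected.encode("ascii"), presented.encode("utf-8")):
        return None
    return user_id


# Constructed stand-in for the KV version 2 mount at secret/, keyed the way the README
# lays it out: matrix/users/<user id> -> the entry's fields.
FAKE_KV: Dict[str, Dict[str, str]] = {
    "matrix/users/@alice:example.org": {"login_secret": "YourRandomString"},
    "matrix/users/@bob:example.org": {"note": "provisioned without a login_secret field"},
}


def fake_reader(rel_path: str) -> Optional[Dict[str, str]]:
    return FAKE_KV.get(rel_path)


def hvac_reader(vault_url: str, vault_token: str, mount_point: str = "secret") -> SecretReader:
    """The same reader backed by a real Vault through the hvac client (not run offline).

    Assumes hvac's KV v2 read returns {"data": {"data": {...}, "metadata": {...}}} and
    raises hvac.exceptions.InvalidPath for a missing entry.
    """
    import hvac  # imported here so the offline demo does not need it installed

    client = hvac.Client(url=vault_url, token=vault_token)

    def read(rel_path: str) -> Optional[Dict[str, str]]:
        try:
            resp = client.secrets.kv.v2.read_secret_version(path=rel_path, mount_point=mount_point)
        except hvac.exceptions.InvalidPath:
            return None
        return resp["data"]["data"]

    return read


if __name__ == "__main__":
    req = build_login_request("@alice:example.org", "YourRandomString")
    print(req)                                                               # what the client POSTs
    print(check_auth("@alice:example.org", req["type"], req, fake_reader))   # @alice:example.org
    print(check_auth("@bob:example.org", req["type"], req, fake_reader))     # None: hash is bound to alice
    print(kv_paths("secret", "matrix/users", "@alice:example.org")["policy"])  # secret/data/matrix/users/*
```

Two things the README's prose does not make visible: the user ID is inside the HMAC, so a captured `token_hash` for one user is useless for another, and the read policy for the provider's token must name `secret/data/matrix/users/*` on a KV version 2 mount even though `vault kv put` is typed without the `data/` segment.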