Serving synapse on a subpath breaks OIDC due to session cookie having incorrect path #9574
Comments
We currently only support endpoints being hosted at the root path of a domain, hence the hardcoded path. However we have been planning towards lifting this restriction. I'm curious whether you've been successfully hosting your Client Server API (and Federation API?) on a subpath without running into any other issues?
Hi, We're running a non-federating server, so can't speak about federation API; regarding client-server API, in a few weeks of running 1.28.0 with patched OIDC we have not run into any other issue. I'm attaching the patch to
@imaspeer out of interest, what is the use case for hosting synapse at a sub-path? This came up in another context and I'm interested to know if there are important reasons we should support it.
After discussion today: we're inclined to fix this for you by merging #9726, but we have no intention of formally supporting Synapse on a subpath :) We would love to know more about your use case, though!
Applied a (slightly modified) patch from #9574. As far as I understand this would allow the cookie set during the OIDC flow to work on deployments using public baseurls that do not sit at the URL path root.
Closing this issue now that the patch has landed - but feel free to still comment here about your use case! This likely won't be the last thing to need fixing w.r.t hosting endpoints on subpaths :)
The session cookie synapse sets before redirecting to the OIDC provider always has its path set to `/_synapse/client/oidc` regardless of the configured `public_baseurl`. If synapse is served on a subpath rather than at the webserver's root (e.g. `domain.example/matrix`), this causes the cookie to not be sent with the callback request (since the path `/matrix/_synapse/client/oidc/callback` does not match the cookie's), which then fails with the error `missing_session`.
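The path mismatch reported above, as an added example that is not part of the original issue and is not Synapse's own code: it applies the RFC 6265 path-match rule to the hardcoded cookie path and to one derived from `public_baseurl`. The helper names (`cookie_path_for`, `callback_path_for`, `cookie_sent`) are hypothetical and the base URLs are constructed sample values.

```python
from urllib.parse import urlsplit

# Cookie path quoted in the issue as being set regardless of public_baseurl.
HARDCODED_COOKIE_PATH = "/_synapse/client/oidc"


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 section 5.1.4: does request_path path-match cookie_path?"""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        # A prefix only matches on a path-segment boundary.
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def cookie_path_for(public_baseurl: str) -> str:
    """Hypothetical helper: prefix the OIDC path with the base URL's own path.

    This keeps the cookie scoped to the OIDC endpoints instead of widening
    it to "/" just to make the callback work.
    """
    base_path = urlsplit(public_baseurl).path.rstrip("/")
    return base_path + HARDCODED_COOKIE_PATH


def callback_path_for(public_baseurl: str) -> str:
    """Path of the OIDC callback request as the browser sees it."""
    return cookie_path_for(public_baseurl) + "/callback"


def cookie_sent(public_baseurl: str, cookie_path: str) -> bool:
    """Would a browser attach a cookie with cookie_path to the callback?"""
    return path_matches(cookie_path, callback_path_for(public_baseurl))


if __name__ == "__main__":
    for base in ("https://domain.example/", "https://domain.example/matrix/"):
        print(base,
              "hardcoded:", cookie_sent(base, HARDCODED_COOKIE_PATH),
              "derived:", cookie_sent(base, cookie_path_for(base)))
```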