Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Re-Activating account fails when using SSO/SAML (with local passwords disabled) #8393

Closed
phewitt-uw opened this issue Sep 24, 2020 · 11 comments · Fixed by #9587
Closed

Re-Activating account fails when using SSO/SAML (with local passwords disabled) #8393

phewitt-uw opened this issue Sep 24, 2020 · 11 comments · Fixed by #9587
Labels
A-SSO Single Sign-On (maybe OIDC) S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.

Comments

@phewitt-uw
Copy link

Description

Using a self-hosted server, and using SAML2/SSO for authentication with local password DB is disabled. When you deactivate an account this works, but when you try to reactivate an account via API _synapse/admin/v2/users by setting "deactivated" to "false" API returns error:

{
"errcode": "M_UNKNOWN",
"error": "Must provide a password to re-activate an account."
}

and when you try to include a password API returns error:

{
"errcode": "M_FORBIDDEN",
"error": "Password change disabled"
}

Steps to reproduce

  • enable SSO
  • disable local password db in config
  • activate account
  • deactivate account
  • then try to re-activate account using API

Version information

  • Homeserver:

If not matrix.org:

  • Version: 1.20.0

  • Install method: docker images from matrixdotorg

  • Platform: kubernetes & docker
@clokep clokep added z-bug (Deprecated Label) A-SSO Single Sign-On (maybe OIDC) z-p2 (Deprecated Label) labels Sep 24, 2020
@clokep
Copy link
Member

clokep commented Sep 24, 2020

Looks like the code around here needs to be updated to handle the case of an account not needing a password. I'm unsure there's a good way to check if an account is an SSO account or not, although we do have a table of external IDs to internal IDs. Maybe existing in there is a reasonable solution?

@anoadragon453
Copy link
Member

Note that this seems separate from #8359 in that it only affects SSO users.

@localguru
Copy link
Contributor

Hi, anything going on here? Or is there a workaround?

@callahad
Copy link
Contributor

No current plans to address this on the Element side; we would gladly accept patches.

@clokep clokep added the Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution label Nov 30, 2020
@localguru
Copy link
Contributor

@clokep Hi, have the same problem. I'm ussing SSO (Shibboleht) and want to reactivate a user. Error is

{"errcode":"M_UNKNOWN","error":"Must provide a password to re-activate an account."}

Is there a workaround like changing deactivated in postgres?

@localguru
Copy link
Contributor

localguru commented Jan 28, 2021

hmm ... it set {"deactivated": false, "password": "foobar"}' via API, so that the user is reactivated. And then I set password_hash via SQL in users table to NULL: UPDATE users SET password_hash=NULL WHERE name = '@user:example.org';. BUT if I check the users data via API, the password is not NULL. Wrong way? Is there a way to set password via API to NULL or did I miss something in postgres tables?

@anoadragon453
Copy link
Member

@localguru GET /_synapse/admin/v2/users/<user_id> attempts to pull from a cache before it pulls from the database. If you queried that user via the Admin API before, and then changed something directly in Postgres, Synapse will be unaware of the change and continue to serve the cached content.

Try restarting Synapse and see if the results of the Admin API call are correct.

@clokep clokep added S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues. and removed z-bug (Deprecated Label) Z-Help-Wanted We know exactly how to fix this issue, and would be grateful for any contribution z-p2 (Deprecated Label) labels Jan 28, 2021
@localguru
Copy link
Contributor

localguru commented Jan 28, 2021

@anoadragon453 okay, I will try that, can't restart a live server now. Is there another way to NULL a users password? I tried

POST /_synapse/admin/v1/reset_password/<user_id>

with a body of:

{
    "new_password": "<secret>",
    "logout_devices": true
}

with curl

curl --header "Authorization: Bearer ${ACCESS_TOKEN}" -XPUT -d \
    '{"new_password": "", "logout_devices": true}' \
    http://localhost:8008/_synapse/admin/v1/reset_password/${MATRIX_ID}

but get an error (may be because of SSO config): {"errcode":"M_UNRECOGNIZED","error":"Unrecognized request"}.

And the user is still listed in erased_users table. How do I get the user removed from this table? SQL or is there an API? I thought if I set deactivated to false via API, I should get rid of the user in the erased_table.

@localguru
Copy link
Contributor

Hmmm ... now the entry for that user in erased_users is gone. Strange. Took about an hour.

@clokep
Copy link
Member

clokep commented Jan 28, 2021

Hmmm ... now the entry for that user in erased_users is gone. Strange. Took about an hour.

The cache timed out and the user got re-pulled from the database. This is what @anoadragon453 described above.

@localguru
Copy link
Contributor

@clokep right, after a restart of synapse the password_hash is NULL via API too. Thanks. It would be nice to have a way to set password to NULL on SSO systems or better to reactivate an account without having to set a password, if SSO is used.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
A-SSO Single Sign-On (maybe OIDC) S-Minor Blocks non-critical functionality, workarounds exist. T-Defect Bugs, crashes, hangs, security vulnerabilities, or other reported issues.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

5 participants