Document the default policy behaviour around admin scopes
sandhose opened this issue · comments
The default policy is not documented at all, but it is especially tricky to understand how admin scopes (urn:synapse:admin:*
and urn:mas:admin
) interact with it. This needs to be documented
A few informations to include, in a very brain-dumpy format:
- There are three main ways to get an access token:
- Interactively, through an authorisation code grant, in which case the token has a user attached to it. This is regulated by the policy engine
- Programatically, through a client credentials grant, in which case the token has no user attached to it, only an OAuth client. This is regulated by the policy engine
- Programatically, through MAS' GraphQL API, using the
createOauth2Session
mutation. This is completely unregulated, arbitrary (including non-existing) scopes can be granted through this. The only restriction is that the token making the API call needs to be admin (= has theurn:mas:admin
scope)
- The
urn:synapse:admin:*
scope grants access to/_synapse/admin/*
. Because of some Synapse subtlety, this scope has to be linked to a user, so it can't be requested through the client credentials grant - The
urn:mas:admin
scope grants admin access to MAS' GraphQL API, which lets it request and edit resources of other users than the current one, and access a few privileged mutations. When requesting this scope, theurn:mas:graphql:*
scope should be requested as well. - With the default policy, a user can request the
urn:synapse:admin:*
scope or theurn:mas:admin
scope if:- their username (aka. localpart of the MXID) is listed in
policy.data.admin_users
- or if their account has the
can_request_admin
flag in the database set to true (see below about toggling that flag)
- their username (aka. localpart of the MXID) is listed in
- With the default policy, a client can request the
urn:mas:admin
scope if their client ID is listed inpolicy.data.admin_clients
- The GraphQL schema is self-documented. A playground can be found in MAS itself, for example: https://auth-oidc.lab.element.dev/graphql/playground
- The URL of the GraphQL endpoint can be discovered with the
org.matrix.matrix-authentication-service.graphql_endpoint
property in the OIDC discovery document - The
can_request_admin
flag can be found on theusers
table in the database, and can be dynamically toggled using thesetCanRequestAdmin
mutation. This mutation requires auserId
, which can be found on users using theuserByUsername
query method
I tried to configure a user via policy.data.admin_users
as admin.
The user gets always the normal user claims:
Introspection result: {'active': True, 'scope': 'urn:matrix:org.matrix.msc2967.client:api:* urn:matrix:org.matrix.msc2967.client:device:l1qiNGItBF', 'client_id': 'legacy'
Do I understand correctly that the admin claim must be explicitly requested? And does this also work via legacy OIDC login?
_matrix/client/r0/login/sso/redirect?redirectUrl=https%3A%2F%2F...