
Add a service of OpenID Provider (like Dex) to use with MAS #3852

Open
igogold opened this issue Dec 4, 2024 · 2 comments
Labels
suggestion This issue is a feature request

Comments

@igogold
Contributor

igogold commented Dec 4, 2024

Upcoming problem

In the future, work with user credentials will be moved from the Synapse server to a separate Matrix Authentication Service (MAS). This will cause password providers in Synapse to stop working, including matrix-synapse-ldap3, through which it was possible to access the LDAP servers (or even the Active Directory servers). MAS supports only a local database with usernames and passwords, but is able to access upstream OpenID Connect servers. And those of them who can, in turn, will be able to access the LDAP servers.

Possible solution

One of these OpenID Connect open-source servers is Dex, so it would be handy to be able to deploy and configure it via ansible at the same time as installing MAS.

An alternative

Another open-source Identity provider with LDAP support is Keycloak, but it seems heavier than Dex.

Additional context

And also the documentation for MAS says:

The Matrix Authentication Service has been created to support the migration of Matrix to an OpenID Connect (OIDC) based architecture as per MSC3861.

It is not intended to be a general purpose Identity Provider (IdP) and instead focuses on the specific needs of Matrix.

Furthermore, it is only intended that it would speak OIDC for authentication and not other protocols. Instead, if you want to connect to an upstream SAML, CAS or LDAP backend then you need to pair MAS with a separate service (such as Dex or Keycloak) which does that translation for you.

@igogold igogold added the suggestion This issue is a feature request label Dec 4, 2024
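The chain the issue describes (MAS keeps only a local database, delegates to an upstream OIDC provider, and that provider talks to LDAP), shown as an added configuration example that is not from the issue, the playbook, or either project's documentation: a Dex config with an LDAP connector over LDAPS, and the matching MAS `upstream_oauth2` provider entry. All hostnames, the provider ULID, the bind DN, file paths and secrets are placeholders, and the `preferred_username` claim is assumed to be populated by Dex's LDAP connector from the `username` attribute.

```yaml
# --- Dex: config.yaml (hosts, paths and secrets are placeholders) ---
issuer: https://dex.example.com
storage:
  type: sqlite3
  config: { file: /var/dex/dex.db }
web:
  http: 0.0.0.0:5556              # terminate TLS at a reverse proxy in front of this
staticClients:
  - id: matrix-authentication-service
    name: Matrix Authentication Service
    secret: CHANGE_ME_CLIENT_SECRET       # placeholder; must match client_secret in MAS
    redirectURIs:
      # MAS callback path is /upstream/callback/<provider id from the MAS config>
      - https://auth.example.com/upstream/callback/01HFVBY12TMNTYTBV8W921M5FA
connectors:
  - type: ldap
    id: ldap
    name: Company LDAP
    config:
      host: ldap.example.com:636          # LDAPS; do not use insecureNoSSL in production
      rootCA: /etc/dex/ldap-ca.pem        # pin the directory's CA instead of insecureSkipVerify
      bindDN: cn=dex-readonly,ou=service,dc=example,dc=com   # read-only service account
      bindPW: CHANGE_ME_BIND_PASSWORD                        # placeholder
      userSearch:
        baseDN: ou=people,dc=example,dc=com
        filter: "(objectClass=person)"
        username: uid            # attribute matched against what the user types
        idAttr: uid              # stable identifier; becomes the OIDC `sub` claim
        emailAttr: mail
        nameAttr: cn
---
# --- MAS: upstream_oauth2 section of config.yaml pointing at Dex ---
upstream_oauth2:
  providers:
    - id: 01HFVBY12TMNTYTBV8W921M5FA      # ULID; reused in the Dex redirect URI above
      human_name: Company LDAP (via Dex)
      issuer: https://dex.example.com     # endpoints are read from this issuer's discovery document
      client_id: matrix-authentication-service
      client_secret: CHANGE_ME_CLIENT_SECRET
      token_endpoint_auth_method: client_secret_basic
      scope: "openid profile email"
      claims_imports:
        localpart:
          action: require                 # refuse the login if no username claim arrives
          template: "{{ user.preferred_username }}"
        email:
          action: suggest
          template: "{{ user.email }}"
```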
@spantaleev
Owner

It should be noted that Keycloak and Authentik are already supported services in the sister playbook mash-playbook. The Ansible roles for these (ansible-role-keycloak and ansible-role-authentik) are independent and can easily be added to this playbook as well, but there's probably no point, because:

  • I think for most Matrix homeserver administrators, the local user database provided by MAS will probably be good enough and they won't need a dedicated powerful identity server. For those others that need LDAP integration, etc., perhaps going with something heavy-weight as Keycloak, etc. is reasonable

  • in a lot of cases (organizations integrating Matrix into their existing infrastructure), they already have an existing identity server that they're already using for other things

  • installing an identity server is likely outside the scope of this playbook, given that the sister playbook mash-playbook supports it and both playbooks are easily interoperable

  • since the identity server is an important single point of failure that many services depend on, many organizations may actually wish to pay someone else to run it or host it in a high-availability manner (perhaps on Kubernetes via a Helm chart like bitnami/keycloak)

@igogold
Contributor Author

igogold commented Dec 4, 2024

Thank you!
I already use some services from mash playbook so I'll check Keycloak and Authentik roles. I searched only Dex there and forgot to search Keycloak.
