Registration Token requirement can be bypassed by logging in with SSO

[morg-mov]

Description

Registration Token requirement (where you need a token given by an admin to sign up) can be bypassed by using a Third Party (OpenID) login service
I wish to have OpenID enabled on my private homeserver for the convenience of the people I give access to.
And I have registration tokens enabled since my Homeserver is private. (duh)

Steps to reproduce

• Create account via Third Party (Twitch, Google, Github, Whatever) with Registration Token requirement enabled.

Version information

• Homeserver: Would rather not provide publicly due to it being private, however it is self-hosted.

If not matrix.org:

• Version: 1.44.0

• Install method: Docker-Compose

• Platform: Ubuntu 20.04 Server running on actual hardware, Homeserver running in Docker Container

[DMRobertson]

I think the registration tokens are a fairly recent development, judging by the timelines on #10142 and matrix-org/matrix-spec-proposals#3231 .

If I understand correctly @Morg-S9 , I think you want to:

• allow users to authenticate via OpenID
• while requiring them to prove they were invited (by the token)

From a brief read, it sounds like the auth type m.login.registration_token is an alternative to other auth types, and not an additional requirement. If that's the case, it sounds like the behaviour is as intended (though I appreciate it's not what you expected!)

Perhaps someone in @matrix-org/spec-core-team can check my working?

[clokep]

From a brief read, it sounds like the auth type m.login.registration_token is an alternative to other auth types, and not an additional requirement.

I think it should theoretically be able to stacked on top (due to the way that UI authentication works), but there might be some gotchas with doing that with SSO. E.g. I'm not sure if we do that for consent right now.

[anoadragon453]

The current implementation require users additionally provide a token when registering:

synapse/docs/sample_config.yaml

Lines 1217 to 1224 in 6045331

	# Require users to submit a token during registration.
	# Tokens can be managed using the admin API:
	# https://matrix-org.github.io/synapse/latest/usage/administration/admin_api/registration_tokens.html
	# Note that `enable_registration` must be set to `true`.
	# Disabling this option will not delete any tokens previously generated.
	# Defaults to false. Uncomment the following to require tokens:
	#
	#registration_requires_token: true

The issue here may be that using SSO is considered a login (you've already registered an account elsewhere), rather than a registration through user-interactive authentication stages (which m.login.registration_token is one of). (Unless this is about a different mechanism which uses user-interactive auth for social login?)

[clokep]

The issue here may be that using SSO is considered a login (you've already registered an account elsewhere), rather than a registration through user-interactive authentication stages (which m.login.registration_token is one of). (Unless this is about a different mechanism which uses user-interactive auth for social login?)

Ah, yes that's likely why it doesn't work. SSO is a login, not registration. I think there's some bits in there to do consent and such though after making the account.

[callahad]

It would be nice if you could configure this to be AND or OR'd with SSO, but that's evidently nontrivial. Right now it's OR and our documentation should make that more obvious to avoid footguns.

[deepbluev7]

If /login used UIA, you could add registration_tokens as an additional UIA stage. Sadly it does not use UIA and SSO is a different beast again. (relevant MSC: matrix-org/matrix-spec-proposals#2835)