Node.js library that implements Matrix Identity Service API and this proposal
Example using express:
import express from 'express'
import FederatedIdentityService from '@twake/federated-identity-service'
// if configuration is in default file (/etc/twake/federated-identity-service.conf)
const federatedIdentityService = new FederatedIdentityService()
// else if configuration is in a different file, set TWAKE_FEDERATED_IDENTITY_SERVICE_CONF
process.env.TWAKE_FEDERATED_IDENTITY_SERVICE_CONF = '/path/to/config/file'
const federatedIdentityService = new FederatedIdentityService()
// You can also give configuration directly
const federatedIdentityService = new FederatedIdentityService(config)
const app = express()
federatedIdentityService.ready.then( () => {
app.use(federatedIdentityService.routes)
app.listen(3000)
})Configuration file is a JSON file. The default values are in src/config.json.
Sending requests to the federated identity service requires to be logged on this server. The token allowing to send requests to Tom-server does not work with the federated identity service.
After the user signed in, the client has to send a GET request to /.well-known/matrix/client endpoint or /.well-known/twake/client endpoint. If the response body contains the m.federated_identity_services key then at least one federated identity service is available. Keep the value of the base_urls field that you will find inside the m.federated_identity_services object.
These are the steps to obtain a token that works on the federated identity service:
- Send a POST request to the URL
https://<matrix_server_address>/_matrix/client/v3/user/<userId>/openid/request_token, you have to replacematrix_server_addressby the address of the Matrix server selected by the user, anduserIdby the Matrix id of the user. The request body has to be empty and you have to set theAuthorizationheader with the valueBearer <user_matrix_token>whereuser_matrix_tokenis the token retrieved on sign in. For more details see Matrix specification. NB: Theaccess_tokengiven in response can be used to register into any Matrix identity service or to ask for a Token exchange into a yadd/lemonldap-ng-portal server - The response body of the previous request now should be sent to the URL
https://<federated_identity_service>/_matrix/identity/v2/account/register.federated_identity_servicehas to be replaced by each federated identity service address retrieved in the response body of the request sent on the first step. One request by federated identity service. TheAuthorizationheader does not need to be set. If the request does not work, maybe the value ofmatrix_server_namein the body is not the good one. For more details see Matrix specification- The response body JSON of each request will contain a
tokenfield whose the value will allow to be authenticated on the matching federated identity service.
- The response body JSON of each request will contain a
Federation Identity Service is available on Docker. You can configure it using environment variables:
- Required parameters:
TRUSTED_SERVERS_ADDRESSES: the space separated list of Tom-Servers allowed to push data. Networks or IP addressesBASE_URL; the public URL of this service (example: https://fed-id-service.example.com/)DATABASE_ENGINE(sqliteorpg),DATABASE_HOST,DATABASE_NAME,DATABASE_USER,DATABASE_PASSWORD: the database parameters
- Optional parameters:
CRON_SERVICE(true/false): enable ot disable cron tasks. It is required to have at least one active federated-odentity-service withCRON_SERVICEactive per database- Logs:
LOG_TRANSPORTS: set toConsoleLOG_LEVEL: default to "error", possible values: "error", "warn", "info", "http", "verbose", "debug", "silly"
A federation server is also a Matrix Identity Service, thus all parameters of this service can also be enabled but this is interseting only if this instance is also used as ToM-Server.
Copyright (c) 2023-present Linagora https://linagora.com
License: GNU AFFERO GENERAL PUBLIC LICENSE