Re-Activating account fails when using SSO/SAML (with local passwords disabled)

[phewitt-uw]

Description

Using a self-hosted server, and using SAML2/SSO for authentication with local password DB is disabled. When you deactivate an account this works, but when you try to reactivate an account via API _synapse/admin/v2/users by setting "deactivated" to "false" API returns error:

{
"errcode": "M_UNKNOWN",
"error": "Must provide a password to re-activate an account."
}

and when you try to include a password API returns error:

{
"errcode": "M_FORBIDDEN",
"error": "Password change disabled"
}

Steps to reproduce

• enable SSO
• disable local password db in config
• activate account
• deactivate account
• then try to re-activate account using API

Version information

• Homeserver:

If not matrix.org:

• Version: 1.20.0

• Install method: docker images from matrixdotorg

• Platform: kubernetes & docker

[clokep]

Looks like the code around here needs to be updated to handle the case of an account not needing a password. I'm unsure there's a good way to check if an account is an SSO account or not, although we do have a table of external IDs to internal IDs. Maybe existing in there is a reasonable solution?

[anoadragon453]

Note that this seems separate from #8359 in that it only affects SSO users.

[localguru]

Hi, anything going on here? Or is there a workaround?

[callahad]

No current plans to address this on the Element side; we would gladly accept patches.

[localguru]

@clokep Hi, have the same problem. I'm ussing SSO (Shibboleht) and want to reactivate a user. Error is

{"errcode":"M_UNKNOWN","error":"Must provide a password to re-activate an account."}

Is there a workaround like changing deactivated in postgres?

[localguru]

hmm ... it set {"deactivated": false, "password": "foobar"}' via API, so that the user is reactivated. And then I set password_hash via SQL in users table to NULL: UPDATE users SET password_hash=NULL WHERE name = '@user:example.org';. BUT if I check the users data via API, the password is not NULL. Wrong way? Is there a way to set password via API to NULL or did I miss something in postgres tables?

[anoadragon453]

@localguru GET /_synapse/admin/v2/users/<user_id> attempts to pull from a cache before it pulls from the database. If you queried that user via the Admin API before, and then changed something directly in Postgres, Synapse will be unaware of the change and continue to serve the cached content.

Try restarting Synapse and see if the results of the Admin API call are correct.

[localguru]

@anoadragon453 okay, I will try that, can't restart a live server now. Is there another way to NULL a users password? I tried

POST /_synapse/admin/v1/reset_password/<user_id>

with a body of:

{
    "new_password": "<secret>",
    "logout_devices": true
}

with curl

curl --header "Authorization: Bearer ${ACCESS_TOKEN}" -XPUT -d \
    '{"new_password": "", "logout_devices": true}' \
    http://localhost:8008/_synapse/admin/v1/reset_password/${MATRIX_ID}

but get an error (may be because of SSO config): {"errcode":"M_UNRECOGNIZED","error":"Unrecognized request"}.

And the user is still listed in erased_users table. How do I get the user removed from this table? SQL or is there an API? I thought if I set deactivated to false via API, I should get rid of the user in the erased_table.

[localguru]

Hmmm ... now the entry for that user in erased_users is gone. Strange. Took about an hour.

[clokep]

Hmmm ... now the entry for that user in erased_users is gone. Strange. Took about an hour.

The cache timed out and the user got re-pulled from the database. This is what @anoadragon453 described above.

[localguru]

@clokep right, after a restart of synapse the password_hash is NULL via API too. Thanks. It would be nice to have a way to set password to NULL on SSO systems or better to reactivate an account without having to set a password, if SSO is used.