MSC4190 login fails with MAS, due to unnecessarily checking for login flows

[meson800]

Synopsis

If you enable MSC4190 on the master branch here on a homeserver that is using OIDC delegation (in this case, to MAS), the call to get_login_flows fails. However, this call is unnecessary (AFAIK) in the case when MSC4190 is in use.

Error logs:

When using a bridge built against the bleeding-edge master of this library, you get this error because the bridge tries to hit _matrix/client/v3/login even though MSC4190 is enabled (and enabled in bridge config)

[DEBUG@mau.bridge.e2ee.client] req #5: GET http://synapse/_matrix/client/v3/login None
[DEBUG@mau.bridge.e2ee.client] req #5 (/v3/login) completed in 1.6ms with status 404
[CRITICAL@mau.init] Unexpected error in main event loop
 Traceback (most recent call last):
  File "/usr/lib/python3.11/site-packages/mautrix/util/program.py", line 211, in _run
    self.loop.run_until_complete(self.start())
  File "/usr/lib/python3.11/asyncio/base_events.py", line 654, in run_until_complete
     return future.result()
            ^^^^^^^^^^^^^^^
   File "/usr/lib/python3.11/site-packages/mautrix_googlechat/__main__.py", line 84, in start
     await super().start()
   File "/usr/lib/python3.11/site-packages/mautrix/bridge/bridge.py", line 254, in start
     await self.matrix.init_encryption()
   File "/usr/lib/python3.11/site-packages/mautrix/bridge/matrix.py", line 299, in init_encryption
     await self.e2ee.start()
   File "/usr/lib/python3.11/site-packages/mautrix/bridge/e2ee.py", line 250, in start
     flows = await self.client.get_login_flows()
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   File "/usr/lib/python3.11/site-packages/mautrix/client/api/authentication.py", line 46, in get_login_flows
     resp = await self.api.request(Method.GET, Path.v3.login)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mautrix/api.py", line 425, in request
     resp_data, resp = await self._send(
                       ^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3.11/site-packages/mautrix/api.py", line 265, in _send
    raise make_request_error(
 mautrix.errors.request.MUnrecognized: Unrecognized request

This happens because the _matrix/client/v3/login endpoint is reverse proxied to MAS, which, in my deploy, is outside of my docker containers.

Fix

Luckily, this call to get_login_flows is unneeded. In the mautrix-go library, if MSC4190 support is enabled, the GetLoginFlows call is skipped.

I will submit a pull request today with the reordered version of the equivalent call in the library, after I confirm that the logic from the Go library works in the Python library, and works for this bridge.

[tulir]

That sounds like your setup is broken. GET /_matrix/client/v3/login still works with MAS. See matrix.org for example: https://matrix-client.matrix.org/_matrix/client/v3/login (you can tell it's MAS from the presence of org.matrix.msc3824.delegated_oidc_compatibility)

[meson800]

My bridges live within a docker bridge network and connect to Synapse without a reverse proxy, so yeah I suppose from the bridge perspective this is (now) broken. Externally, I have a reverse proxy that points the /_matrix/client/*/login to the MAS container, and other endpoints to the Synapse container, so connecting from any client, including Element X works great.

I guess I could stand up a reverse proxy within Docker just for this purpose, but I still think it's still unnecessary though to make the login flows call if MSC4190 is enabled? I'm running a lot of the mautrix go bridgev2 bridges which work fine under MSC4190 and they don't make login calls.

As in, the flows variable is unused in the Python bridge if MSC4190 is enabled right now.