Enable Auth0 OpenID Connect?

[danielkokott]

Running the install like so:

helm upgrade --install ess oci://ghcr.io/element-hq/ess-helm/matrix-stack --namespace "ess" --values tls.yaml --values ess-config.yaml --wait

ess-config.yaml:

elementAdmin:
  ingress:
    host: admin.my-domain.com
elementWeb:
  ingress:
    host: chat.my-domain.com
matrixAuthenticationService:
  enabled: true
  ingress:
    host: account.my-domain.com
  additional:
    user-config.yaml:
      config: |
        account:
          email_change_allowed: false
        passwords:
          enabled: false
        upstream_oauth2:
          providers:
            - id: auth0
              issuer: https://my-test.eu.auth0.com/
              client_id: REDACTED CLIENT ID
              client_secret: “REDACTED CLIENT SECRET”
              scope: "profile openid email offline_access"
matrixRTC:
  ingress:
    host: mrtc.my-domain.com
serverName: synapse.my-domain.com
synapse:
  ingress:
    host: matrix.my-domain.com

I get error message:

level=WARN msg="upgrade failed" name=ess error="resource Deployment/ess/ess-matrix-authentication-service not ready. status: InProgress, message: Pending termination: 1\ncontext deadline exceeded"
Error: UPGRADE FAILED: resource Deployment/ess/ess-matrix-authentication-service not ready. status: InProgress, message: Pending termination: 1
context deadline exceeded

The deployment works without errors when the upstream_oauth2 section has been removed.
Changing the id to a valid ULID also did not seem to make a difference.

Documentation I use:

• https://github.com/element-hq/ess-helm/blob/main/docs/advanced.md#configuring-matrix-authentication-service
• https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#upstream_oauth2providers

Any help is very much appriciated.

[gaelgatelement]

When you see this error, you need to look at the logs of the failing resource. kubectl logs Deployment/ess/ess-matrix-authentication-service -n ess will explain what's happening.

Alternatively, I suggest using a TUI such as k9s to see the deployment rollout live and watch the pods logs.

[danielkokott]

Thank you. I did actually look at logs but didn't see any thing. I forgot to mention that. Did I miss something?

BUT :) :) I found the issue using the mas-cli like this:

kubectl exec -n ess -it deploy/ess-matrix-authentication-service -- mas-cli config dump

Now manually merging my user-config.yaml with dump into mas-config-test.yaml file

docker run -v ./:/app ghcr.io/element-hq/matrix-authentication-service:main config check --config=/app/mas-config-test.yaml

Error: missing field `token_endpoint_auth_method` for key "default.upstream_oauth2.providers.0" in app/mas-config-test.yaml YAML file

[gaelgatelement]

Thank you. I did actually look at logs but didn't see any thing. I forgot to mention that. Did I miss something?

BUT :) :) I found the issue using the mas-cli like this:

kubectl exec -n ess -it deploy/ess-matrix-authentication-service -- mas-cli config dump

Now manually merging my user-config.yaml with dump into mas-config-test.yaml file

docker run -v ./:/app ghcr.io/element-hq/matrix-authentication-service:main config check --config=/app/mas-config-test.yaml

Error: missing field `token_endpoint_auth_method` for key "default.upstream_oauth2.providers.0" in app/mas-config-test.yaml YAML file

I wonder if you somehow looked at the logs of the working pod. Kubernetes will try to start a new MAS pod with the new configuration before stopping the previous one. You might have had to use kubectl get pods to list pods and see their logs.

Anyone, can we close then?

[danielkokott]

Makes sense that the logs from the deployment do not show the failing containers.

Yes, we can close this :)
Thank you for your time!