Allow using HTTP/2 over plaintext when introspecting tokens with MAS (#19586)

Quentin Gliech
2026-03-18 19:47:17 +01:00
committed by GitHub
parent 261bfb786f
commit edf5ce277a
5 changed files with 13 additions and 0 deletions

@@ -0,0 +1 @@
Introduce a [configuration option](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#matrix_authentication_service) to allow using HTTP/2 over plaintext when Synapse connects to Matrix Authentication Service.

@@ -653,6 +653,8 @@ This setting has the following sub-options:
* `endpoint` (string): The URL where Synapse can reach MAS. This *must* have the `discovery` and `oauth` resources mounted. Defaults to `"http://localhost:8080"`.
* `force_http2` (boolean): Force HTTP/2 over plaintext (H2C) when connecting to MAS. MAS supports this natively, but a reverse proxy between Synapse and MAS may not. Defaults to `false`.
* `secret` (string|null): A shared secret that will be used to authenticate requests from and to MAS.
* `secret_path` (string|null): Alternative to `secret`, reading the shared secret from a file. The file should be a plain text file, containing only the secret. Synapse reads the secret from the given file once at startup.
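Review bot: the `force_http2` bullet does not say what an operator should expect when the option is enabled and the peer cannot speak H2C; it only warns that a reverse proxy "may not" support it. If the client has no HTTP/1.1 fallback once this is set (the `http2_only` argument name used elsewhere in this commit suggests so), say explicitly that requests to MAS will fail rather than downgrade. Since the neighbouring `secret` bullet shows these requests are authenticated with a shared secret, it is also worth one sentence reminding readers that H2C carries no TLS, in the same way as the default `http://localhost:8080` endpoint.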

@@ -677,6 +677,13 @@ properties:
and `oauth` resources mounted.
default: http://localhost:8080
force_http2:
type: boolean
description: >-
Force HTTP/2 over plaintext (H2C) when connecting to MAS. MAS supports
this natively, but a reverse proxy between Synapse and MAS may not.
default: false
secret:
type: ["string", "null"]
description: >-

@@ -111,6 +111,7 @@ class MasDelegatedAuth(BaseAuth):
self._rust_http_client = HttpClient(
reactor=hs.get_reactor(),
user_agent=self._http_client.user_agent.decode("utf8"),
http2_only=self._config.force_http2,
)
self._server_metadata = RetryOnExceptionCachedCall[ServerMetadata](
self._load_metadata
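Review bot: `http2_only=self._config.force_http2` is passed only to `_rust_http_client`, while `self._http_client`, read on the line above for its user agent, is left unchanged. The commit title scopes the change to token introspection, but the documentation and changelog text say "when connecting to MAS", so either narrow that wording or confirm that no request to MAS still goes through the other client. None of the hunks in this commit touches a test; a small test asserting that the configured value reaches the `HttpClient` constructor would guard against the option being silently dropped later.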

@@ -36,6 +36,7 @@ from ._base import Config, ConfigError, RootConfig
class MasConfigModel(ParseModel):
enabled: StrictBool = False
endpoint: AnyHttpUrl = AnyHttpUrl("http://localhost:8080")
force_http2: StrictBool = False
secret: StrictStr | None = Field(default=None)
# We set `strict=False` to allow `str` instances.
secret_path: FilePath | None = Field(default=None, strict=False)
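Review bot: `force_http2: StrictBool = False` is accepted next to any `endpoint: AnyHttpUrl`, including an `https://` one, although the option is documented as HTTP/2 over plaintext (H2C). Either validate the combination at parse time (`ConfigError` is already imported in this module) or document what the flag means when the endpoint uses TLS, so the setting cannot be misread. A short comment above the field, like the one on `secret_path`, would also help.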
@@ -82,6 +83,7 @@ class MasConfig(Config):
self.enabled = parsed.enabled
self.endpoint = parsed.endpoint
self.force_http2 = parsed.force_http2
self._secret = parsed.secret
self._secret_path = parsed.secret_path