From edf5ce277adda9e0028decd0b9e131cd686b18d6 Mon Sep 17 00:00:00 2001
From: Quentin Gliech
Date: Wed, 18 Mar 2026 19:47:17 +0100
Subject: [PATCH] Allow using HTTP/2 over plaintext when introspecting tokens with MAS (#19586)

---
 changelog.d/19586.feature | 1 +
 docs/usage/configuration/config_documentation.md | 2 ++
 schema/synapse-config.schema.yaml | 7 +++++++
 synapse/api/auth/mas.py | 1 +
 synapse/config/mas.py | 2 ++
 5 files changed, 13 insertions(+)
 create mode 100644 changelog.d/19586.feature

diff --git a/changelog.d/19586.feature b/changelog.d/19586.feature
new file mode 100644
index 0000000000..a10bd2d2ef
--- /dev/null
+++ b/changelog.d/19586.feature
@@ -0,0 +1 @@
+Introduce a [configuration option](https://element-hq.github.io/synapse/latest/usage/configuration/config_documentation.html#matrix_authentication_service) to allow using HTTP/2 over plaintext when Synapse connects to Matrix Authentication Service.
diff --git a/docs/usage/configuration/config_documentation.md b/docs/usage/configuration/config_documentation.md
index 1335def585..48f33d5427 100644
--- a/docs/usage/configuration/config_documentation.md
+++ b/docs/usage/configuration/config_documentation.md
@@ -653,6 +653,8 @@ This setting has the following sub-options:
 * `endpoint` (string): The URL where Synapse can reach MAS. This *must* have the `discovery` and `oauth` resources mounted. Defaults to `"http://localhost:8080"`.
+* `force_http2` (boolean): Force HTTP/2 over plaintext (H2C) when connecting to MAS. MAS supports this natively, but a reverse proxy between Synapse and MAS may not. Defaults to `false`.
+
 * `secret` (string|null): A shared secret that will be used to authenticate requests from and to MAS.
 * `secret_path` (string|null): Alternative to `secret`, reading the shared secret from a file. The file should be a plain text file, containing only the secret. Synapse reads the secret from the given file once at startup.
diff --git a/schema/synapse-config.schema.yaml b/schema/synapse-config.schema.yaml
index dbf7d7acb7..aaa306cee0 100644
--- a/schema/synapse-config.schema.yaml
+++ b/schema/synapse-config.schema.yaml
@@ -677,6 +677,13 @@ properties:
 and `oauth` resources mounted.
 default: http://localhost:8080
+ force_http2:
+ type: boolean
+ description: >-
+ Force HTTP/2 over plaintext (H2C) when connecting to MAS. MAS supports
+ this natively, but a reverse proxy between Synapse and MAS may not.
+ default: false
+
 secret:
 type: ["string", "null"]
 description: >-
diff --git a/synapse/api/auth/mas.py b/synapse/api/auth/mas.py
index 79c15a5329..95c6d62a9d 100644
--- a/synapse/api/auth/mas.py
+++ b/synapse/api/auth/mas.py
@@ -111,6 +111,7 @@ class MasDelegatedAuth(BaseAuth):
 self._rust_http_client = HttpClient(
 reactor=hs.get_reactor(),
 user_agent=self._http_client.user_agent.decode("utf8"),
+ http2_only=self._config.force_http2,
 )
 self._server_metadata = RetryOnExceptionCachedCall[ServerMetadata](
 self._load_metadata
diff --git a/synapse/config/mas.py b/synapse/config/mas.py
index 104ba17ab7..6973e9ae58 100644
--- a/synapse/config/mas.py
+++ b/synapse/config/mas.py
@@ -36,6 +36,7 @@ from ._base import Config, ConfigError, RootConfig
 class MasConfigModel(ParseModel):
 enabled: StrictBool = False
 endpoint: AnyHttpUrl = AnyHttpUrl("http://localhost:8080")
+ force_http2: StrictBool = False
 secret: StrictStr | None = Field(default=None)
 # We set `strict=False` to allow `str` instances.
 secret_path: FilePath | None = Field(default=None, strict=False)
@@ -82,6 +83,7 @@ class MasConfig(Config):
 self.enabled = parsed.enabled
 self.endpoint = parsed.endpoint
+ self.force_http2 = parsed.force_http2
 self._secret = parsed.secret
 self._secret_path = parsed.secret_path
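Review bot: The added `http2_only=self._config.force_http2` keyword, going by its name, selects prior-knowledge HTTP/2 with no HTTP/1.1 fallback, so an intermediary that only speaks HTTP/1.1 turns every token introspection into a failed request rather than a degraded one, and the line deserves a comment saying so, e.g. `# H2C prior knowledge: no HTTP/1.1 fallback, so a proxy that only speaks HTTP/1.1 breaks all token introspection.` Nothing visible checks the scheme of `endpoint`: the option is documented as plaintext H2C, so that comment (or a startup warning) should also state what happens when `force_http2` is combined with an `https://` endpoint, which presumably depends on how the Rust `HttpClient` implements `http2_only`. H2C carries the shared MAS secret in cleartext exactly as the default `http://` endpoint already does, so the option does not relax the existing requirement that the Synapse-to-MAS link be a trusted network; a one-line reminder of that next to the flag would help operators. The `__init__` this hunk edits starts and ends outside the hunk.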
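Review bot: `force_http2: StrictBool = False` is accepted with no relation to `endpoint`, although the option is described as forcing HTTP/2 over plaintext, so `force_http2: true` together with an `https://` endpoint is silently accepted with unspecified meaning. If `ParseModel` is a pydantic model, a model-level validator on `MasConfigModel` could reject or at least warn on that combination, e.g. `if self.force_http2 and self.endpoint.scheme != "http": raise ValueError("force_http2 only applies to plaintext http:// endpoints")`, or the field description should say explicitly whether the flag is ignored or still applied over TLS, whichever the Rust client actually does. A short field comment such as `# Prior-knowledge H2C; no HTTP/1.1 fallback once set.` would also keep the model self-describing, since the other fields here carry no explanation of their failure modes. `MasConfigModel` continues past the hunk.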