script for sync users between keycloak group and Synapse DB (#1) (#1)

Andrbur · web-flow · commit 2229d1d11274 · 2026-04-07T12:12:18.000+03:00
* script for sync users between keycloak group and Synapse DB (#1) * added github action for build and bush image (#2) * script for sync users between keycloak group and Synapse DB * added github action for build and bush image
diff --git a/.github/workflows/build-docker-image.yml b/.github/workflows/build-docker-image.yml
@@ -0,0 +1,45 @@
+name: Docker Image
+
+on:
+  push:
+    tags:
+      - '*'
+
+jobs:
+  docker:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v3
+
+      - name: Generate Docker Metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ghcr.io/${{ github.repository }}
+          tags: |
+            type=ref,event=tag
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+          flavor: latest=true
+
+      - name: Setup Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and Push Docker Image
+        uses: docker/build-push-action@v3
+        env:
+          DOCKER_BUILDKIT: 1
+        with:
+          context: .
+          file: Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,14 @@
+FROM ghcr.io/element-hq/matrix-authentication-service:1.10.0 AS mas-cli
+
+FROM debian:bookworm-slim
+
+RUN apt update && \
+    apt install curl jq -y
+
+WORKDIR /opt/sync
+
+COPY --chmod=755 keycloak_matrix_sync.sh .
+#COPY keycloak_matrix_sync.conf .
+#COPY mas-config.yaml .
+
+COPY --from=mas-cli /usr/local/bin/mas-cli /usr/local/bin/mas-cli
diff --git a/README.md b/README.md
@@ -1 +1,92 @@
-# matrix-keycloak-sync
+# matrix-keycloak-sync
+ 
+A script that synchronizes users from a Keycloak group with user accounts in a Matrix chat (Synapse).
+ 
+---
+ 
+## Overview
+ 
+The script fetches the list of users from a specific Keycloak group and compares them against the user state (enabled/disabled) in the Matrix/Synapse database. User activation and deactivation in Matrix is controlled by Keycloak group membership.
+
+---
+ 
+## User Sync Logic
+ 
+| User in Keycloak group | User in Synapse DB | Action |
+|---|---|---|
+| ✅ Yes | ✅ Yes (active) | No action needed |
+| ✅ Yes | ✅ Yes (disabled) | **Activate** via `mas-cli` |
+| ✅ Yes | ❌ No | **Skip** — will be created on first login |
+| ❌ No | ✅ Yes (active) | **Disable** via `mas-cli` |
+| ❌ No | ✅ Yes (disabled) | No action needed |
+ 
+> **Note:** If a user is present in the Keycloak group but does not yet exist in the Synapse database, they are skipped during this sync run. The user account will be automatically created in Synapse upon their first login via Keycloak SSO.
+
+---
+ 
+## Components
+ 
+### Keycloak
+- Source of truth for user access.
+- Users added to a designated group are considered **active** in Matrix.
+- Users removed from the group will be **disabled** in Matrix on the next sync run.
+ 
+### Synapse API
+- Used **read-only** to fetch the current list of users and their `deactivated` status.
+- Requires an admin token (see [Authentication](#authentication) below).
+ 
+### mas-cli (Matrix Authentication Service CLI)
+- Used to **activate and deactivate** users.
+- Requires a `mas-cli.yaml` config file.
+- Communicates **directly with the database** — bypasses Synapse API for write operations.
+ 
+> **Why mas-cli instead of Synapse API for writes?**  
+> Disabling a user directly in the Synapse database (without going through MAS) is insufficient — MAS will still allow the user to log in even if the `is_disabled = true` flag is set in the Synapse DB. All deactivation must go through `mas-cli` to be effective.
+ 
+---
+ 
+## Authentication
+ 
+### Synapse Admin Token
+ 
+Generate an admin-scoped token via `mas-cli`. It is recommended to create a **dedicated non-admin Matrix user** for management purposes and grant it admin privileges via token only:
+ 
+```bash
+mas-cli manage issue-compatibility-token \
+  --yes-i-want-to-grant-synapse-admin-privileges \
+  <your_matrix_username_for_managing_users>
+```
+ 
+---
+ 
+## Configuration
+ 
+### `mas-cli.yaml`
+ 
+Required for `mas-cli` to connect to the database. Example path: `/etc/mas-cli/mas-cli.yaml`.
+ 
+### Environment variables / config for the script
+ 
+| Variable | Description |
+|---|---|
+| `KC_URL` | Base URL of the Keycloak instance |
+| `KC_REALM` | Keycloak realm name |
+| `KC_GROUP_NAME` | Name or ID of the group to sync |
+| `KC_CLIENT_ID` | Client ID |
+| `KC_ADMIN_USER` | User in keycloak in master realm (with restriction permission in specific realm for getting user list)|
+| `KC_ADMIN_PASS` | User pass in keycloak in master realm |
+| `MATRIX_URL` | Base URL of the Synapse homeserver |
+| `MATRIX_ADMIN_TOKEN` | Admin token for Synapse API |
+| `MATRIX_SERVER_NAME` | Matrix server name |
+ 
+---
+ 
+## Alternative: MAS Admin API
+ 
+It is also possible to manage users via the [MAS Admin API](https://matrix-org.github.io/matrix-authentication-service/topics/admin-api.html#enabling-the-api) instead of `mas-cli`. However, this approach has additional overhead:
+ 
+- The API must be explicitly enabled in MAS configuration.
+- A separate API token must be generated (not the one generated via the MAS CLI).
+- The API endpoint is **exposed publicly by default** and requires additional hardening.
+ 
+For these reasons, using `mas-cli` directly is the recommended approach for this script.
diff --git a/keycloak_matrix_sync.conf b/keycloak_matrix_sync.conf
@@ -0,0 +1,15 @@
+#Examples of environments vars
+
+KC_URL="https://keycloak.domain.com"
+KC_REALM="<KeyCloak_Realm_name>"                  
+KC_CLIENT_ID="admin-cli"                                # Default client in master realm for connect ot KK via kk_user
+KC_ADMIN_USER="matrix-groups-viewer"                    # Created user in master realm
+KC_ADMIN_PASS="<KeyCloak user pass>"
+KC_GROUP_NAME="matrix-users"                            # Keycloak group from which users will be synchronized with the chat
+
+MATRIX_URL="https://matrix.domain.com"                  # URL Matrix homeserver
+MATRIX_ADMIN_TOKEN="<Matrix_generated_token_via_mas>"   # Access token Matrix-
+MATRIX_SERVER_NAME="matrix.domain.com"                  # Matrix server name
+
+#In script hardcoded as false
+#DRY_RUN=true
diff --git a/keycloak_matrix_sync.sh b/keycloak_matrix_sync.sh
diff --git a/mas-config.yaml b/mas-config.yaml
