From defd7c3bf75bd4dc0c5aaf8e9d27b7ea826e950e Mon Sep 17 00:00:00 2001 From: Ben Banfield-Zanin Date: Tue, 5 May 2026 11:12:38 +0100 Subject: [PATCH 1/4] Highlight that some endpoints are only available in experimental MAS config mode --- changelog.d/19752.doc | 1 + docs/workers.md | 4 ++++ 2 files changed, 5 insertions(+) create mode 100644 changelog.d/19752.doc diff --git a/changelog.d/19752.doc b/changelog.d/19752.doc new file mode 100644 index 00000000000..d4457ffc88b --- /dev/null +++ b/changelog.d/19752.doc @@ -0,0 +1 @@ +Improve documentation around endpoints that can be enabled with MSC3861. diff --git a/docs/workers.md b/docs/workers.md index 8d3aad19c66..e51ea7b2f68 100644 --- a/docs/workers.md +++ b/docs/workers.md @@ -345,6 +345,10 @@ set to `true`), the following endpoints can be handled by the worker: ^/_synapse/admin/v1/users/[^/]+/_allow_cross_signing_replacement_without_uia$ ^/_synapse/admin/v1/users/[^/]+/devices$ +Do note that these endpoints can't be handled by workers if the stabilised delegated +authentication support is enabled (`matrix_authentication_service.enabled` set to +`true`). + Note that a [HTTP listener](usage/configuration/config_documentation.md#listeners) with `client` and `federation` `resources` must be configured in the [`worker_listeners`](usage/configuration/config_documentation.md#worker_listeners) From 06f007c3c878f33a41cd1d3f5693dd5a2fc5535b Mon Sep 17 00:00:00 2001 From: Ben Banfield-Zanin Date: Tue, 5 May 2026 11:14:20 +0100 Subject: [PATCH 2/4] Fix endpoints handled by DeviceRestServlet and DevicesRestServlet --- docs/workers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/workers.md b/docs/workers.md index e51ea7b2f68..3e4e23e5003 100644 --- a/docs/workers.md +++ b/docs/workers.md @@ -343,7 +343,7 @@ set to `true`), the following endpoints can be handled by the worker: ^/_synapse/admin/v2/users/[^/]+$ ^/_synapse/admin/v1/username_available$ ^/_synapse/admin/v1/users/[^/]+/_allow_cross_signing_replacement_without_uia$ - ^/_synapse/admin/v1/users/[^/]+/devices$ + ^/_synapse/admin/v2/users/[^/]+/devices(/|$) Do note that these endpoints can't be handled by workers if the stabilised delegated authentication support is enabled (`matrix_authentication_service.enabled` set to From f0d7eb8a567dcb142400bb5d565db01ccbfb2528 Mon Sep 17 00:00:00 2001 From: Ben Banfield-Zanin Date: Tue, 5 May 2026 11:28:02 +0100 Subject: [PATCH 3/4] Document stabilised delegated authentication workers --- changelog.d/19752.1.doc | 1 + docs/workers.md | 3 +++ 2 files changed, 4 insertions(+) create mode 100644 changelog.d/19752.1.doc diff --git a/changelog.d/19752.1.doc b/changelog.d/19752.1.doc new file mode 100644 index 00000000000..cfee70c67cf --- /dev/null +++ b/changelog.d/19752.1.doc @@ -0,0 +1 @@ +Document the paths that can be handled on workers with stabilised delegated authentication. diff --git a/docs/workers.md b/docs/workers.md index 3e4e23e5003..91e3169a366 100644 --- a/docs/workers.md +++ b/docs/workers.md @@ -290,6 +290,9 @@ information. # Unstable MSC4140 support ^/_matrix/client/unstable/org.matrix.msc4140/delayed_events(/.*/restart)?$ + # Stabilised Delegated Authentication support (`matrix_authentication_service.enabled: true`) + ^/_synapse/mas/ + Additionally, the following REST endpoints can be handled for GET requests: # Push rules requests From f6b33b60890f8273599299791a8eb4e8e0236b2f Mon Sep 17 00:00:00 2001 From: Ben Banfield-Zanin Date: Tue, 5 May 2026 11:28:47 +0100 Subject: [PATCH 4/4] Highlight that the SSO paths aren't need if either form of delegated authentication is enabled --- docs/workers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/workers.md b/docs/workers.md index 91e3169a366..a39454c5fea 100644 --- a/docs/workers.md +++ b/docs/workers.md @@ -317,7 +317,7 @@ for the room are in flight: Additionally, the following endpoints should be included if Synapse is configured to use SSO (you only need to include the ones for whichever SSO provider you're -using): +using) and delegated authentication isn't enabled: # for all SSO providers ^/_matrix/client/(api/v1|r0|v3|unstable)/login/sso/redirect