Hello,

Description

It seems there is a problem with how CAS validation is handled in login.py#L420.

Steps to reproduce

• Install and configure CAS 5.1.x (I didn't try with earlier ones)
• Install matrix-synapse
• Configure matrix-synapse to use CAS to connect with service_url: https://matrix.domain
• Try to login!

You'll see it doesn't work and if I'm not mistaken it is because in login.py#L397 we ask for a ticket with a service in the form of https://matrix.domain/_matrix/client/api/v1/login/cas/ticket?redirectUrl=***.
But when we validate the ticket, we only send cas_service_url which lacks the /_matrix/client/api/v1/login/cas/ticket?redirectUrl=*** part so CAS fails the validation saying the ticket was used for another service than the one it was created for.

I don't know if earlier versions were more lenient on validation, but I got it to work by replacing line 420 by this line:

"service": self.cas_service_url + request.uri[:request.uri.find("&ticket")]

But I'm sure there's a better way to do it...

I believe #2404 may be related to this problem.

Version information

• Homeserver: local homeserver

If not matrix.org:

• Version: matrix-synapse 0.24.1-1
• Install method: Debian repository
• Platform: VM on Debian9