Adding Matrix Authentication Service (MAS) was one of those changes that looked conceptually clean and then immediately forced me to separate several different problems.

At a high level, the delegated-auth model made sense:

  • the homeserver no longer owns the whole login flow,
  • the auth service becomes the Matrix-facing auth layer,
  • and an upstream identity provider can sit behind that.

The problem was that "auth is running" and "every auth-related user flow works" are very different claims.

What Was Actually Fine

The important server-side pieces were mostly fine fairly early on:

  • the auth service was reachable,
  • discovery data was reachable,
  • and the homeserver could expose the metadata needed for delegated auth.

That was useful because it stopped me from debugging the wrong layer forever.

What Failed Instead

The more interesting failures were around the web-facing part of the auth flow:

  • asset delivery for the auth frontend,
  • browser-facing redirects,
  • and client expectations around specific login or linking flows.

That pushed the debugging away from "is the auth service up?" toward:

  • "is the frontend really being served correctly?"
  • "is the proxy chain preserving the right behavior?"
  • and "does the client expect a capability the stack is not actually advertising?"

The Most Useful Distinction

One thing this work made much clearer for me was the difference between three flows:

  • normal login,
  • post-login device verification,
  • and QR-based new-device login.

Those are related, but they are not interchangeable.

If one of them fails, that does not automatically mean the whole auth stack is broken.

Why This Matters

This was a good reminder that modern auth setups are really a combination of:

  • backend capability,
  • frontend asset delivery,
  • reverse proxy correctness,
  • and client-side feature expectations.

It is very easy to collapse all of that into one vague statement like "SSO is broken."

That statement is usually too coarse to be useful.
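One way to make that classification concrete, as an added example that is not part of the original post: a small Python probe that checks the backend, the frontend, the proxy chain and the advertised client features separately, so the output names a layer instead of "SSO is broken". It assumes hypothetical hostnames, that the MAS account UI is served under /account/, the Matrix 1.15 auth_metadata endpoint (MSC2965), and that QR new-device login is advertised as the org.matrix.msc4108 unstable feature.

```python
import json
import urllib.request
from urllib.error import HTTPError, URLError

# Hypothetical hosts for illustration; substitute your own deployment.
HOMESERVER, AUTH = "https://matrix.example.org", "https://auth.example.org"
REDIRECTS = (301, 302, 303, 307, 308)

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *a, **k):  # surface 3xx instead of following it
        return None

def fetch(url):
    """GET without following redirects; returns (status, headers, body)."""
    try:
        with urllib.request.build_opener(_NoRedirect).open(url, timeout=10) as r:
            return r.status, dict(r.headers), r.read()
    except HTTPError as e:  # includes the 3xx we refused to follow
        return e.code, dict(e.headers), e.read()
    except URLError as e:
        return None, {}, str(e.reason).encode()

def probe_stack(homeserver=HOMESERVER, auth=AUTH):
    """One probe per layer; MAS account UI assumed to live under /account/."""
    return {"metadata": fetch(f"{homeserver}/_matrix/client/v1/auth_metadata"),
            "frontend": fetch(f"{auth}/account/"),
            "versions": fetch(f"{homeserver}/_matrix/client/versions")}

def _json(status, body):
    try:
        return json.loads(body) if status == 200 else {}
    except ValueError:  # error pages are rarely JSON
        return {}

def classify(probes, auth=AUTH):
    """Turn raw probes into per-layer findings instead of 'SSO is broken'."""
    problems = []
    st, _, body = probes["metadata"]
    if "issuer" not in _json(st, body):
        problems.append("backend: homeserver does not advertise delegated-auth metadata")
    st, hdrs, _ = probes["frontend"]
    hdrs = {k.lower(): v for k, v in hdrs.items()}
    if st in REDIRECTS:  # a Location outside the auth origin points at the proxy chain
        if not hdrs.get("location", "").startswith(auth):
            problems.append(f"proxy: redirect leaves the auth origin: {hdrs.get('location')}")
    elif st != 200 or "text/html" not in hdrs.get("content-type", ""):
        problems.append("frontend: MAS account UI not served as an HTML page")
    st, _, body = probes["versions"]
    if not _json(st, body).get("unstable_features", {}).get("org.matrix.msc4108"):
        problems.append("client expectation: QR new-device login (MSC4108) not advertised")
    return problems
```

Running `classify(probe_stack())` against a live deployment yields one line per failing layer; a redirect whose Location drops to http:// is the classic sign of a proxy that does not forward the original scheme.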

What I Kept From This Phase

The main value of the MAS work was not that every single UX path worked immediately.

It was that the boundaries became clearer:

  • delegated auth was wired in,
  • the homeserver role was cleaner,
  • and the remaining failures could be classified instead of guessed at.

That is real progress, even when a feature matrix still has gaps.