
Existing users can't login via OAuth/Keycloak #34184

Open
highpingblorg opened this issue Dec 16, 2024 · 7 comments
Labels
Tasked Added to the internal issue tracking

Comments

@highpingblorg

Description:

To initially access Rocketchat, users must log in through Keycloak, which is how accounts are provisioned. This functionality generally works without issue.

However, the problem arises seemingly at random. Users with existing Keycloak-created accounts are sometimes unable to successfully log in to Rocketchat. There are no error messages, password update prompts, or other indications of the issue. When the user attempts to log in through Keycloak, they are simply redirected back to the login page without gaining access.

According to Keycloak, these users have an active session for Rocketchat, but no corresponding cookies or tokens are set in the browser. As a result, the users cannot log in.

This issue forces the administrator to manually provision local Rocketchat accounts for affected users by resetting their passwords through the UI, which is an undesirable workaround.


I've tried reproducing this bug but I can't seem to find the exact cause.

Steps to reproduce:

  1. Have a Rocketchat instance with Keycloak as the OAuth provider
  2. Create an account via OAuth
  3. Log in again and get denied access -> no idea what the cause of this is

Expected behavior:

The expected behavior is that the user is logged in successfully.

Actual behavior:

Unsuccessful login to Rocketchat

Server Setup Information:

  • Version of Rocket.Chat Server: 7.0.0
  • Number of Users: 300+
  • NodeJS Version: v20.18.1
  • MongoDB Version: 7.0.15 / wiredTiger (oplog Enabled)

Client Setup Information

Happens in different browsers, on different versions and different operating systems.

Additional context

This issue has been around for at least 1.5-2 years. The affected user was able to log in fine via Keycloak until the bug occurred, and no configuration settings were modified in either Rocketchat or Keycloak for affected users.

@Priyanshuthapliyal2005

Priyanshuthapliyal2005 commented Dec 16, 2024

Yeah, I faced the same issue today. One time it did not log in and kept reconnecting again and again,
but after 15-20 minutes I was able to log in.

@reetp

reetp commented Dec 17, 2024

Please check with 7.0.1

@reetp

reetp commented Dec 17, 2024

Please check with 7.0.1

Even better you should test with 7.1.0 - as per the bug guidelines "always test on the latest release"

@phagemann

phagemann commented Jan 9, 2025

Same behavior as @highpingblorg described.
Every time a login does not complete, RocketChat log states as follows:

{
"level":50,
"time":"2025-01-09T07:20:11.715Z",
"pid":9,
"hostname":"<DOMAIN>",
"name":"System",
"msg":"Exception while invoking method login",
"err":
  {
    "type":"Error",
    "message":"remove +  is not available on the server. Please use removeAsync() instead.",
    "stack":"Error: remove +  is not available on the server. Please use removeAsync() instead.
            at Object.ret.<computed> [as remove] (packages/mongo/remote_collection_driver.js:53:15)
            at Collection.remove (packages/mongo/collection.js:1016:29)
            at Collection.Mongo.Collection.<computed> [as remove] (packages/dispatch_run-as-user.js:346:17)
            at Object.OAuth._retrievePendingCredential (app/2fa/server/loginHandler.ts:88:29)
            at processTicksAndRejections (node:internal/process/task_queues:95:5)
            at MethodInvocation.<anonymous> (packages/accounts-oauth/oauth_server.js:18:18)
            at packages/accounts-base/accounts_server.js:593:9
            at tryLoginMethod (packages/accounts-base/accounts_server.js:1560:14)
            at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:592:22)
            at AccountsServer.Accounts._runLoginHandlers (app/lib/server/lib/loginErrorMessageOverride.ts:9:17)
            at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:654:22)"
  }
}

Tested against 7.2
Running MongoDB 6
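
The stack trace in the comment above points at a synchronous `remove()` call in the OAuth pending-credential step of the login method. The constructed JavaScript model below is an added example, not Rocket.Chat's or Meteor's code: it shows why that call fails on a Meteor 3 server (where only `removeAsync()` exists) and how the same step behaves once it uses the async API. The collection class, the credential document and the function names are illustrative assumptions.

```javascript
// Constructed model of the failure in the log above; not Rocket.Chat or Meteor code.
// On a Meteor 3 server the synchronous collection methods are gone: remove() throws
// the message seen in the log, and only removeAsync() works. A login handler that still
// calls remove() throws inside the OAuth flow, so no session token is ever issued.
const SYNC_REMOVED_MSG = 'remove +  is not available on the server. Please use removeAsync() instead.';

// Hypothetical stand-in for a server-side Meteor collection.
class ServerCollection {
  constructor(docs) { this.docs = new Map(docs.map((d) => [d._id, d])); }
  async findOneAsync(selector) {
    for (const d of this.docs.values()) if (d.key === selector.key) return d;
    return undefined;
  }
  remove(_selector) { throw new Error(SYNC_REMOVED_MSG); } // Meteor 3 server behaviour
  async removeAsync(selector) { return this.docs.delete(selector._id) ? 1 : 0; }
}

// Constructed sample: one pending OAuth credential waiting to be consumed by the login method.
function samplePending() {
  return new ServerCollection([{ _id: 'p1', key: 'state-abc', credential: { serviceName: 'keycloak' } }]);
}

// "Before": consumes the pending credential with the synchronous API (what the stack trace points at).
async function retrievePendingCredentialSync(pending, key) {
  const doc = await pending.findOneAsync({ key });
  if (!doc) return null;
  pending.remove({ _id: doc._id }); // throws on a Meteor 3 server
  return doc.credential;
}

// "After": the same step using the async API; the credential is consumed exactly once.
async function retrievePendingCredentialAsync(pending, key) {
  const doc = await pending.findOneAsync({ key });
  if (!doc) return null;
  await pending.removeAsync({ _id: doc._id });
  return doc.credential;
}

// Mirrors the user-visible outcome: an exception in the login method means no token or
// cookie is set, which the reporter observed as a silent redirect back to the login page.
async function attemptLogin(retrieve, pending, key) {
  try {
    const credential = await retrieve(pending, key);
    if (!credential) return { loggedIn: false, reason: 'no-pending-credential' };
    return { loggedIn: true, service: credential.serviceName };
  } catch (err) {
    return { loggedIn: false, reason: err.message }; // only the server log shows this
  }
}
```

Because the browser sees nothing but a redirect, the server log line `Exception while invoking method login` is the first place to look when a Keycloak login bounces like this.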

@reetp

reetp commented Jan 9, 2025

Thanks for testing.

I'll refer to the team.

@reetp reetp added Tasked Added to the internal issue tracking and removed stat: need more info labels Jan 9, 2025
@SDAdham

SDAdham commented Jan 24, 2025

Hello team, I am also affected by this. Are there any new updates?

@svenseeberg

svenseeberg commented Jan 25, 2025

I can confirm the issue on a fresh install with both current Keycloak + RC 7.2.1. I copied the configuration from existing servers. So I'm relatively confident that the OAuth configuration is correct. The MongoDB version is 7.
