Post iframe auth leaves "X SSO" frame on mobile app #2758

Closed
mddvul22 opened this issue Jan 4, 2021 · 8 comments

Comments

@mddvul22 commented Jan 4, 2021:

Description:

We have a RC server that is configured to make use of Rocket Chat's iframe authentication. Everything is working when we use the browser. But in the mobile app, we have a frame at the top that reads "X SSO", that never goes away.

Environment Information:

  • Rocket.Chat Server Version: 3.8.4
  • Rocket.Chat App Version: 4.13.0
  • Device Name: One Plus 6T
  • OS Version: Android

Steps to reproduce:

  1. We open the app, the user specifies the workspace, and we redirect our users to the website that performs the actual authentication. As soon as that happens, the "X SSO" frame appears at the top.
  2. User authenticates and is logged back into Rocket Chat workspace. The "X SSO" frame at the top never goes away.
  3. Tapping on the "X" appears to take the user back to the login screen of the RC app, even though they were successfully logged in.

Expected behavior:

The "X SSO" frame should go away.

Actual behavior:

(screenshot attached)

Thanks!

@diegolmello (Member) commented:

Can you check the docs? https://docs.rocket.chat/guides/developer/iframe-integration/authentication#iframe-url
We had a couple of similar issues in the past (if you search for "iframe") and all of them were configuration mistakes (even if other clients were working).
#2342 (comment)

Thanks!

@mddvul22 (Author) commented:

Thanks @diegolmello. We have now looked over the docs multiple times. Here is what we are observing: on the mobile app, a logged-in user sees the mobile browser version inside of an "SSO frame", as in the above screenshot. If the user selects "Logout", it immediately calls the URL set in Accounts > IFrame > API URL, correctly receives a login token, and re-displays the browser homepage, in mobile mode, still within the SSO frame. The URL set in "iframe URL" does not appear to be called using this path.

@barrydegraaff commented:

@diegolmello I can confirm this issue.

In my scenario I have the SSO banner stay in the APP as well.

iframe url:
https://zm-zimbra9.barrydegraaff.tk/service/extension/rocket?action=redirect
this will always return HTML with a link for the user to go to the login page of my application.

api url:
https://zm-zimbra9.barrydegraaff.tk/service/extension/rocket?action=signOn
if called when logged in, it will return a json like so:
{"loginToken":"pJ_uDDnNF5-kKUSw45FXtkGD5CYf4yY8-xt2hCNBYb7"}

if not logged in there is a link the user clicks to go to the login page of my application.

After login, the user needs to click the X on the left top of the Rocket App and click login again in the Rocket App, after which the user is logged into the app. But the SSO banner stays on the top.

So we are missing a step here, or not understanding a part of the documentation.

I also had the issue #2342 before, but that went away magically, without me changing anything.

@barrydegraaff commented:

@diegolmello I can send you a test account if you wish!

@barrydegraaff commented:

I have figured out why the SSO banner stays in the screen, what happens is that my application does log in rocket chat, so you can see the UI. But that is just the mobile version of Rocket Chat and not what the Rocket Chat app does/shows.

In the end firing window.parent.postMessage from a complex web application is difficult, so I ended up implementing a separate login page, just for mobile devices and electron apps that leads to a very simple page that fires window.parent.postMessage. And then it all works.
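
A minimal version of the separate login page described in the comment above, added here as an example; it is not code from this thread, from barrydegraaff's application, or from Rocket.Chat itself. The message shape { event: 'login-with-token', loginToken } is the one documented in the Rocket.Chat iframe-integration guide linked earlier in the thread; the workspace origin, the API URL and the login URL below are placeholder assumptions, and the token used in testing is constructed. The part a practitioner should not skip is the targetOrigin argument: pass the real workspace origin to postMessage rather than '*', so the login token is never handed to a page that embedded the SSO page from somewhere else.

```javascript
// Added example of a "mobile/desktop-only" SSO page for Rocket.Chat's iframe
// authentication. Not Rocket.Chat's code and not the thread author's code.
// The { event: 'login-with-token', loginToken } message is the documented
// iframe-integration event; the three URLs below are assumptions for this example.

// Only ever deliver the token to this origin (assumed workspace URL).
const ROCKET_CHAT_ORIGIN = 'https://chat.example.com';
// "API URL" that answers {"loginToken": "..."} while the IdP session is valid (assumed).
const API_URL = 'https://sso.example.com/rocket?action=signOn';
// Real login page of the identity provider (assumed).
const LOGIN_URL = 'https://sso.example.com/login';

// Build exactly the message Rocket.Chat's iframe listener expects.
function buildLoginMessage(loginToken) {
  if (typeof loginToken !== 'string' || loginToken.length === 0) {
    throw new Error('loginToken must be a non-empty string');
  }
  return { event: 'login-with-token', loginToken };
}

// Pull the token out of the API URL's JSON body; null when the body is not
// JSON (e.g. the HTML "please log in" page) or carries no usable token.
function parseLoginToken(jsonText) {
  let body;
  try {
    body = JSON.parse(jsonText);
  } catch (e) {
    return null;
  }
  if (body && typeof body.loginToken === 'string' && body.loginToken.length > 0) {
    return body.loginToken;
  }
  return null;
}

// Hand the token to the embedding Rocket.Chat window. `targetWindow` is
// window.parent in a real page and is injected here so the function can be
// exercised outside a browser. A concrete targetOrigin is used instead of '*'
// so a third-party page that framed us cannot receive the token.
function postLoginToken(targetWindow, loginToken, targetOrigin = ROCKET_CHAT_ORIGIN) {
  const msg = buildLoginMessage(loginToken);
  targetWindow.postMessage(msg, targetOrigin);
  return msg;
}

// Browser entry point: fetch the token with the IdP's own cookies, then post it up.
async function runInBrowser() {
  const resp = await fetch(API_URL, { credentials: 'include' });
  const token = parseLoginToken(await resp.text());
  if (token === null) {
    // No IdP session yet: go to the real login page and come back here afterwards.
    window.location.href = LOGIN_URL + '?next=' + encodeURIComponent(window.location.href);
    return;
  }
  if (window.parent === window) {
    return; // not embedded, nothing to post to
  }
  postLoginToken(window.parent, token);
}

if (typeof window !== 'undefined' && typeof window.parent !== 'undefined') {
  runInBrowser();
}
```

Serve a page that loads this script as the target of the "iframe URL" setting for the mobile and desktop clients; the "API URL" endpoint keeps returning the JSON token for the web client as before. If the page is opened by something other than the workspace, the browser drops the message because the origin does not match, which is the failure mode you want.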

@gilesdring commented:

I can confirm I can also see this, using a Keycloak identity provider registered as a custom Oauth provider. I also use iFrame integration to embed this site in an app, but also need to provide native mobile access. I can share settings here, if you need to see anything.

@gilesdring commented:

@barrydegraaff Do you have examples of the code that you used to implement the login page? I'd be happy to write up any solutions, given it seems to be a common issue. As far as I can see the iframe settings and oauth are OK. It just doesn't seem to recognise that the login is coming from a mobile app and redirect back to that context properly - as you say, I see the logged in mobile view inside the login redirect.

@barrydegraaff commented May 8, 2021 via email

4 participants