User authenticated using OAuth not added to default rooms due to default avatar issue #25406

Open
amottier opened this issue May 5, 2022 · 4 comments

amottier commented May 5, 2022

Description:

A new user that performs authentication using OAuth (GitHub, Google, etc.) is not added to rooms configured as "default". A user that registers with username and password is added, as expected, to the "default" rooms.

Steps to reproduce:

  1. Configure at least one OAuth provider (e.g. GitHub)
  2. Create several rooms
  3. Add the "default" setting to more than one room
  4. Register and log in using OAuth → user is not added to any room but can join them manually
  5. Register with email and password → user is added to all default rooms

Expected behavior:

A new user should be added to all default rooms no matter the authentication mechanism used.

Actual behavior:

User not added to default room when using OAuth.

Server Setup Information:

  • Version of Rocket.Chat Server: 4.6.3 and also reproduce on 4.7.0
  • Operating System: Debian GNU/Linux 10 (buster) on the server
  • Deployment Method: Docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: enabled
  • NodeJS Version: v14.18.3
  • MongoDB Version: 4.4.13 / wiredTiger (oplog Enabled)

Client Setup Information

  • Desktop App or Browser Version: Firefox 91.8.0esr (64 bits)
  • Operating System: Debian GNU/Linux 11 (bullseye)

Relevant logs:

{"level":50,"time":"2022-05-09T12:49:50.313Z","pid":37,"hostname":"01a08d797a59","name":"System","msg":"Exception while invoking method setUsername 'Cannot read property 'blob' of undefined'"}

This log is due to code call but I don't know the exact root cause.

Gummikavalier commented May 5, 2022

I could not reproduce on our RC 4.6.3 instance that uses Oauth.

My previous experience on the matter:
Something that may have happened is that if the user didn't get assigned the regular user role, they don't get any permissions to join any channels, unless invited or manually added to channels by other users. The user ends up being a kind of guest account. Although I'm not sure it is designed as such.

Make sure that you have
Accounts -> Registration -> Default Roles for Authentication Services
Accounts -> Registration -> Default Roles for Users
set up to be assigned with the user role user.

Also, just in case, do not set Merge Roles from SSO on under the OAuth settings, as at least at one point in the past this was able to wipe out all roles from the user if they did not get one provided directly from the OAuth provider.
(Also this is a risky option as it might allow admin accounts' roles to be controlled from the hopefully trusted OAuth / OIDC service providers.)

amottier commented May 9, 2022

> to be assigned with the user role user

I took a look at the settings and both are configured to assign the user role, and the newly created user actually has the role. If I edit the setting, adding for example the admin role to the list, the user gets the role as expected.

Merge Roles from SSO does not seem to be an option available for GitHub OAuth configuration.

By taking a second look at the logs, I found the following error:

{"level":50,"time":"2022-05-09T12:49:50.313Z","pid":37,"hostname":"01a08d797a59","name":"System","msg":"Exception while invoking method setUsername 'Cannot read property 'blob' of undefined'"} 

My guess would be that the error mentioned above prevents the call to joinDefaultChannels.

I'm not sure what I can do to debug this.

@Gummikavalier

Looking at the GitHub option, it indeed has very few options for configuration. Ours uses a custom OAuth setup, so it has more options to choose from. You are correct, seems to be a new bug.

@amottier

The issue is actually a consequence of a problem related to avatar code.

Disabling the option Accounts → Avatar → Set Default Avatar allows avoiding the issue.

amottier changed the title from "User authenticated using OAuth not added to default rooms" to "User authenticated using OAuth not added to default rooms due to default avatar issue" on May 10, 2022