Is RocketChat not compatible with OAuth2 and Office365? #6809
Comments
|
URL: https://login.microsoftonline.com/common same issue. first it launches, looks like its going to work then it says internal server error saml for o365 works just can't get oauth to work which we need for outside users Got this error now this error Exception while invoking method 'login' Error: Failed to complete OAuth handshake with oauthoffice365 at https://login.microsoftonline.com/common/oauth2/token. failed [400] {"error":"invalid_grant","error_description":"AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid |
|
I don't believe /me is the proper identity path. Actually digging through i'm not finding such an equivalent route. Microsofts authentication services are a bit of a mess. They've been doing a bit better in recent years. If you can find the identity path in their documentation somewhere you could probably get this to work. Otherwise I think we're going to have to add one specifically for office365 |
|
Thanks.
I tried to use outlook as the identity url to get the identity because that is how I saw some other apps grab the identity but that didn’t work either. Specifically <https://outlook.office365.com/api/v1.0/me> https://outlook.office365.com/api/v1.0/me because it looked similar to your example.
…--
Vr, Frank
From: Aaron Ogle [mailto:notifications@github.com]
Sent: Thursday, April 27, 2017 4:55 PM
To: RocketChat/Rocket.Chat <Rocket.Chat@noreply.github.com>
Cc: Frank Tucker <frank.tucker@microhealthllc.com>; Comment <comment@noreply.github.com>
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
I don't believe /me is the proper identity path. Actually digging through i'm not finding such an equivalent route.
Microsofts authentication services are a bit of a mess. They've been doing a bit better in recent years.
If you can find the identity path in their documentation somewhere you could probably get this to work. Otherwise I think we're going to have to add one specifically for office365
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub <#6809 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ADgTo6HX_CTiWgsXYQ7jeCfeNKNJI50Hks5r0QCYgaJpZM4NJHN9> . <https://github.com/notifications/beacon/ADgTowlM54tpYOCP-bG-7Dka6ttHo7fuks5r0QCYgaJpZM4NJHN9.gif>
|
|
In fact, this is the error when I tried the identity url above Exception while invoking method 'login' Error: Failed to fetch identity from oauthoffice365 at https://outlook.office365.com/api/v1.0/me. failed [401] at CustomOAuth.getIdentity (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:198:17) at Object.handleOauthRequest (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:214:25) at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31) at middleware (packages/oauth.js:203:5) at packages/oauth.js:176:5 |
|
@bluenevus how did you generate your oauth clientid / secret? Seems to be dozens of different instructions sets floating around. All of them about as clear as mud. 😁 I remember at one point having to setup things via Azure AD. But then I thought there was a more recent set that was almost a wizard via the graph api. |
|
Go to Microsoft app dev here <https://apps.dev.microsoft.com/> https://apps.dev.microsoft.com/
Register you app much like you would in facebook, twitter or github. It will generate client id and secret. Put your call back url there.
…--
Vr, Frank
From: Aaron Ogle [mailto:notifications@github.com]
Sent: Thursday, April 27, 2017 5:12 PM
To: RocketChat/Rocket.Chat <Rocket.Chat@noreply.github.com>
Cc: Frank Tucker <frank.tucker@microhealthllc.com>; Mention <mention@noreply.github.com>
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
@bluenevus <https://github.com/bluenevus> how did you generate your oauth clientid / secret? Seems to be dozens of different instructions sets floating around. All of them about as clear as mud. 😁 I remember at one point having to setup things via Azure AD. But then I thought there was a more recent set that was almost a wizard via the graph api.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#6809 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ADgTo9b023ufbHZ-QrVr5Re4Ftq2dlYDks5r0QSagaJpZM4NJHN9> . <https://github.com/notifications/beacon/ADgTo0sLxx3JMi2pEyxT7zMSiC5FOqFRks5r0QSagaJpZM4NJHN9.gif>
|
|
its pretty much the common microsoft login whether o365, live etc |
|
The endpoint seems to be: https://login.microsoftonline.com/common/openid/userinfo Found here: https://login.microsoftonline.com/common/.well-known/openid-configuration |
|
Worked like a champ. We have been struggling for weeks with calls to Microsoft on this. Thank you, Thank you, Thank you. You have an amazing product we are trying to pilot
…--
Vr, Frank
From: Aaron Ogle [mailto:notifications@github.com]
Sent: Thursday, April 27, 2017 5:44 PM
To: RocketChat/Rocket.Chat <Rocket.Chat@noreply.github.com>
Cc: Frank Tucker <frank.tucker@microhealthllc.com>; Mention <mention@noreply.github.com>
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
The endpoint seems to be: https://login.microsoftonline.com/common/openid/userinfo
Found here: https://login.microsoftonline.com/common/.well-known/openid-configuration
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#6809 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ADgTo4w58R_0K_7aXZJS7D3CEnFBsg79ks5r0QwYgaJpZM4NJHN9> . <https://github.com/notifications/beacon/ADgTowG2GLpluPuG7k_Ud6qdhgkghOsqks5r0QwYgaJpZM4NJHN9.gif>
|
|
@bluenevus perfect! What fields did you end up with? That way we can pass the knowledge forward for others 😁 |
|
For oauth
* url <https://login.microsoftonline.com/common> https://login.microsoftonline.com/common
* token path /oauth2/token
* identity path /openid/userinfo
* authorize path /oauth2/authorize
* scope openid
* token sent via header
* id from https://apps.dev.microsoft.com
* secret from <https://apps.dev.microsoft.com> https://apps.dev.microsoft.com
* login style popup
* username field: just doesn’t work. It should be UserPrincipalName but I get an error that says its not found in data stream. Tried others like mail and email and it’s the same. So the user can’t expect it to be the same account if their email is the same registered in say o365 and github…won’t be the same user and won’t allow them to register with the same username
* merge users really doesn’t matter because it can’t find the username in the data stream
…--
Vr, Frank
From: Aaron Ogle [mailto:notifications@github.com]
Sent: Thursday, April 27, 2017 5:59 PM
To: RocketChat/Rocket.Chat <Rocket.Chat@noreply.github.com>
Cc: Frank Tucker <frank.tucker@microhealthllc.com>; Mention <mention@noreply.github.com>
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
@bluenevus <https://github.com/bluenevus> perfect! What fields did you end up with? That way we can pass the knowledge forward for others 😁
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#6809 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ADgTo0mhWBuzM4rynLB7CRawOwxTqsOMks5r0Q-wgaJpZM4NJHN9> . <https://github.com/notifications/beacon/ADgTo1Ch4Ukokq3Alf3SeWWzywot8RaQks5r0Q-wgaJpZM4NJHN9.gif>
|
|
I've managed to duplicate every thing except a successful login 😁 Heres what I have on my app page on microsoft.
Is there something missing from here? |
|
Has to be https. Will not work with http.
…--
Vr, Frank
From: Aaron Ogle [mailto:notifications@github.com]
Sent: Thursday, April 27, 2017 6:34 PM
To: RocketChat/Rocket.Chat <Rocket.Chat@noreply.github.com>
Cc: Frank Tucker <frank.tucker@microhealthllc.com>; Mention <mention@noreply.github.com>
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
I've managed to duplicate every thing except a successful login 😁
Heres what I have on my app page on microsoft.
<https://cloud.githubusercontent.com/assets/51996/25507087/a4f08eee-2b6f-11e7-839e-6ab54e3ac50c.png>
Is there something missing from here?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#6809 (comment)> , or mute the thread <https://github.com/notifications/unsubscribe-auth/ADgToxRULhwIqRdeAnNYt4NifIKzhRDTks5r0RfZgaJpZM4NJHN9> . <https://github.com/notifications/beacon/ADgTo37DNF2juyOu_s1toj9hiaWMwKu2ks5r0RfZgaJpZM4NJHN9.gif>
|
|
Hi,
@geekgonecrazy @bluenevus |
|
Hi,
Did somebody make it works ? |
|
This is your problem. it has to be https |
|
|
|
|
|
your redirect url on o365 will need to be https://your.rocketchat-server.com/_oauth/CustomOAuthNAME doing a localhost will be problematic. If you want to do that, put a reverse proxy so you are going out and in on https on 443 not 3000 It works...we have it working this way |
|
We definitely need to turn this in to a doc. I think this would be incredibly useful. |
|
I don't know what I'm doing wrong, but it's still not working for me. I'm using exactly the settings you where screenshotting, but no success. It would be so nice to have o365 as an officially tested oauth provider in rocketchat.
On Sat, Jul 22, 2017 at 4:57 AM +0200, "Aaron Ogle" <notifications@github.com> wrote:
We definitely need to turn this in to a doc. I think this would be incredibly useful.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
|
|
The problem is you are in localhost on http vs a domain or up on https port 443
Get Outlook for Android<https://aka.ms/ghei36>
…________________________________
From: JZinkl <notifications@github.com>
Sent: Sunday, July 23, 2017 8:02:29 AM
To: RocketChat/Rocket.Chat
Cc: Frank Tucker; Mention
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
I don't know what I'm doing wrong, but it's still not working for me. I'm using exactly the settings you where screenshotting, but no success. It would be so nice to have o365 as an officially tested oauth provider in rocketchat.
TRIEB.WORK | DISRUPTIVE IT SOLUTIONS
Jannik Zinkl
Geschäftsleitung
+49 151 51183272 (mobil)
Email: jannik.zinkl@trieb.work
Diese E-Mail ist ausschließlich für den angeführten Adressaten bestimmt. Sie kann Informationen enthalten, welchevertraulich sind und durch die Verschwiegenheit geschützt werden. „trieb.work“ und „BitPaket“ sind Markennamen dertrieb.work Zinkl, Marquart GbR, Vorrastraße 9 90482 Nürnberg. USt.ID.: DE310650608, Kontakt: info@trieb.work
On Sat, Jul 22, 2017 at 4:57 AM +0200, "Aaron Ogle" <notifications@github.com> wrote:
We definitely need to turn this in to a doc. I think this would be incredibly useful.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub, or mute the thread.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#6809 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADgTo54NKpfokPkio9K_GSDaMaWHsVqDks5sQzZVgaJpZM4NJHN9>.
|
|
Still not working for me too with same config and https with domain. |
|
Hi, And this is what I get in my log: |
|
I have followed the steps above and can successfully authenticate but it fails when trying to return to the redirect URL. After authenticating, the authentication screen hangs while trying to return back to the redirect URL listed at apps.microsoft.com. I'm setting the redirect URL to the same as the callback URL listed in my custom OAuth: When I try to connect to the Callback URL listed in RocketChat, it works fine until I add an entry to the URL field. Once, I add https://login.microsoftonline.com/common to the URL field, I can no longer connect to the Callback URL and instead receive a timeout error. I've attached a screenshot of the configuration in RocketChat. I've set the redirect URL at apps.microsoft.com to match the callback URL.
Thanks for your help! |
|
do you have all of the other values like this image?
Your callback url that you setup in office365 comes from this statement here on the top of the oauth configuration screen below
"When setting up your OAuth Provider, you'll have to inform a Callback URL. Use..."
It has to be HTTPS
…--
Dr. Frank Tucker
CEO
MicroHealth, LLC
People * Value * Innovation
O: (855) 294-3547 | F: (855)-850-1264
Address: 8245 Boone Blvd, Suite 706 | Vienna, VA 22182
<http://www.microhealthonline.com/>Email: frank.tucker@microhealthllc.com<mailto:frank.tucker@microhealthllc.com>
www.microhealthllc.com<http://www.microhealthllc.com/>
www.microhealthllc.com<http://www.microhealthllc.com/>
________________________________
From: steversk <notifications@github.com>
Sent: Monday, September 11, 2017 12:49:27 PM
To: RocketChat/Rocket.Chat
Cc: Frank Tucker; Mention
Subject: Re: [RocketChat/Rocket.Chat] Is RocketChat not compatible with OAuth2 and Office365? (#6809)
I have followed the steps above and can successfully authenticate but it fails when trying to return to the redirect URL. After authenticating, the authentication screen hangs while trying to return back to the redirect URL listed at apps.microsoft.com.
I'm setting the redirect URL to the same as the callback URL listed in my custom OAuth:
https://rapchat-dev.corp.*****.net/_oauth/azuread
When I try to connect to the Callback URL listed in RocketChat, it works fine until I add an entry to the URL field. Once, I add https://login.microsoftonline.com/common to the URL field, I can no longer connect to the Callback URL and instead receive a timeout error.
I've attached a screenshot of the configuration in RocketChat. I've set the redirect URL at apps.microsoft.com to match the callback URL.
[ss]<https://user-images.githubusercontent.com/17030035/30286370-a0758e84-96de-11e7-8e8d-d03f91ad16cb.JPG>
Thanks for your help!
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#6809 (comment)>, or mute the thread<https://github.com/notifications/unsubscribe-auth/ADgTo6rGutrOjDK-SGImJQpEuJui5D65ks5shWSXgaJpZM4NJHN9>.
|
|
Yes, we are using HTTPS and I believe I've matched all of the entries. I've pasted screenshots of my RocketChat setup, apps.microsoft.com setup screen, as well as the gateway timeout that occurs after I successfully authenticate.
|
|
It seems that Office365 is set to use the body (payload) for the authorize and token and then the header for subsequent requests. Could you add the option to set "Token Sent Via" to something different for the identity request vs the Authorize and Token requests? |
|
@jmoont We can try 😄 @mrinaldhar will start working on OAuth improvements soon, he will be able to answer this question soon. |
|
That sounds great but I'd like to confirm my idea (and get it working sooner!) - I've got RocketChat running on docker, on Ubuntu, on AWS - is there a way to build a version and deploy to the container or edit/hack the code on the container? Thanks. |
|
Ok - I worked it out - edited/hacked it on my docker container and its working :) |
|
@jmoont Can you show me what exactly you did? So I can try to fix it ASAP |
|
So I just commented out the case statement for the identity so that it used the header and then set my custom oauth to use the payload for the initial requests. This is obviously a hack to get it working but having the option to use a different "Token Sent Via" for the identity request vs the authorize and token ones would be a generic fix. |
|
Yes - works well. Thank you for the quick turnaround. Below are my settings for the app I set up in Azure Active Directory. |
|
Closed by #9034 |
|
Awesome, thanks @jmoont |
|
@jmoont Hi, just one more little question: do you also know what to put into "Username field"? Right now rocket.chat is not recognizing the email Adresse of the authenticating user. |
|
userPrinciplename |
|
@JannikZed if you need to setup email as Username you can use |
|
@alincalinciuc I used upn, but according to ticket #10196 @ is not an allowed character in usernames. I did find that you can also use "name", which returns the user's full name with a space, however, then mentions are broken (see ticket #7280). I figured I would mention it here in case anyone didn't realize that you can actually leave the username field blank, and RocketChat will prompt the user at initial login. It would be nice if there was some way to automatically set a consistent username, with functional mentions, though. Is there any way to combine multiple fields? I tried a few variations like {given_name}.{last_name} but couldn't find anything which worked. |
|
i referred this constraint into a feature request here: #11647 |
|
Could be kind of late, but i leave to you my doc after days of dealing with all problems. |
|
Can I login to rocket.chat using AzureAd with this tutorial? |
|
Thats exactly the idea... |
|
It is done but when i try to login i got back to login page |
|
You press the "Azure AD Login" button to login? |
|
Yeah i pressed it generates the popup screen i select my login and i am redirected to the first step again which would be to choose the account I want to login to |
|
This may be related to which version of both azure ad and rocket I'm using? Because at the moment there are free versions of both |
|
I dont think so, I was using freeversion of both, too. |
|
Maybe i need to change the UPN options on login and email fields? |
I can't set up OAuth with Office365, please help. Is Oauth2 not compatible or supported?
Rocket.Chat Version: 0.54.2
Running Instances: 1
DB Replicaset OpLog: Disabled
Node Version: v4.5.0
The text was updated successfully, but these errors were encountered: