Is RocketChat not compatible with OAuth2 and Office365? #6809

Closed
basitmohammad opened this issue Apr 26, 2017 · 42 comments

@basitmohammad

commented Apr 26, 2017

I can't set up OAuth with Office365, please help. Is OAuth2 not compatible or supported?

Rocket.Chat Version: 0.54.2
Running Instances: 1
DB Replicaset OpLog: Disabled
Node Version: v4.5.0

@bluenevus


commented Apr 27, 2017

URL: https://login.microsoftonline.com/common
token path: /oauth2/token
identity path: /me
authorize path: /oauth2/authorize
scope: openid
username field: userPrinciplename
and the correct callback url with id and secret configured

Same issue. First it launches and looks like it's going to work, then it says internal server error.

SAML for O365 works, I just can't get OAuth to work, which we need for outside users.

Got this error:
oauth.js:431) Error in OAuth Server: Failed to fetch identity from office365 at https://login.microsoftonline.com/me. failed [404]
I20170412-19:44:06.805(0) Exception while invoking method 'login' Error: Failed to fetch identity from office365 at https://login.microsoftonline.com/me. failed [404] at CustomOAuth.getIdentity (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:198:17) at Object.handleOauthRequest (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:214:25) at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31) at middleware (packages/oauth.js:203:5) at packages/oauth.js:176:5

Now this error:

Exception while invoking method 'login' Error: Failed to complete OAuth handshake with oauthoffice365 at https://login.microsoftonline.com/common/oauth2/token. failed [400] {"error":"invalid_grant","error_description":"AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid

@geekgonecrazy

Member

commented Apr 27, 2017

I don't believe /me is the proper identity path. Actually, digging through, I'm not finding such an equivalent route.

Microsoft's authentication services are a bit of a mess. They've been doing a bit better in recent years.

If you can find the identity path in their documentation somewhere you could probably get this to work. Otherwise I think we're going to have to add one specifically for Office365.

@bluenevus


commented Apr 27, 2017

@bluenevus


commented Apr 27, 2017

In fact, this is the error when I tried the identity URL above:

Exception while invoking method 'login' Error: Failed to fetch identity from oauthoffice365 at https://outlook.office365.com/api/v1.0/me. failed [401] at CustomOAuth.getIdentity (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:198:17) at Object.handleOauthRequest (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:214:25) at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31) at middleware (packages/oauth.js:203:5) at packages/oauth.js:176:5

@geekgonecrazy

Member

commented Apr 27, 2017

@bluenevus how did you generate your OAuth client ID / secret? There seem to be dozens of different instruction sets floating around, all of them about as clear as mud. 😁 I remember at one point having to set things up via Azure AD. But then I thought there was a more recent set that was almost a wizard via the Graph API.

@bluenevus


commented Apr 27, 2017

@bluenevus


commented Apr 27, 2017

It's pretty much the common Microsoft login, whether O365, Live, etc.


@bluenevus


commented Apr 27, 2017

@geekgonecrazy

Member

commented Apr 27, 2017

@bluenevus perfect! What fields did you end up with? That way we can pass the knowledge forward for others 😁

@bluenevus


commented Apr 27, 2017

@geekgonecrazy

Member

commented Apr 27, 2017

I've managed to duplicate everything except a successful login 😁

Here's what I have on my app page on Microsoft.

[screenshots of the Microsoft app page]

Is there something missing from here?

@bluenevus


commented Apr 27, 2017

@JannikZed


commented Jul 4, 2017

Hi,
I always receive the following:

Error in OAuth Server: Failed to fetch identity from o365 at https://login.microsoftonline.com/common/openid/userinfo. failed [400]

@geekgonecrazy @bluenevus
The endpoint doesn't seem to work. Is it still working for you?

@KoAi


commented Jul 19, 2017

Hi,
For my part, with the same config mentioned above I get the following error:

Exception while invoking method 'login' Error: Failed to complete OAuth handshake with o365 at https://login.microsoftonline.com/common/oauth2/token. failed [400]

Did somebody make it work?

@bluenevus


commented Jul 21, 2017

This is your problem.
[screenshot]

It has to be HTTPS.

@bluenevus


commented Jul 21, 2017

[screenshot]

@bluenevus


commented Jul 21, 2017

[screenshot]

@bluenevus


commented Jul 21, 2017

Your redirect URL on O365 will need to be https://your.rocketchat-server.com/_oauth/CustomOAuthNAME

Doing localhost will be problematic. If you want to do that, put a reverse proxy in front so you are going out and in on HTTPS on 443, not 3000.

It works... we have it working this way.

@geekgonecrazy

Member

commented Jul 22, 2017

We definitely need to turn this into a doc. I think this would be incredibly useful.

@JannikZed


commented Jul 23, 2017

@bluenevus


commented Jul 23, 2017

@KoAi


commented Jul 23, 2017

Still not working for me either, with the same config and HTTPS with a domain.
I will give it other tries next week.

@JannikZed


commented Jul 28, 2017

Hi,
@bluenevus that's not right. I'm a different person :D We are using HTTPS on an FQDN. This is what my config looks like:
[screenshots of the Rocket.Chat custom OAuth configuration]

And this is what I get in my log:
[screenshot of the log]

@steversk


commented Sep 11, 2017

I have followed the steps above and can successfully authenticate but it fails when trying to return to the redirect URL. After authenticating, the authentication screen hangs while trying to return back to the redirect URL listed at apps.microsoft.com.

I'm setting the redirect URL to the same as the callback URL listed in my custom OAuth:
https://rapchat-dev.corp.*****.net/_oauth/azuread

When I try to connect to the Callback URL listed in RocketChat, it works fine until I add an entry to the URL field. Once I add https://login.microsoftonline.com/common to the URL field, I can no longer connect to the Callback URL and instead receive a timeout error.

I've attached a screenshot of the configuration in RocketChat. I've set the redirect URL at apps.microsoft.com to match the callback URL.

[screenshot of the Rocket.Chat configuration]

Thanks for your help!

@bluenevus


commented Sep 11, 2017

@steversk


commented Sep 11, 2017

Yes, we are using HTTPS and I believe I've matched all of the entries. I've pasted screenshots of my RocketChat setup, apps.microsoft.com setup screen, as well as the gateway timeout that occurs after I successfully authenticate.

[screenshots: Rocket.Chat setup, apps.microsoft.com setup, gateway timeout]

@jmoont


commented Dec 6, 2017

It seems that Office365 is set to use the body (payload) for the authorize and token and then the header for subsequent requests. Could you add the option to set "Token Sent Via" to something different for the identity request vs the Authorize and Token requests?

@rodrigok

Member

commented Dec 6, 2017

@jmoont We can try 😄 @mrinaldhar will start working on OAuth improvements soon, he will be able to answer this question soon.

@jmoont


commented Dec 6, 2017

That sounds great but I'd like to confirm my idea (and get it working sooner!) - I've got RocketChat running on Docker, on Ubuntu, on AWS - is there a way to build a version and deploy to the container or edit/hack the code on the container? Thanks.

@jmoont


commented Dec 6, 2017

OK - I worked it out - edited/hacked it on my Docker container and it's working :)

@rodrigok

Member

commented Dec 6, 2017

@jmoont Can you show me what exactly you did? So I can try to fix it ASAP

@jmoont


commented Dec 6, 2017

So I just commented out the case statement for the identity so that it used the header and then set my custom oauth to use the payload for the initial requests. This is obviously a hack to get it working but having the option to use a different "Token Sent Via" for the identity request vs the authorize and token ones would be a generic fix.

@rodrigok

Member

commented Dec 7, 2017

@jmoont can you check if this PR solves your problem #9034 ?

@jmoont


commented Dec 11, 2017

Yes - works well. Thank you for the quick turnaround.

Below are my settings for the app I set up in Azure Active Directory.
[screenshot: Azure AD app settings]

@rodrigok

Member

commented Dec 11, 2017

Closed by #9034

@rodrigok rodrigok closed this Dec 11, 2017

@rodrigok rodrigok added this to the 0.60.0 milestone Dec 11, 2017

@rodrigok

Member

commented Dec 11, 2017

Awesome, thanks @jmoont

@JannikZed


commented Dec 31, 2017

@jmoont Hi, just one more little question: do you also know what to put into "Username field"? Right now rocket.chat is not recognizing the email address of the authenticating user.
Kind regards

@JSzaszvari

Member

commented Dec 31, 2017

@JannikZed

userPrinciplename

@alincalinciuc


commented Feb 22, 2018

@JannikZed if you need to set up email as Username you can use upn or any of the fields of the JWT token found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#jwt-token-claims

@sketch242


commented Mar 27, 2018

@alincalinciuc I used upn, but according to ticket #10196 @ is not an allowed character in usernames.

I did find that you can also use "name", which returns the user's full name with a space, however, then mentions are broken (see ticket #7280).

I figured I would mention it here in case anyone didn't realize that you can actually leave the username field blank, and RocketChat will prompt the user at initial login.

It would be nice if there was some way to automatically set a consistent username, with functional mentions, though. Is there any way to combine multiple fields? I tried a few variations like {given_name}.{last_name} but couldn't find anything which worked.
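As an added example (not Rocket.Chat code and not from anyone in this thread), the Node.js snippet below decodes the payload of an Azure AD JWT to list the claims available to the Username field, then derives a username that satisfies the constraints raised in the two comments above (no '@' as in upn, no spaces as in name, a given_name.family_name form where it fits). It assumes Rocket.Chat's default username rule is `[0-9a-zA-Z-_.]+` and uses the Azure AD claim names upn, name, given_name and family_name; the sample token is constructed here with a placeholder signature.

```javascript
// Decode the payload segment of a compact JWT to inspect its claims.
// This reads claims only; it performs no signature check, so nothing
// returned here may be trusted for login until the server has verified
// the token.
function decodeJwtPayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, 'base64').toString('utf8'));
}

const USERNAME_RE = /^[0-9a-zA-Z-_.]+$/; // assumed Rocket.Chat default rule

// Derive a mention-safe username from Azure AD claims (assumed names:
// given_name, family_name, upn, name): given_name.family_name first, then
// the local part of upn (drops '@domain'), then name with spaces as dots.
// Each candidate is lowercased and checked against the rule; null if none fits.
function usernameFromClaims(claims) {
  const candidates = [];
  if (claims.given_name && claims.family_name) {
    candidates.push(`${claims.given_name}.${claims.family_name}`);
  }
  if (typeof claims.upn === 'string') candidates.push(claims.upn.split('@')[0]);
  if (typeof claims.name === 'string') candidates.push(claims.name.replace(/\s+/g, '.'));
  for (const c of candidates) {
    const lowered = c.toLowerCase();
    if (USERNAME_RE.test(lowered)) return lowered;
  }
  return null;
}

// Build a constructed sample token for the demo: real base64url header and
// payload, but a placeholder signature, so it is useless for an actual login.
function makeSampleJwt(claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(claims)}.placeholder-signature`;
}

const SAMPLE_CLAIMS = { upn: 'jane.doe@contoso.example', name: 'Jane Doe',
                        given_name: 'Jane', family_name: 'Doe' }; // constructed

function demo() {
  const claims = decodeJwtPayload(makeSampleJwt(SAMPLE_CLAIMS));
  return { available: Object.keys(claims), username: usernameFromClaims(claims) };
}

console.log(demo()); // username: 'jane.doe'
```

A name with characters outside the rule (an accented given_name, say) fails the check and the code falls through to the upn local part, which is why the candidates are ordered rather than picked blindly.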

@BlackFenix2


commented Aug 6, 2018

I referred this constraint to a feature request here: #11647
