
Existing users can't login via OAuth/Keycloak

Open highpingblorg opened this issue 1 year ago • 3 comments

Description:

To initially access Rocketchat, users must log in through Keycloak, which is how accounts are provisioned. This functionality generally works without issue.

However, the problem arises seemingly at random. Users with existing Keycloak-created accounts are sometimes unable to successfully log in to Rocketchat. There are no error messages, password update prompts, or other indications of the issue. When the user attempts to log in through Keycloak, they are simply redirected back to the login page without gaining access.

According to Keycloak, these users have an active session for Rocketchat, but no corresponding cookies or tokens are set in the browser. As a result, the users cannot log in.

This issue forces the administrator to manually provision local Rocketchat accounts by resetting the password for affected users through the UI, which is an undesirable workaround.


I've tried reproducing this bug but I can't seem to find the exact cause.

Steps to reproduce:

  1. Have a Rocketchat instance with Keycloak as the OAuth provider
  2. Create an account via OAuth
  3. Re-log in and get denied access -> no idea what the cause of this is

Expected behavior:

The expected behavior is that the user is logged in successfully.

Actual behavior:

Unsuccessful log in to Rocketchat

Server Setup Information:

  • Version of Rocket.Chat Server: 7.0.0
  • Number of Users: 300+
  • NodeJS Version: v20.18.1
  • MongoDB Version: 7.0.15 / wiredTiger (oplog Enabled)

Client Setup Information

Happens in different browsers, on different versions and different operating systems.

Additional context

This issue has been around for at least 1.5-2 years. The user was able to log in fine via Keycloak until that bug occurred, and no configuration settings were modified in either Rocketchat or Keycloak for affected users.

highpingblorg avatar Dec 16 '24 12:12 highpingblorg

Yeah, I faced the same issue today. One time it was not logging in and kept reconnecting again and again, but after 15-20 minutes I was able to log in.

Priyanshuthapliyal2005 avatar Dec 16 '24 15:12 Priyanshuthapliyal2005

Please check with 7.0.1

reetp avatar Dec 17 '24 08:12 reetp

> Please check with 7.0.1

Even better, you should test with 7.1.0, as per the bug guidelines: "always test on the latest release".

reetp avatar Dec 17 '24 12:12 reetp

Same behavior as @highpingblorg described. Every time a login does not complete, RocketChat log states as follows:

```json
{
  "level":50,
  "time":"2025-01-09T07:20:11.715Z",
  "pid":9,
  "hostname":"<DOMAIN>",
  "name":"System",
  "msg":"Exception while invoking method login",
  "err": {
    "type":"Error",
    "message":"remove +  is not available on the server. Please use removeAsync() instead.",
    "stack":"Error: remove +  is not available on the server. Please use removeAsync() instead.
        at Object.ret.<computed> [as remove] (packages/mongo/remote_collection_driver.js:53:15)
        at Collection.remove (packages/mongo/collection.js:1016:29)
        at Collection.Mongo.Collection.<computed> [as remove] (packages/dispatch_run-as-user.js:346:17)
        at Object.OAuth._retrievePendingCredential (app/2fa/server/loginHandler.ts:88:29)
        at processTicksAndRejections (node:internal/process/task_queues:95:5)
        at MethodInvocation.<anonymous> (packages/accounts-oauth/oauth_server.js:18:18)
        at packages/accounts-base/accounts_server.js:593:9
        at tryLoginMethod (packages/accounts-base/accounts_server.js:1560:14)
        at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:592:22)
        at AccountsServer.Accounts._runLoginHandlers (app/lib/server/lib/loginErrorMessageOverride.ts:9:17)
        at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:654:22)"
  }
}
```

Tested against 7.2 running MongoDB 6.

phagemann avatar Jan 09 '25 07:01 phagemann

Thanks for testing.

I'll refer to the team.

reetp avatar Jan 09 '25 08:01 reetp

Hello team, I am also affected by this, is there any new updates?

SDAdham avatar Jan 24 '25 09:01 SDAdham

~~I can confirm the issue on a fresh install with both current Keycloak + RC 7.2.1. I copied the configuration from existing servers. So I'm relatively confident that the OAuth configuration is correct. The MongoDB version is 7.~~

I had a typo in the user info endpoint. I'd recommend carefully checking all settings again. After fixing this config bug, the error message is gone and login works.

svenseeberg avatar Jan 25 '25 14:01 svenseeberg

Having the same issue here

```text
2025-02-01 16:13:16 {"level":50,"time":"2025-02-01T21:13:16.432Z","pid":1,"hostname":"c536f734cedd","name":"System","msg":"Exception while invoking method login","err":{"type":"Error","message":"remove is not available on the server. Please use removeAsync() instead.","stack":"Error: remove is not available on the server. Please use removeAsync() instead.\n    at Object.ret.<computed> [as remove] (packages/mongo/remote_collection_driver.ts:92:15)\n    at Collection.remove (packages/mongo/collection/methods_sync.js:288:29)\n    at Collection.Mongo.Collection.<computed> [as remove] (packages/dispatch_run-as-user.js:346:17)\n    at Object.OAuth._retrievePendingCredential (app/2fa/server/loginHandler.ts:88:29)\n    at processTicksAndRejections (node:internal/process/task_queues:105:5)\n    at MethodInvocation.<anonymous> (packages/accounts-oauth/oauth_server.js:18:18)\n    at packages/accounts-base/accounts_server.js:593:9\n    at tryLoginMethod (packages/accounts-base/accounts_server.js:1560:14)\n    at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:592:22)\n    at AccountsServer.Accounts._runLoginHandlers (app/lib/server/lib/loginErrorMessageOverride.ts:9:17)\n    at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:654:22)"}}
```

ghost avatar Feb 01 '25 21:02 ghost

I am facing the same issue -

```json
{"level":50,"time":"2025-02-25T15:04:37.558Z","pid":1,"hostname":"56817af5fa15","name":"System","msg":"Exception while invoking method login","err":{"type":"Error","message":"remove is not available on the server. Please use removeAsync() instead.","stack":"Error: remove is not available on the server. Please use removeAsync() instead.\n at Object.ret.<computed> [as remove] (packages/mongo/remote_collection_driver.ts:92:15)\n at Collection.remove (packages/mongo/collection/methods_sync.js:288:29)\n at Collection.Mongo.Collection.<computed> [as remove] (packages/dispatch_run-as-user.js:346:17)\n at Object.OAuth._retrievePendingCredential (app/2fa/server/loginHandler.ts:88:29)\n at processTicksAndRejections (node:internal/process/task_queues:105:5)\n at MethodInvocation.<anonymous> (packages/accounts-oauth/oauth_server.js:18:18)\n at packages/accounts-base/accounts_server.js:593:9\n at tryLoginMethod (packages/accounts-base/accounts_server.js:1560:14)\n at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:592:22)\n at AccountsServer.Accounts._runLoginHandlers (app/lib/server/lib/loginErrorMessageOverride.ts:9:17)\n at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:654:22)"}}
```

What is the immediate remedy?

vmss2009 avatar Feb 25 '25 15:02 vmss2009

If you are affected you MUST specify your own setup.

#metoo is just ignored.

reetp avatar Feb 25 '25 15:02 reetp

Sorry for the inconvenience, I opened a new issue -

https://github.com/RocketChat/Rocket.Chat/issues/35341

vmss2009 avatar Feb 27 '25 02:02 vmss2009

> Sorry for the inconvenience, I opened a new issue -

Yup - you are using a different provider....

Chasing this up.

reetp avatar Feb 27 '25 09:02 reetp

The actual bug is on this line: https://github.com/RocketChat/Rocket.Chat/blob/develop/apps/meteor/app/2fa/server/loginHandler.ts#L88. It should be `await OAuth._pendingCredentials.removeAsync({`. This should have been changed in https://github.com/RocketChat/Rocket.Chat/commit/c683a417cd0b7e8e07b9d4f410d9915df2d5af61, but it was missed.

However, this line is only reached if there is already an error with the OAuth flow, probably with your setup. Unfortunately, this line prevents the actual error from being logged. However, if you are able to guess what your error is and fix it, you should be able to avoid this line.

In my case, my no_proxy env variable was missing the leading `.` for subdomain matches, since https://www.npmjs.com/package/proxy-from-env handles no_proxy subdomain matching differently than most other libraries. Once I fixed my no_proxy env variable, the problem went away.

SteffeyDev avatar Mar 01 '25 12:03 SteffeyDev
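A constructed JavaScript model of what the comment above describes (added here; not code from Rocket.Chat or Meteor): a store of pending OAuth credentials, a synchronous `remove` that throws on a Meteor 3 server, and the `removeAsync` fix. The collection class, the document shape and the sample OAuth error message are assumptions made for the example.

```javascript
// Constructed model of the failure described in this thread, not Rocket.Chat's or
// Meteor's code: on a Meteor 3 server the synchronous Collection#remove throws, so
// calling it in the failed-OAuth branch replaces the real error with the one logged above.
// Hypothetical stand-in for the Meteor collection holding pending OAuth credentials.
class PendingCredentials {
  constructor() { this.docs = new Map(); }
  insert(doc) { this.docs.set(doc._id, doc); }
  findOne(q) { return this.docs.get(q._id) ?? null; }
  remove() { throw new Error('remove is not available on the server. Please use removeAsync() instead.'); }
  async removeAsync(q) { return this.docs.delete(q._id) ? 1 : 0; }
}
// Buggy variant: synchronous remove in the error branch, as in the stack trace above.
async function retrievePendingCredentialBuggy(coll, key) {
  const pending = coll.findOne({ _id: key });
  if (!pending) return undefined;
  if (pending.credential.error) {
    coll.remove({ _id: key }); // throws here, so the real error below is never returned
    return new Error(pending.credential.error.message);
  }
  return pending.credential;
}
// Fixed variant: await removeAsync, so the stored OAuth error reaches the caller's log.
async function retrievePendingCredentialFixed(coll, key) {
  const pending = coll.findOne({ _id: key });
  if (!pending) return undefined;
  if (pending.credential.error) {
    await coll.removeAsync({ _id: key });
    return new Error(pending.credential.error.message);
  }
  return pending.credential;
}
// Constructed sample: a pending credential carrying the real failure (a misconfigured
// userinfo endpoint or proxy, as reported in this thread, would be stored like this).
function makeStore() {
  const coll = new PendingCredentials();
  coll.insert({ _id: 'key-1', credential: { error: { message: 'Failed to fetch user info: ECONNREFUSED' } } });
  return coll;
}
// Run one variant and report the message an operator would see, plus leftover documents.
async function observe(fn) {
  const coll = makeStore();
  try {
    const r = await fn(coll, 'key-1');
    return { logged: r instanceof Error ? r.message : String(r), remaining: coll.docs.size };
  } catch (e) {
    return { logged: e.message, remaining: coll.docs.size };
  }
}
```

With the buggy variant `observe` reports the "use removeAsync()" message and leaves the stale pending credential in the store; with the fixed variant it reports the original OAuth error and the store is empty.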

> The actual bug is on this line: https://github.com/RocketChat/Rocket.Chat/blob/develop/apps/meteor/app/2fa/server/loginHandler.ts#L88 It should be await OAuth._pendingCredentials.removeAsync({

Ok.

> This should have been changed in https://github.com/RocketChat/Rocket.Chat/commit/c683a417cd0b7e8e07b9d4f410d9915df2d5af61, but it was missed.

Thanks. I'll get that checked.

> However, this line is only reached if there is already an error with the oauth, probably with your setup.

Yes most issues are wrong configs, but it should show the error correctly.

reetp avatar Mar 01 '25 12:03 reetp

"This should have been changed in https://github.com/RocketChat/Rocket.Chat/commit/c683a417cd0b7e8e07b9d4f410d9915df2d5af61, but it was missed."

Hey, when will the above commit be pushed?

I need to see the error and work on it.

vmss2009 avatar Mar 26 '25 13:03 vmss2009

Hey, can I know the exact place where I could have gone wrong? I glanced at the code, and it seems like there is something wrong with the credentials. Is it by chance related to the client secret and client ID of the auth?

vmss2009 avatar Apr 04 '25 13:04 vmss2009