HELP! Setting up OAuth with Keycloak

Description

I have installed Keycloak OpenID and configured it with Rocket.Chat using OAuth. I followed the guide in the documentation; all the configurations are 100% correct, yet I can't make it work.

Steps to reproduce the issue:
Go to the Rocket.Chat home page (localhost:3000).
Press login using Keycloak.
Enter Keycloak credentials (username/password).
After that I am getting an undefined error in the top right corner.
See error logs below.

Server Setup Information

  • Version of Rocket.Chat Server: Latest
  • Operating System: ubuntu 16.04
  • Deployment Method: snaps
  • Number of Running Instances: 1
  • DB Replicaset Oplog: snaps latest
  • NodeJS Version: snaps latest
  • MongoDB Version: snaps latest
  • Proxy: snaps, didn't touch anything
  • Firewalls involved: localhost, idk

Any additional Information

The error logs on Rocket.Chat say "redirect uri is not valid".
My redirect URI on Keycloak is set to http://localhost:3000/*

I have everything set correctly, yet I can't make this work and it's driving me crazy.

P.S. This is all installed on Ubuntu 16.04 localhost using snaps.

How exactly is OAuth configured in Rocket.Chat?

@jan.garaj

It looks good to me. Could you share your Rocket.Chat logs + a HAR file of the whole login process from your browser (keep in mind: your password may be recorded in the HAR file), pls?

HAR
https://zerobin.net/?841a21b92f088206#VaYUKbjzShS9YLUqlpNrcgjmqZVSP813TvklzIiyaec=
@jan.garaj

Edit:
Keycloak settings:

The HAR file has only 2 requests. I need the whole login process. It's not clear which redirect URL has been sent to Keycloak during login.

HAR for login:
https://zerobin.net/?9b8cfdd3e36d5e9e#zrlZNCLlAlbUxRhnPx6wtkujKSRz3ROjnjAFNt3qi8k=
Check this, this is the only login I can see.

This is the HAR for fonthello.woff2
https://zerobin.net/?0359f5267f18705c#eHfaAWH8eg8F7jimQLNZzuNvOgJdaZA6Z4YsKTYaRGo=

You have to persist logs in the network console. The browser is redirected between Keycloak and Rocket.Chat; I want to see all those redirects (and other requests around them) in the HAR file:

Ah, I get what you mean now.

Hopefully this is it, I truly appreciate the help!!!

https://zerobin.net/?f24c3e2055f8b21f#cgApntscF/XhFqVEemvSXT//jv2cXTaXMXCCg0W5+qk=

Nope, the HAR file is not OK. Let's try something different: paste the Keycloak URL (whole, with all parameters) where you are redirected for the login and where you see the login form. Example, to give you an idea of what I'm expecting:

http://localhost:8080/auth/realms/xxx/protocol/openid-connect/auth?client_id=xxx&redirect_uri=xxx&state=983c975f-e626-4696-89bb-e610072e788c&response_mode=fragment&response_type=code&scope=openid&nonce=9986f157-6c2e-4181-86dc-bd13212862cb

The pop-up window to log in to Keycloak URL?

localhost:8080/auth/realms/demoKeyclock/protocol/openid-connect/auth?client_id=rocket-chat-client&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F_oauth%2Fkeyclock&response_type=code&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJtSW1Uc0kwLU5EbnB1RUJIc1ZlTVp5U3ZSbEtmZmI3UkRlQXhhc3gtd21SIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D&scope=openid

Link pls, not a screenshot.

There is a link above the screenshot.

I'm sorry, the link is wrong, hold on (I'm on VirtualBox and I can't copy-paste, sorry again)

localhost:8080/auth/realms/demoKeyclock/protocol/openid-connect/auth?client_id=rocket-chat-client&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F_oauth%2Fkeyclock&response_type=code&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJtSW1Uc0kwLU5EbnB1RUJIc1ZlTVp5U3ZSbEtmZmI3UkRlQXhhc3gtd21SIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D&scope=openid

I truly appreciate your free help, spending your own time to help me, you generous human being :slight_smile:
@jan.garaj

So, the root URL used in the login is:

http://localhost:3000/_oauth/keyclock

That one must also be used when Rocket.Chat is exchanging the code for the token:

You may see which redirect URL was actually used in the Keycloak logs.

I'm just guessing: you didn't configure the ROOT_URL env variable as http://localhost:3000, or the Site URL is different from http://localhost:3000, or something else (especially if it is behind a reverse proxy, LB, …).

Setting the ROOT URL on Keycloak to
http://localhost:3000/_oauth/keyclock or http://localhost:3000/

Still doesn't work, getting the same result.

Keycloak log

No reverse proxy or anything; this is just a pure install using snaps and nothing has changed.
Maybe it has something to do with it being on localhost and not on a production env. I know Keycloak works because I have set up Nextcloud as well on this env and it works fine.

ROOT_URL is an env variable for Rocket.Chat, not for Keycloak. And that is also just a guess.

There is nothing wrong with the Keycloak configuration or with the used OIDC client configuration.

Sniff the HTTP traffic to Keycloak for the token exchange (tcpdump, Wireshark, …) and find which redirect_uri is used by Rocket.Chat when Rocket.Chat is calling the Keycloak token endpoint.

I am going to set this up on a live server; hopefully that fixes the issue :frowning:.

I set it up on a live server and I am getting the same exact issue.
Can someone please help me, what am I doing wrong?

This is how my redirect URL looks (it's an example):
http://55.43.234.23:3000/*
or even http://55.43.234.23:3000/_oauth/key
Nothing works.
I have no idea why it doesn't work.
In the official documentation it says http:localhost:3000/*; well, http: and not http:// doesn't work for me, I get "invalid url" on the Keycloak login.

If I change the Rocket.Chat login style setting from pop-up to redirect I get this:
W20210201-17:59:31.839(0) (oauth_server.js:403) Error in OAuth Server: redirectUrl (http://xxxxxxxxxxxx.58:3000/home) is not on the same host as the app (http://localhost/)

I bet your General > Site URL is http://localhost (or some similar value) and not http://55.43.234.23:3000.
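The two diagnoses in this thread (the redirect_uri in the authorization request must match what Keycloak's client allows, and it must be on the same host as Rocket.Chat's Site URL / ROOT_URL, otherwise oauth_server.js rejects it with the "not on the same host as the app" error) can be checked offline from the URL the poster pasted. The script below is an added example and is not Rocket.Chat or Keycloak code. It assumes Keycloak's "Valid Redirect URIs" treat a trailing `*` as a prefix wildcard and everything else as an exact match (a simplification of Keycloak's real matcher), and it approximates Rocket.Chat's same-host check as "same scheme, host and port as ROOT_URL". The sample URL is the one posted above with the missing `http://` scheme added; the `state` decoding shows Rocket.Chat's base64(JSON) convention visible in that URL.

```python
import base64
import json
from urllib.parse import parse_qs, urlsplit

# Constructed from the authorization request pasted in the thread (scheme added).
AUTH_URL = (
    "http://localhost:8080/auth/realms/demoKeyclock/protocol/openid-connect/auth"
    "?client_id=rocket-chat-client"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F_oauth%2Fkeyclock"
    "&response_type=code"
    "&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJtSW1Uc0kwLU5EbnB1"
    "RUJIc1ZlTVp5U3ZSbEtmZmI3UkRlQXhhc3gtd21SIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D"
    "&scope=openid"
)


def parse_auth_request(url):
    """Return the single-valued query parameters of an OIDC authorization request."""
    query = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in query.items()}


def decode_state(state):
    """Rocket.Chat sends its OAuth state as base64-encoded JSON; decode it for inspection."""
    padded = state + "=" * (-len(state) % 4)
    return json.loads(base64.b64decode(padded))


def keycloak_accepts(redirect_uri, valid_redirect_uris):
    """Simplified Keycloak matcher: trailing '*' is a prefix wildcard, otherwise exact match.
    (Assumption for this example, not Keycloak's own code.)"""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def same_host_as_app(redirect_uri, root_url):
    """Approximation of the check behind 'redirectUrl ... is not on the same host as the app':
    scheme, host and port of the redirect must equal those of ROOT_URL / Site URL."""
    a, b = urlsplit(redirect_uri), urlsplit(root_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def diagnose(auth_url, valid_redirect_uris, root_url):
    """Pull redirect_uri out of the authorization request and run both checks on it."""
    params = parse_auth_request(auth_url)
    redirect_uri = params["redirect_uri"]
    return {
        "redirect_uri": redirect_uri,
        "state": decode_state(params["state"]),
        "keycloak_accepts": keycloak_accepts(redirect_uri, valid_redirect_uris),
        "same_host_as_app": same_host_as_app(redirect_uri, root_url),
    }


if __name__ == "__main__":
    # Working setup: Keycloak allows http://localhost:3000/*, ROOT_URL is http://localhost:3000
    print(diagnose(AUTH_URL, ["http://localhost:3000/*"], "http://localhost:3000"))
    # Misconfigured Site URL (the situation behind the error log in the thread)
    print(diagnose(AUTH_URL, ["http://localhost:3000/*"], "http://localhost/"))
```

Running it prints the redirect_uri actually sent (`http://localhost:3000/_oauth/keyclock`), the decoded state (loginStyle, credentialToken, isCordova), and whether each side would accept it; the second call shows how a Site URL of `http://localhost/` (no port) fails the same-host check even though Keycloak's wildcard accepts the redirect.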