Rocket.Chat's Community Open Call 🎤 Jan 19th, 2022 Join us!

Keycloak Integration with RocketChat OAuth Handshake Failure

Description

I have a working Keycloak server at https://keys.mydomain.com
This allows me to log in to a bookstack instance I have and everything works as it should.

I have rocket.chat installed using a docker-compose file.

When I go to log in to rocket.chat I get a popup to log in to my keycloak server and it authenticates. I can see the session in keycloak but I get an “unidentified” error in the top right of my browser after the redirect to the rocketchat:3000 url and in the Rocket.chat logs I get:

{“level”:50,“time”:“2021-12-18T00:30:35.867Z”,“pid”:43,“hostname”:“113b6f3eeb8e”,“name”:“System”,“msg”:“Exception while invoking method login ‘Failed to complete OAuth handshake with keycloak at https://keys.mydomain.com/realms/myRealm/protocol/openid-connect/token. unable to verify the first certificate’”}

I have verified that the Site URL is correct as per another post on this topic.

It seems to me like the issue is that the SSL certificate needs to be installed on the root store of the docker container - but I don’t see where to do that on the rocketchat service. I did see that the mongo service has /etc/ssl/certs/ca-certificate.crt and I added my cert manually using bash in the docker container - but no luck.

I double checked the instructions and everything appears to work except for the last step where it needs to verify the cert of https://keys.mydomain.com. Any help would be greatly appreciated.

Server Setup Information

  • Version of Rocket.Chat Server: 4.2.2
  • Operating System: Debian 10
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version: 4.0.26
  • Proxy: none
  • Firewalls involved:

Any additional Information

Hi! Welcome to our forums!!

I have just set myself up this week to install and explore Keycloack in order to help our community better. I have never played around with it.

I’ll bookmark this thread for later this week.

hi!

Were you able to solve this?

I was not able to do some tests with Keycloack as of today. Will try to escalate this internally.

Hey dude
No not yet. I’ll be looking at it again this week tho