Problems with OAuth since upgrading from v. 0.74 to v. 1.03, random logout, chat history not updated

(This has already been posted on GitHub, but remained unnoticed. That’s why I’m trying it here.)

We use OAuth via Keycloak to log in to our server. It worked well up to version 0.74. Then we upgraded to version 1.02 / 1.03 (and now 1.1.1) and the login fails, usually once. If you hit reload on the error page and try to login again, it’s usually successful.
The first login attempt does not generate any logs whatsoever. Do you guys know if it’s an issue with a cached token? I could not find anything in regard to this.

Additionally some of our users are logged out randomly, although the sessions should only be terminated after 72h (end session on window close is OFF). This happens especially if you’re logged in on a desktop client / browser and a mobile device simultaneously.

Some users report that they’re getting notifications about a new message, but the message is not shown in the chat history.

All these issues arose with the upgrade to v. 1.02 which we installed to fix the XSS vulnerability.
(Additionally the mobile clients received another update at exactly the same time and now the app constantly complains that “you have to be logged in to do” … anything. Clearing the app cache fixes this for a few hours until the bug occurs again. The app is now more or less unusable.)

I’ve read about most of these issues (except maybe the issue with OAuth) and I thought that they had already been fixed in '17 / '18.

Server Setup Information

  • Version of Rocket.Chat Server: 1.1.1
  • Operating System: Centos 7 x64
  • Deployment Method: normal install on the system
  • Number of Running Instances: 1
  • DB Replicaset Oplog: ON (Had to be enabled after the upgrade for some reason, even if no replicaset is active. Could this cause an issue?)
  • NodeJS Version: 8.11.3
  • MongoDB Version: 3.6.13
  • Proxy: nginx
  • Firewalls involved: -

Any help is very much appreciated :slight_smile:

Where exactly is it failing in the login process? Does it fail when going to Keycloak to get login or when coming back to

If coming back… any logs?

Hm… I’ve actually seen this. Does it mostly log them out on the desktop?

Android / iOS regular or experimental?

Also regarding posting on issues… did you post like this all as one issue? If so it won’t go anywhere quickly. That I can assure you.

Immediately after you hit the OAuth login button. Depending on the client you should be either redirected to the Keycloak login page or be logged in immediately. The Windows client for example should log you in immediately.
I had the logs in full debug mode running. No entry on the first login attempt.
So you get the “Houston we have a Problem” page. You hit reload and you’re sent back to the login page. You hit the OAuth button again - et voilà - you’re logged in.
The OAuth / Keycloak redirection does not work for the Mac desktop clients. For these users I had to set a password in the RC db and they’re logging in directly to RC.

All other users use OAuth.

It depends. But we have about 100 users here and reports are not completely consistent. I’ve tried to replicate these issues on my machine but didn’t manage it. I’m using the Windows client myself. I only get logged out over night, at least sometimes. The user complaining the most uses Chrome and Firefox on Mac and the Android app. He gets logged out in the middle of the day. He reports that this happens pretty much exactly every 24h, although I’ve set 72h for the sessions. So his 24h time frame always ends somewhere around 11 AM… His Android app is not usable, as with all of our users.

We’re using the full package here (browser versions Win / Mac including Chrome, Firefox, Safari; desktop clients for Windows 7 / 10, Mac OS X 10.4 / 10.6(?); Android and iOS clients (not experimental, since the experimental client supports neither OAuth nor SAML)).

Ehm. Yep. Wrong approach I presume? I did not want to spam like 20 topics with basically old issues that simply seemed to reappear.

For sure. Those tend to not get addressed because they are so overwhelming. Requires someone to sit down and really digest what you said and break it apart. Best advice is to make each issue bite sized and easy to digest and understand and maybe most importantly easy to reproduce.

Maybe you could record a video or something? I’m not understanding exactly what you are saying is happening.

I did what you recommended. At least the first post regarding OAuth got some attention. I’ve managed to produce some logs. Don’t know if it really helps though.

GitHub post OAuth
GitHub post chat history
GitHub post random logout