REST-API microsoft oauth rest api login from node app

I am using the following configuration in my rocketchat server

Token Path: /oauth2/token
Token Sent Via: Payload
Identity Token Sent Via: Header
Identity Path: /openid/userinfo
Authorize Path: /oauth2/authorize
Scope: openid profile email
Param Name for access token: access_token
Id / Secret: copied
Login Style: Redirect
Key Field: Email

I am able to login using my microsoft account when I login through the rocket chat server address.

When I try to use the login api as part of my node project according to the docs
https://developer.rocket.chat/v1-api/apidocs/login-with-username-and-password

sending the accessToken (for which the scope is myApi), serviceName='microsoft' and expiresIn parameters, I get a 400 bad request error from the /openid/userinfo.
(Invalid audience)

I tried replacing the identity path to https://graph.microsoft.com/oidc/userinfo
but then I get an error since my token doesn't fit graph.

I would like to get the original configuration to work with the login api.
Is that possible?

Would appreciate your assistance realizing why I am getting a bad request error.

"Failed to fetch identity from microsoft at https://login.microsoftonline.com/<tenant_id>/openid/userinfo. failed [400]"

Can you start with some server info as per this.

Have you had a search here on oauth/azure/microsoft?

Details:
OS: AWS EKS Linux
RocketChat version: 3.18.3
Node: v12.22.1 x64
MongoDB: 6.0.10 / wiredTiger (oplog Enabled)
Deployment method: Kubernetes

I tried digging a lot of information online, which is how I came up with the configuration from rocket chat documentation + from this forum (graph attempt) + StackOverflow + GitHub.

Unfortunately, I did not find a way to make it work.

To further add information, I acquire a token on my client side through
`https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token`.
This JWT token includes the user information and an audience which is my API's scope.

When I try to pass in this token to '/api/v1/login' (in a similar manner to OAuth registration/login via API endpoint - Azure AD), if I use '/openid/userinfo' as my identity path configuration of rocket chat server I get the 400 error stated above.

If I use the graph endpoint as my identity path configuration of rocket chat server, as suggested in the other forum post, I get an error stating the audience is not valid for graph.

I would really appreciate your assistance in making the '/openid/userinfo' identity path work.

Important note - I am able to use the login api with the following for example and get a rocket chat token which I can later use in my iframe (using the 'login-with-token' event/externalcommand):

const axios = require('axios');

// username/password login: returns { data: { authToken, userId } } on success
const response = await axios.post(`${RCServer}/api/v1/login`, {
  user: 'someUser',
  password: 'password',
});

The following is what I have issues with (regardless of the usage of headers):

const response = await axios.post(
  `${RCServer}/api/v1/login`,
  {
    serviceName: 'microsoft',
    accessToken: JWTToken,
    expiresIn: 3600,
  },
  {
    // axios takes request headers in its third (config) argument, not in the body
    headers: {
      Authorization: `Bearer ${JWTToken}`,
      'Content-Type': 'application/json',
    },
  },
);

I get the 400 error rather than a token.

Thanks in advance

This is totally unsupported and we can’t help you.

I’m not sure it is even the latest of that version :worried:

Please upgrade to a supported version.

Thanks.

Thank you for the reply,
What version would you suggest we try instead?

Edit:
After going through the documentation, I see you are right, the latest of that version was 3.18.7.
The EOL on 3.18 is Feb 2022 and each version is only supported for 6 months.

Will try to update and check again.

Thanks

We are currently on 6.10

See Upgrading here.

https://docs.rocket.chat/docs/updating-rocketchat-faq

Also note there are a LOT of breaking changes that might affect you so you need a very in depth read of changelogs, terms etc.

Do NOT just leap in and try and upgrade. Do your research first.

How many users do you have?

Thank you, we are just starting out, thinking about implementing RocketChat as part of our app.

Due to the above, there is no migration needed or any effects over the users at this point.

OK. Odd version to pick for testing? Not sure I understand that.

Just bear in mind there were a lot of security holes and bugs back then that have been fixed in newer versions.

It is not advisable to run older versions in production. You also will get no help, except for assistance with migration, unless you are on a supported version.

Thanks.

Hello @reetp,
We are now using version 6.10.0 of rocket chat.

When trying to login with the access token through /api/v1/login we get the following error:
unauthorized 401 with the message:
"Failed to fetch identity from microsoft at https://login.microsoftonline.com/<tenant_id>/openid/userinfo. Bad Request"

When using the microsoft login through the server's url it works, and some bugs we had have been removed with the upgrade of rocket chat; unfortunately the microsoft oauth authentication issue remains.

Authentication with username/password works of course.

Would appreciate any guidance.

Get to 6.10.1 as there is security bug that is fixed.

I need to ask a dev to look at this.

Please be patient.


I just wanted to update you that I created a new node project from scratch + new app registration to double check.

Followed this tutorial

Added a route called '/loginToRocketChat' under auth.js which calls the following code

router.get('/loginToRocketChat', async function (req, res, next) {
  try {
    const response = await axios.post(`https://<my server url>/api/v1/login`, {
      serviceName: 'microsoft',
      // raw token, no "Bearer " prefix: with "Identity Token Sent Via: Header" the server adds the scheme itself
      accessToken: req.session.accessToken,
      expiresIn: 3600,
    });
    res.json(response.data); // hand the Rocket.Chat authToken/userId back to the caller
  } catch (err) {
    next(err);
  }
});

and I still get the same bad request result for identity path /openid/userinfo.
'Failed to fetch identity from microsoft at https://login.microsoftonline.com/<tenant_id>/openid/userinfo. Bad Request'

I verified and this JWT token has the following scopes (using jwt.io):
"scp": "openid profile User.Read email".

I have these permissions on my app registration, and it is configured to use access tokens of course.

I am able to login through rocket chat server url but not through the api.

I tried switching it up with graph urls and received unauthorized errors (used /me and /oidc/userinfo).

In addition to that, with the graph urls set as identity path, I was unable to authenticate from the rocket chat server url as well.

Thanks
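An added check, not code from the thread or from Rocket.Chat, covering the token-audience question in this post and the earlier /api/v1/login call: it decodes the Azure AD access token's aud and scp claims without verifying the signature, reports whether the audience matches the identity endpoint the token will be sent to, and builds the login request with a raw token in the body and headers in axios' config argument. The sample token, the `api://my-api-placeholder` audience and the helper names are constructed assumptions.

```javascript
// base64url helpers: JWT segments are base64url without padding. Node's base64 decoder
// accepts the URL-safe alphabet and missing padding, so decoding needs no translation.
function b64urlDecode(s) {
  return Buffer.from(s, 'base64').toString('utf8');
}
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

// Decode the payload only; signature verification is the resource server's job. The goal
// is to see which audience the token was minted for before it is sent to an identity endpoint.
function decodeJwtClaims(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS token');
  return JSON.parse(b64urlDecode(parts[1]));
}

// Report whether `token` is usable against an identity endpoint that expects `expectedAud`.
// A token minted for your own API scope carries that API as aud, so a userinfo endpoint
// expecting a different audience rejects it: the "invalid audience" 400 seen in the thread.
function checkTokenForIdentity(token, expectedAud, now = Date.now()) {
  const claims = decodeJwtClaims(token);
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  const scopes = (claims.scp || '').split(' ').filter(Boolean);
  return {
    aud,
    scopes,
    hasOpenId: scopes.includes('openid'),
    audienceOk: aud.includes(expectedAud),
    expired: typeof claims.exp === 'number' && claims.exp * 1000 < now,
  };
}

// Shape of the /api/v1/login call: serviceName/accessToken/expiresIn in the JSON body, the
// raw token without a "Bearer " prefix, and HTTP headers in axios' third (config) argument.
function buildLoginRequest(rcServer, accessToken, expiresIn = 3600) {
  return {
    url: `${rcServer}/api/v1/login`,
    body: { serviceName: 'microsoft', accessToken, expiresIn },
    config: { headers: { 'Content-Type': 'application/json' } },
  };
}

// Constructed unsigned sample token (placeholder signature segment) so the example runs offline.
function makeSampleToken(payload) {
  return `${b64urlEncode({ alg: 'RS256', typ: 'JWT' })}.${b64urlEncode(payload)}.placeholder-sig`;
}
const SAMPLE_TOKEN = makeSampleToken({ aud: 'api://my-api-placeholder', scp: 'openid profile email myApi', exp: 4102444800 });
```

Run `checkTokenForIdentity(token, expectedAud)` on the token your client acquired; if `audienceOk` is false for the audience your identity path expects, the userinfo endpoint will reject it regardless of how the login request is shaped.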

A dev is looking at this and I hope will respond this week.

Please be patient.


Also this may help (search for microsoft + oauth)

Unfortunately, I have already tried that to no avail.

Any updates about the Microsoft oauth test by development? :pray:

Nope. I’ve asked.

They’ll respond as and when they can, but they have paying customers they have to support.

The nature of open source.

If you have a subscription with Pro or EE you can obviously contact support directly.

Otherwise be patient and see if someone can solve it.

Thanks, not complaining of course,
just checking in and hoping someone has information/experience in solving this matter.

I’m hoping the “auth” dev will pop in.

See what happens.


Would appreciate it if a developer could assist :pray:
Is this a bug with Microsoft oauth integration or am I doing something wrong?

I’ve chased it up. I can do no more.

FYI

Dev has had a brief look but can’t see anything obvious.

He needs to set up a test rig, but like all of us he’s fighting time.

He’ll get to it when he can.
