RocketChat and Keycloak uri error in Rocket chat log

RocketChat version 3.4.2 port 3000
Nginx port 443 (is it possible nginx is messing with the URI?)
Lets Encrypt Nginx certificate
OS Ubuntu 18
Local installation on AWS EC2 node
DNS set in GoDaddy

Keycloak version 10.0.2
Lets Encrypt / keystore
OS Ubuntu 18
Local installation on AWS EC2 node
DNS set in GoDaddy

URI setting in Keycloak for rocket-chat client is: https:///_oauth/keycloak

The Keycloak option shows up on the login screen.
When selected, a popup asks for credentials.
It then goes back to the Rocket.Chat login screen without logging in, and a small window appears in the upper right corner which says "Undefined".

Keycloak shows the user with a session token.
However, in the Rocket.Chat log I see this error:

Jul 24 19:09:25 rocket rocketchat[15068]: {"line":"403","file":"oauth_server.js","message":"Error in OAuth Server: Failed to complete OAuth handshake with keycloak at https://keycloak.my-domain:8443/auth/realms/fastslk.com/protocol/openid-connect/token. failed [400] {"error":"invalid_grant","error_description":"Incorrect redirect_uri"}","time":{"$date":1595617765765},"level":"warn"}
Jul 24 19:09:26 rocket rocketchat[15068]: API ➔ debug POST: /api/v1/method.callAnon/login
Jul 24 19:09:26 rocket rocketchat[15068]: API ➔ debug Success {
Jul 24 19:09:26 rocket rocketchat[15068]: statusCode: 200,
Jul 24 19:09:26 rocket rocketchat[15068]: body: {
Jul 24 19:09:26 rocket rocketchat[15068]: message: '{"msg":"result","id":"105","error":{"message":"Failed to complete OAuth handshake with keycloak at https://keycloak.my-domain:8443/auth/realms/fastslk.com/protocol/openid-connect/token. failed [400] {\"error\":\"invalid_grant\",\"error_description\":\"Incorrect redirect_uri\"}","response":{"statusCode":400,"content":"{\"error\":\"invalid_grant\",\"error_description\":\"Incorrect redirect_uri\"}","headers":{"cache-control":"no-store","x-xss-protection":"1; mode=block","pragma":"no-cache","x-frame-options":"SAMEORIGIN","date":"Fri, 24 Jul 2020 19:09:25 GMT","connection":"close","strict-transport-security":"max-age=31536000; includeSubDomains","x-content-type-options":"nosniff","content-type":"application/json","content-length":"70"},"data":{"error":"invalid_grant","error_description":"Incorrect redirect_uri"}}}}',
Jul 24 19:09:26 rocket rocketchat[15068]: success: true

Guide: ://docs.rocket.chat/guides/administrator-guides/authentication/oauth/keycloak

Sounds kinda like either the payload isn’t sent how keycloak expects in the token exchange… or the redirect uri stored in keycloak doesn’t match the redirect uri it’s coming back to.

Can you provide more details on settings?

I followed the guide 99.99% for both the client config and OAuth.
The only change I made was using rocket.domain-com/_oauth/keycloak for the URI instead of the rocket.domain-com/* used in the guide. No luck with either.

I also reviewed rodriq.github.io/GSoC-2019-Interactive-APIs-Docs/administrator-guides/authentication/oauth/keycloak/ which seems to be the same as what I have

Since I am public facing, I added certs to my server configs for both rocket and keycloak.
Is there anything specific in the configs not covered in these 2 guides that I can provide?

Sorry, I have had to hack up the URLs; it seems there is a limit for new users to post.

REALLY appreciate your help

Hi @aaron.ogle ,

Do you have any response on Jmedlin’s concern?

Thanks,
Toan Do

Hi @aaron.ogle,

I'm facing the same issue in the token exchange step. This is my request to Keycloak:

http://localhost:8080/auth/realms/master/protocol/openid-connect/auth?client_id=toantuan&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F_oauth%2Fkeycloak_integration&response_type=code&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJTWjR3U1kyazNkLU5ZSkMzTDdjSXZTb3Fqd0R6bzVuT2dETlI5OGlhczlwIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D&scope=openid

Not sure whether this is a URL encoding issue or not?
Could you please help share your comment on this?

Thanks,
Toan Do

@jmedlin

Did you guys ever find the solution to this? I am facing the same exact problem.

Guys, I have the same problem. Is there a solution?

I bet the General > Site URL configuration is your problem. It must match the domain you are using in the browser, not any random/default value.

HELP! Setting up oauth with keycloack
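As an added example, not code from this thread, from Rocket.Chat or from Keycloak: the check a practitioner would run before touching nginx. It parses the authorization request Toan Do posted (decoding the base64 `state` Rocket.Chat attaches), rebuilds the `redirect_uri` Rocket.Chat derives from Site URL plus `/_oauth/<service name>` (an assumption drawn from the URLs in this thread), and compares it against a Keycloak client's Valid Redirect URIs. Keycloak 10's matching is modelled here as exact match, or prefix match when the registered URI ends in `*`; `rocket.example.org` is a placeholder domain, and the "Site URL left at its default behind an https proxy" scenario is constructed to show why the thread's last answer fixes the `Incorrect redirect_uri` error.

```python
"""Check the redirect_uri Rocket.Chat sends against a Keycloak client's Valid Redirect URIs."""
import base64
import json
from urllib.parse import unquote, urlsplit

# Authorization request quoted from Toan Do's post above; the state value is
# Rocket.Chat's base64-encoded login state.
AUTH_REQUEST = (
    "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth"
    "?client_id=toantuan"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2F_oauth%2Fkeycloak_integration"
    "&response_type=code"
    "&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJTWjR3U1kyazNkLU5Z"
    "SkMzTDdjSXZTb3Fqd0R6bzVuT2dETlI5OGlhczlwIiwiaXNDb3Jkb3ZhIjpmYWxzZX0%3D"
    "&scope=openid"
)


def query_params(url):
    """Split the query string by hand: unquote() leaves '+' alone, whereas parse_qs
    would turn it into a space and corrupt a base64 state value."""
    params = {}
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        params[key] = unquote(value)
    return params


def parse_auth_request(url):
    """Return client_id, the decoded redirect_uri and the decoded state object."""
    params = query_params(url)
    state_b64 = params["state"]
    padded = state_b64 + "=" * (-len(state_b64) % 4)  # tolerate stripped padding
    state = json.loads(base64.b64decode(padded))
    return {"client_id": params["client_id"],
            "redirect_uri": params["redirect_uri"],
            "state": state}


def rocketchat_redirect_uri(site_url, service_name):
    """Redirect URI Rocket.Chat builds for a custom OAuth service: Site URL + /_oauth/
    + the lower-cased service name (assumption based on the URLs in this thread)."""
    return site_url.rstrip("/") + "/_oauth/" + service_name.lower()


def keycloak_accepts(redirect_uri, valid_redirect_uris):
    """Keycloak 10 matching as modelled here: a pattern ending in '*' is a prefix
    match; anything else must match exactly (scheme, host, port and path included)."""
    for pattern in valid_redirect_uris:
        if pattern.endswith("*"):
            if redirect_uri.startswith(pattern[:-1]):
                return True
        elif redirect_uri == pattern:
            return True
    return False


def diagnose(redirect_uri, valid_redirect_uris):
    """List which URL components differ from each registered pattern, so a reverse-proxy
    mismatch (http vs https, :3000 vs :443, wrong host) is visible at a glance."""
    if keycloak_accepts(redirect_uri, valid_redirect_uris):
        return []
    sent = urlsplit(redirect_uri)
    findings = []
    for pattern in valid_redirect_uris:
        want = urlsplit(pattern.rstrip("*"))
        for field in ("scheme", "netloc"):
            got, expected = getattr(sent, field), getattr(want, field)
            if got != expected:
                findings.append(f"{field}: sent {got!r}, client has {expected!r}")
        if not pattern.endswith("*") and sent.path != want.path:
            findings.append(f"path: sent {sent.path!r}, client has {want.path!r}")
    return findings


if __name__ == "__main__":
    req = parse_auth_request(AUTH_REQUEST)
    print("redirect_uri sent:", req["redirect_uri"])
    print("state:", req["state"])
    # Constructed scenario: Rocket.Chat behind nginx on 443, but Site URL left at its
    # default, so the redirect_uri never matches the URI registered in Keycloak.
    registered = ["https://rocket.example.org/_oauth/keycloak"]  # placeholder domain
    for site_url in ("http://localhost:3000", "https://rocket.example.org"):
        uri = rocketchat_redirect_uri(site_url, "keycloak")
        print(site_url, "->", uri, diagnose(uri, registered) or "accepted")
```

Run it against your own authorization URL (copy it from the browser's address bar when the popup opens) and your client's Valid Redirect URIs: the `diagnose` output names the component that differs, which in a TLS-terminating nginx setup is almost always the scheme or the port that Site URL still carries from the unproxied install.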