Custom OAuth2 Sign in - user successfully authenticates, creates backend user but isn't logged into rocket.chat app #38722

@trimacdo

Description:

I am currently using Authentik as my OIDC/OAuth2 provider; I've followed the documentation outlined here:
https://integrations.goauthentik.io/chat-communication-collaboration/rocketchat/

I am successfully redirected to authentik, I sign into authentik via Entra ID, but then it doesn't sign into the app. A user is created in the backend so the authentication does have some sort of connection.

Steps to reproduce:

  1. Set up a Custom OAuth2 Provider in Rocket.Chat for Authentik as per the documentation above
  2. Sign into rocket.chat with your custom OAuth2, successfully authenticate via Authentik's Entra ID based OAuth source within Federation and Social login
  3. Redirect back to rocketchat.domain.com

Expected behavior:

After successful authentication via authentik, the user is signed into the Rocket.Chat app.

Actual behavior:

Redirects back to rocketchat.domain.com/home without being signed into the rocket.chat app. A user is created in the admin backend with username: [email protected], email: [email protected]. Status is pending.

Server Setup Information:

  • Version of Rocket.Chat Server: 8.1.0
  • License Type: Starter
  • Number of Users: 1 [testing environment]
  • Operating System: Linux Debian 13.1
  • Deployment Method: docker compose
  • Number of Running Instances: 1
  • DB Replicaset Oplog: n/a
  • NodeJS Version: 22.16.0 - x64 [container]
  • MongoDB Version: 8.2.4 [container]

Client Setup Information

  • Desktop App or Browser Version: Chrome Version 144.0.7559.133 (Official Build) (64-bit)
  • Operating System: Win 11

Additional context

The user is created in the rocket.chat admin panel; if I manually reset their password, I can sign in with them via the login form (username:password), but SSO does not sign them in even if they're an active user.

I've disabled all of the verification requirements in settings->accounts->registration tab.

I am currently using this exact same authentication flow successfully on numerous other docker compose based apps, all on the same reverse proxy network (traefik).

Relevant logs:
Network tab after a successful sign-in to authentik and the redirect back to rocket.chat:

message: {"msg":"result","id":"1","error":{"isClientSafe":true,"error":401,"reason":"User not found","message":"User not found [401]","errorType":"Meteor.Error"}}
success: false
