Description:
I am currently using Authentik as my OIDC/OAuth2 provider, and I've followed the documentation outlined here:
https://integrations.goauthentik.io/chat-communication-collaboration/rocketchat/
I am successfully redirected to authentik, I sign into authentik via Entra ID, but then it doesn't sign into the app. A user is created in the backend so the authentication does have some sort of connection.
Steps to reproduce:
- Set up Custom OAuth2 Provider in Rocket.chat for Authentik as per documentation above
- Sign into rocket.chat with your custom OAuth2, successfully authenticate via Authentik's Entra ID based OAuth source within Federation and Social login
- Redirect back to rocketchat.domain.com
Expected behavior:
After successful authentication via authentik, user is signed into rocket chat app.
Actual behavior:
Redirects back to rocketchat.domain.com/home, without being signed into rocket.chat app. User is created in the admin backend with username: [email protected], email: [email protected]. Status is pending.
Server Setup Information:
- Version of Rocket.Chat Server: 8.1.0
- License Type: Starter
- Number of Users: 1 [testing environment]
- Operating System: Linux Debian 13.1
- Deployment Method: docker compose
- Number of Running Instances: 1
- DB Replicaset Oplog: n/a
- NodeJS Version: 22.16.0 - x64 [container]
- MongoDB Version: 8.2.4 [container]
Client Setup Information
- Desktop App or Browser Version: Chrome Version 144.0.7559.133 (Official Build) (64-bit)
- Operating System: Win 11
Additional context
User is created in rocket.chat admin panel. If I manually reset their password, you can sign in with them via the login form for username:password, but SSO does not sign them in even if they're an active user.
I've disabled all of the verification requirements in settings->accounts->registration tab.
I am currently using this exact same authentication flow successfully on numerous other docker compose based apps, all on the same reverse proxy network (traefik).
Relevant logs:
Network tab after successful sign in to authentik, and redirected back to rocket.chat.

message: {"msg":"result","id":"1","error":{"isClientSafe":true,"error":401,"reason":"User not found","message":"User not found [401]","errorType":"Meteor.Error"}}
success: false