I can't set up OAuth with Office365, please help. Is OAuth2 not compatible or supported?
Rocket.Chat Version: 0.54.2
Running Instances: 1
DB Replicaset OpLog: Disabled
Node Version: v4.5.0
URL: https://login.microsoftonline.com/common
token path: /oauth2/token
identity path: /me
authorize path: /oauth2/authorize
scope: openid
username field: userPrinciplename
and the correct callback url with id and secret configured
Same issue. First it launches and looks like it's going to work, then it says internal server error.
SAML for O365 works; I just can't get OAuth to work, which we need for outside users.
Got this error
oauth.js:431) Error in OAuth Server: Failed to fetch identity from office365 at https://login.microsoftonline.com/me. failed [404]
I20170412-19:44:06.805(0) Exception while invoking method 'login' Error: Failed to fetch identity from office365 at https://login.microsoftonline.com/me. failed [404] at CustomOAuth.getIdentity (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:198:17) at Object.handleOauthRequest (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:214:25) at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31) at middleware (packages/oauth.js:203:5) at packages/oauth.js:176:5
Now this error:
Exception while invoking method 'login' Error: Failed to complete OAuth handshake with oauthoffice365 at https://login.microsoftonline.com/common/oauth2/token. failed [400] {"error":"invalid_grant","error_description":"AADSTS70000: Transmission data parser failure: Authorization Code is malformed or invalid
I don't believe /me is the proper identity path. Actually, digging through, I'm not finding such an equivalent route.
Microsoft's authentication services are a bit of a mess. They've been doing a bit better in recent years.
If you can find the identity path in their documentation somewhere you could probably get this to work. Otherwise I think we're going to have to add one specifically for Office365.
Thanks.
I tried to use Outlook as the identity URL to get the identity, because that is how I saw some other apps grab the identity, but that didn't work either. Specifically https://outlook.office365.com/api/v1.0/me because it looked similar to your example.
In fact, this is the error when I tried the identity URL above:
Exception while invoking method 'login' Error: Failed to fetch identity from oauthoffice365 at https://outlook.office365.com/api/v1.0/me. failed [401] at CustomOAuth.getIdentity (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:198:17) at Object.handleOauthRequest (/opt/Rocket.Chat/programs/server/packages/rocketchat_custom-oauth.js:214:25) at OAuth._requestHandlers.(anonymous function) (packages/oauth2.js:27:31) at middleware (packages/oauth.js:203:5) at packages/oauth.js:176:5
@bluenevus how did you generate your OAuth client ID / secret? There seem to be dozens of different instruction sets floating around. All of them about as clear as mud. :grin: I remember at one point having to set things up via Azure AD. But then I thought there was a more recent set that was almost a wizard via the Graph API.
Go to Microsoft app dev here: https://apps.dev.microsoft.com/
Register your app much like you would in Facebook, Twitter or GitHub. It will generate a client ID and secret. Put your callback URL there.
It's pretty much the common Microsoft login, whether O365, Live, etc.
The endpoint seems to be: https://login.microsoftonline.com/common/openid/userinfo
Found here: https://login.microsoftonline.com/common/.well-known/openid-configuration
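The discovery document named above carries the authorize, token and userinfo endpoints, which map one-to-one onto the URL / authorize path / token path / identity path fields used in this thread. The following is an added example, not Rocket.Chat's own code: it derives those fields from a constructed discovery document shaped like the real one, checks the callback URL against the HTTPS and `/_oauth/<name>` requirements discussed later in the thread, and builds the first authorization-code redirect with a fresh `state` value. The field names, the sample document values and the `client-id-placeholder` are assumptions.

```python
import json
import secrets
from urllib.parse import urlencode, urlparse

# Constructed sample: the subset of fields a real OpenID discovery document
# publishes. Values are illustrative, not captured from Microsoft.
DISCOVERY_DOC = json.dumps({
    "authorization_endpoint": "https://login.microsoftonline.com/common/oauth2/authorize",
    "token_endpoint": "https://login.microsoftonline.com/common/oauth2/token",
    "userinfo_endpoint": "https://login.microsoftonline.com/common/openid/userinfo",
    "scopes_supported": ["openid"],
})

def split_endpoint(url, base):
    """Return the path of `url` relative to `base`; refuse endpoints hosted elsewhere."""
    if not url.startswith(base):
        raise ValueError(f"{url} is not under {base}")
    return url[len(base):]

def custom_oauth_fields(discovery_json, base):
    """Map a discovery document onto the custom-OAuth form fields used in the thread
    (URL, authorize path, token path, identity path, scope). Field names are assumed."""
    doc = json.loads(discovery_json)
    return {
        "url": base,
        "authorize_path": split_endpoint(doc["authorization_endpoint"], base),
        "token_path": split_endpoint(doc["token_endpoint"], base),
        "identity_path": split_endpoint(doc["userinfo_endpoint"], base),
        "scope": " ".join(doc.get("scopes_supported", ["openid"])),
    }

def check_callback(callback_url, provider_name):
    """Enforce the two callback requirements raised in the thread:
    the scheme must be https and the path must be /_oauth/<provider name>."""
    u = urlparse(callback_url)
    if u.scheme != "https":
        return False, "callback must be https"
    if u.path != f"/_oauth/{provider_name}":
        return False, f"callback path must be /_oauth/{provider_name}"
    return True, "ok"

def authorize_url(fields, client_id, callback_url):
    """Build the first redirect of the authorization-code flow. The random `state`
    is returned so the caller can bind it to the session and compare it on return."""
    state = secrets.token_urlsafe(16)
    query = urlencode({"client_id": client_id, "response_type": "code",
                       "redirect_uri": callback_url, "scope": fields["scope"],
                       "state": state})
    return fields["url"] + fields["authorize_path"] + "?" + query, state
```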
Worked like a champ. We have been struggling for weeks with calls to Microsoft on this. Thank you, thank you, thank you. You have an amazing product we are trying to pilot.
@bluenevus perfect! What fields did you end up with? That way we can pass the knowledge forward for others :grin:
For oauth
I've managed to duplicate everything except a successful login :grin:
Here's what I have on my app page on Microsoft.


Is there something missing from here?
Has to be HTTPS. Will not work with HTTP.
Hi,
I always receive the following:
Error in OAuth Server: Failed to fetch identity from o365 at https://login.microsoftonline.com/common/openid/userinfo. failed [400]
@geekgonecrazy @bluenevus
The endpoint doesn't seem to work. Is it still working for you?
Hi,
For my part, with the same config mentioned above, I get the following error:
Exception while invoking method 'login' Error: Failed to complete OAuth handshake with o365 at https://login.microsoftonline.com/common/oauth2/token. failed [400]
Did somebody make it work?
This is your problem.

It has to be HTTPS.


Your redirect URL on O365 will need to be https://your.rocketchat-server.com/_oauth/CustomOAuthNAME
Doing a localhost will be problematic. If you want to do that, put a reverse proxy in front so you are going out and in on HTTPS on 443, not 3000.
It works... we have it working this way.
We definitely need to turn this in to a doc. I think this would be incredibly useful.
I don't know what I'm doing wrong, but it's still not working for me. I'm using exactly the settings you were screenshotting, but no success. It would be so nice to have O365 as an officially tested OAuth provider in Rocket.Chat.
The problem is you are on localhost on HTTP vs. a domain up on HTTPS port 443.
Still not working for me either, with the same config and HTTPS with a domain.
I will give it other tries next week.
Hi,
@bluenevus that's not right. I'm a different person :D We are using HTTPS on an FQDN. This is what my config looks like:


And this is what I get in my log:

I have followed the steps above and can successfully authenticate but it fails when trying to return to the redirect URL. After authenticating, the authentication screen hangs while trying to return back to the redirect URL listed at apps.microsoft.com.
I'm setting the redirect URL to the same as the callback URL listed in my custom OAuth:
https://rapchat-dev.corp.*.net/_oauth/azuread
When I try to connect to the Callback URL listed in RocketChat, it works fine until I add an entry to the URL field. Once, I add https://login.microsoftonline.com/common to the URL field, I can no longer connect to the Callback URL and instead receive a timeout error.
I've attached a screenshot of the configuration in RocketChat. I've set the redirect URL at apps.microsoft.com to match the callback URL.
Thanks for your help!
Do you have all of the other values like this image?
Your callback URL that you set up in Office365 comes from this statement here at the top of the OAuth configuration screen below:
"When setting up your OAuth Provider, you'll have to inform a Callback URL. Use..."
It has to be HTTPS
Yes, we are using HTTPS and I believe I've matched all of the entries. I've pasted screenshots of my RocketChat setup, apps.microsoft.com setup screen, as well as the gateway timeout that occurs after I successfully authenticate.
It seems that Office365 is set to use the body (payload) for the authorize and token and then the header for subsequent requests. Could you add the option to set "Token Sent Via" to something different for the identity request vs the Authorize and Token requests?
@jmoont We can try. @mrinaldhar will start working on OAuth improvements soon, he will be able to answer this question soon.
That sounds great but I'd like to confirm my idea (and get it working sooner!) - I've got RocketChat running on docker, on Ubuntu, on AWS - is there a way to build a version and deploy to the container or edit/hack the code on the container? Thanks.
Ok - I worked it out - edited/hacked it on my docker container and it's working :)
@jmoont Can you show me what exactly you did? So I can try to fix it ASAP
So I just commented out the case statement for the identity so that it used the header and then set my custom oauth to use the payload for the initial requests. This is obviously a hack to get it working but having the option to use a different "Token Sent Via" for the identity request vs the authorize and token ones would be a generic fix.
@jmoont can you check if this PR solves your problem https://github.com/RocketChat/Rocket.Chat/pull/9034 ?
Yes - works well. Thank you for the quick turnaround.
Below are my settings for the app I set up in Azure Active Directory.

Awesome, thanks @jmoont
@jmoont Hi, just one more little question: do you also know what to put into "Username field"? Right now Rocket.Chat is not recognizing the email address of the authenticating user.
Kind regards
@JannikZed
userPrinciplename
@JannikZed if you need to set up email as Username you can use upn or any of the fields of the JWT token found here: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-protocols-oauth-code#jwt-token-claims
@alincalinciuc I used upn, but according to ticket #10196 @ is not an allowed character in usernames.
I did find that you can also use "name", which returns the user's full name with a space, however, then mentions are broken (see ticket #7280).
I figured I would mention it here in case anyone didn't realize that you can actually leave the username field blank, and RocketChat will prompt the user at initial login.
It would be nice if there was some way to automatically set a consistent username, with functional mentions, though. Is there any way to combine multiple fields? I tried a few variations like {given_name}.{last_name} but couldn't find anything which worked.
I referred this constraint to a feature request here: #11647
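The last few comments describe the username mapping problem: `upn` contains `@`, which the username rules reject, and `name` contains a space, which breaks mentions, while combining claims such as `{given_name}.{family_name}` is not supported by the field. The following is an added example, not Rocket.Chat's code, of what such a combining rule would look like when done outside the product: it reads the claims of an ID token and derives a mention-safe username, falling back from a template to the local part of `upn` and then to `name`. The allowed-character pattern, the template and the sample claims are assumptions; the token is constructed and unsigned, and the decoder inspects claims only, leaving signature verification to the OAuth library that obtained the token.

```python
import base64
import json
import re

# Assumed allowed-character set for a chat username: the thread says '@' is
# rejected and spaces break mentions; this exact pattern is our illustrative choice.
USERNAME_RE = re.compile(r"[^0-9a-zA-Z._-]")

def jwt_claims(id_token):
    """Decode the claims segment of a JWT for inspection only.
    This does NOT verify the signature; call it only on a token the OAuth
    library has already validated."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def sanitize(value):
    """Lower-case, turn whitespace runs into dots, drop anything outside the pattern."""
    value = re.sub(r"\s+", ".", value.strip().lower())
    value = USERNAME_RE.sub("", value)
    return value.strip(".") or None

def derive_username(claims, template="{given_name}.{family_name}"):
    """Build a mention-safe username from ID-token claims.
    Preference order: the template (e.g. first.last), then the local part of
    `upn` (before the '@'), then `name`; None if nothing usable remains."""
    try:
        candidate = sanitize(template.format(**claims))
        if candidate:
            return candidate
    except KeyError:
        pass                                       # a template claim is absent
    upn = claims.get("upn") or claims.get("unique_name") or ""
    if "@" in upn:
        local = sanitize(upn.split("@", 1)[0])
        if local:
            return local
    return sanitize(claims.get("name", ""))

def make_sample_token(claims):
    """Constructed, unsigned sample token for the demo; the signature segment is a placeholder."""
    header = base64.urlsafe_b64encode(b'{"alg":"none"}').rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.placeholder-signature"

# Constructed sample claims mirroring the v1 claim names the thread points at.
SAMPLE_CLAIMS = {"upn": "jane.doe@example.com", "name": "Jane Doe",
                 "given_name": "Jane", "family_name": "Doe"}
```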