Rocket.chat: Oauth2 (auth0) users can't log in

Two RC are used to test OAuth login, but an error is reported

me too
If a user only registers server a, uses mailbox [email protected], and then OAuth logs in to server B, the problem is that the two server administrator accounts use the same mailbox, the above error will appear, and the administrator account cannot log in again. This is a bug

I see the same bug with a different oauth2 provider (custom oauth).

same bug: #18255, #17307

Is there any reaction to this? This is a show stopper for us. Users simply can't login.

I've been manually updating the user records in Mongo to mitigate this. 😒

Thank you @aforsythe. This is a big problem. We have reproduced this behavior repeatedly, as we doubly- and triply-checked to make sure we had not configured something incorrectly. It is exactly as described above. (Except that we are using OAuth2 with google.)

Seems OAuth2 should not be advertised as something RC can do, when it in fact cannot. Other features are flagged as "beta" in the settings panel. Perhaps this one should be as well?

Any idea on timeline of resolution?

@tofr This is exceedingly frustrating. The rocketchat team even gave specific instructions on how to set this up with my provider (auth0) here https://forums.rocket.chat/t/anyone-auth0-sso-experience/2060/8

I'm wondering if SAML might work better but frankly I don't know where to start to set that up.

Workaround

db.users.update(
  {
      _id: '{Affected_User_Id_Or_Omit_For_All}',
    },
    {
      $set: {
        requirePasswordChange: false
      }
    }
);

@adraut Sorry but how does one go about implementing this workaround?

Is the error still present on the latest version of Rocket.Chat? I've tested it with multiple OAuths (Including Auth0) but I was unable to replicate it.

@pierre-lehnen-rc I'm on 3.6.2 because that's what appears to be in the snap channel.. Issue still exists in 3.6.2.

User attempts to login 1st time, gets thrown back to login screen with no message, attempts to login 2nd time and recieves "This email has already been used and has not been verified. Please change your password. Type your new password"

@pierre-lehnen-rc when can we expect 3.7 to be in the snap channel so I can check that?

I was just able to reproduce this on version 3.7.1.

@pierre-lehnen-rc Any updates? Seems like others can reproduce on the latest version.

The same thing. Same error message with my custom openid provider. I can see that rocket chat does not take into account email_verified field from USERINFO openid endpoint. But it should. And when creating user with email_verified eq TRUE it should not ask user to verify email again.

I think I found solution. You need to go to /admin/Accounts settings, then Registration tab and check Verify Email for External Accounts. Then new users will be created with email verified set to true and error is gone

I thinks this is bug, because if checkbox is checked (active), email verified flag must be false, and otherwise true. It must be fixed somewhere here https://github.com/RocketChat/Rocket.Chat/blob/develop/app/authentication/server/startup/index.js#L180

This work around sorta works ... on the first login attempt the user is kicked back to the login window as they always have been. On the second, and subsequent attempts they can get in. Obviously this is still a bug.

Any news on this?
Have this bug with an custom oauth provider and gitlab as oauth provider.
Rocketchat Version is 3.7.1.

Actually i use the workaround from https://github.com/RocketChat/Rocket.Chat/issues/18391#issuecomment-703113449

We're on 3.9.1, and still seeing this issue. Our user records are marked as verified, and we still see this. I finally setup a cron job to run this script every minute: mongo rocketchat --eval 'db.users.updateMany({ requirePasswordChange: true, requirePasswordChangeReason: { $exists: true } }, {$set: { requirePasswordChange: false}, $unset: { requirePasswordChangeReason: 1 } })'.

This has become a HUGE issue for our rollout. We are working around it by logging in as Admin and toggling the "Verify email" fag for the user affected. However if this continues to happen we may be forced to roll back our implementation.

Custom OAuth using AzureAD, RC 3.9.1

I've had this issue too. But I seem to have fixed it with this configuration:
Go to Administration > Users > Registration, disable "require name for signup" and "require password verify" (is handled by the oauth anyway). Make sure that "verify external email" is set to on, as otherwise the email addressed won't be marked as verified upon registration. Sometimes I got a "enter your verification code" dialog. So I've also disabled auto opt-in for two factor email verification just in case. But I am not sure if this is realated.

I have another issue with nextcloud OAuth login. Actually two issues. First, if I use the built-in nextcloud OAuth config, that login button is not shown in the RC iOS app. So I've set up a custom OAuth handler which is doing fine. Except, every successful login is logged as a failed login attempt in nextcloud. Resulting in the brute-force app to block all connections to RC and making the OAuth login impossible. An "udefined" error is shown in the top right corner and the console shows "websocket connection timeout".
Can this be related to the way RC implements OAuth? Idk. maybe not completing the handshake or similar? I ask because using the same nextcloud instance on a Wekan OAuth login form works just fine.

Also, see my comment on the related brute-force nextcloud app:
https://github.com/nextcloud/bruteforcesettings/issues/223#issuecomment-750880392

We got this issue with brand new RC Oauth-endpoint-config. Old endpoints don't seem to be affected.