
[FIX] Custom Oauth login not working with accessToken #14113

Merged
merged 8 commits into from
Apr 15, 2019

Conversation

knrt10
Contributor

@knrt10 knrt10 commented Apr 11, 2019

TODO

  • Check for whitelist fields, somehow make it configurable maybe asking in curl request as an object.

Closes #14108

cc @geekgonecrazy would you please review

@knrt10
Contributor Author

knrt10 commented Apr 12, 2019

@geekgonecrazy I had to add another field for access_token because different services use different params to get identity. Many use access_token, but in the case of GitLab they use private_token. Added functionality for this. Please review.

@ralfbecker
Contributor

I was about to open a similar pull request: 63f6e52
Also using getIdentity to verify the accessToken, though I added another function/request to get the lifetime/expiration of the token, as that was always missing from options. So I used RFC 7662 OAuth 2.0 Token Introspection to query it from the server:

```js
import { HTTP } from 'meteor/http';
import { OAuth } from 'meteor/oauth';
import _ from 'underscore';

// Queries the RFC 7662 token introspection endpoint of the custom OAuth server
// for the token's status and lifetime.
function getTokeninfo(idToken, config) {
	try {
		const introspectPath = '/introspect';	// not yet configurable in Rocket.Chat, though RFC defines that path
		return HTTP.post(
			config.serverURL + introspectPath,
			{
				auth: `${ config.clientId }:${ OAuth.openSecret(config.secret) }`,	// HTTP Basic client authentication
				headers: {
					Accept: 'application/json',
				},
				params: {	// sent as the form-encoded request body
					token: idToken,
					token_type_hint: 'access_token',
				},
			}).data;
	} catch (err) {
		throw _.extend(new Error(`Failed to fetch tokeninfo from custom OAuth ${ config.service }. ${ err.message }`), { response: err.response });
	}
}
```

That of course requires the server to implement that OAuth 2 extension.

I will try this pull request and report back if that allows me to access the Rocket.Chat API with an accessToken from my server.

Ralf

@geekgonecrazy
Contributor

geekgonecrazy commented Apr 12, 2019

Note on introspection: it for sure will need to be configurable: https://www.oauth.com/oauth2-servers/token-introspection-endpoint/ here they are using /token_info

in the rfc they use: /introspect - https://tools.ietf.org/html/rfc7662

Maybe have a setting; if "" then don't use introspect, since the OAuth provider probably hasn't implemented it.
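Worked example, added here and not code from this pull request or from Rocket.Chat: how the introspection call from the earlier comment could be made to honour the empty-setting convention proposed above, and how an RFC 7662 response yields the expiresIn value that the login options otherwise lack. It builds the request instead of sending it so it runs offline; the config field names, a plaintext secret and the sample response are assumptions.

```javascript
// Added example (not Rocket.Chat code): configurable RFC 7662 introspection.
// Field names (introspectPath, clientId, secret, serverURL) are assumptions;
// the client secret is assumed to already be plaintext.

// Build the introspection request (RFC 7662 section 2.1): POST to the
// endpoint, client credentials via HTTP Basic, token in a form body.
// Returns null when introspectPath is empty, i.e. the provider has no
// introspection endpoint and the check must be skipped.
function buildIntrospectionRequest(config, accessToken) {
  if (!config.introspectPath) {
    return null;
  }
  const creds = Buffer.from(`${config.clientId}:${config.secret}`).toString('base64');
  return {
    method: 'POST',
    url: config.serverURL.replace(/\/+$/, '') + config.introspectPath,
    headers: {
      Authorization: `Basic ${creds}`,
      Accept: 'application/json',
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: new URLSearchParams({ token: accessToken, token_type_hint: 'access_token' }).toString(),
  };
}

// Interpret the introspection response (RFC 7662 section 2.2): the token is
// usable only if active, unexpired and (when checked) issued to our client.
// On success the remaining lifetime in seconds is the expiresIn the login
// options otherwise lack.
function evaluateIntrospection(response, nowSeconds, expectedClientId) {
  if (response.active !== true) return { ok: false, reason: 'inactive' };
  if (typeof response.exp !== 'number') return { ok: false, reason: 'no-exp' };
  const expiresIn = response.exp - nowSeconds;
  if (expiresIn <= 0) return { ok: false, reason: 'expired' };
  if (expectedClientId && response.client_id !== expectedClientId) {
    return { ok: false, reason: 'wrong-client' };
  }
  return { ok: true, expiresIn };
}

// Constructed sample config and introspection response (not from any real provider).
const sampleConfig = { serverURL: 'https://oauth.example.test/', clientId: 'rocketchat', secret: 'shhh', introspectPath: '/introspect' };
const sampleResponse = { active: true, client_id: 'rocketchat', scope: 'openid', exp: 1555000600, sub: 'ralf' };
```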

geekgonecrazy and others added 4 commits April 12, 2019 12:56
Remove some coffeescript console.log that were commented out
Make the addHookToProcessUser use the username field from the identity that we picked out
…ack so our BeforeUpdateOrCreateUserFromExternalService is ran in custom oauth
@geekgonecrazy
Contributor

@knrt10 made a few adjustments, it now works :)

@geekgonecrazy geekgonecrazy changed the title [WIP] Custom Oauth login with provider access Token [Improvement] Custom Oauth login with provider access Token Apr 12, 2019
@geekgonecrazy geekgonecrazy changed the title [Improvement] Custom Oauth login with provider access Token [FIX] Custom Oauth login not working with accessToken Apr 12, 2019
@engelgabriel engelgabriel added this to the 1.0.0 milestone Apr 12, 2019
@geekgonecrazy
Contributor

This is looking good 👍 I'll give it another pass.

@ralfbecker if you get a chance, definitely give this a go and see if it works for your case as well.

@ralfbecker
Contributor

A quick update: this pull request does not fix my issue, which is Rocket.Chat API access with an accessToken and custom OAuth. It seems the custom OAuth does NOT get registered in AccessTokenServices if it's called via the API.
I will try to create an app/lib/server/oauth/custom.js, as in my planned pull request https://github.com/EGroupware/Rocket.Chat/commit/63f6e52fc8b01449dd2cd392ed7e0a129283ee47, but only register knrt10's custom OAuth there.
Any idea how I should supply that? I can't commit to this pull request. I could make another pull request to knrt10's issue14108 branch.
I'll keep you posted.

@knrt10
Contributor Author

knrt10 commented Apr 13, 2019

@ralfbecker can you specify your process to access the API using token?

@knrt10
Contributor Author

knrt10 commented Apr 13, 2019

Did you follow this step? I am giving an example for GitHub. You need to go to Admin, OAuth, create a new OAuth and just fill in the URL endpoint and identity input boxes; for GitHub the URL is https://api.github.com and the identity is /user.

Now go and create an access token from your GitHub account and use it in your request like this:

```sh
curl -H "Content-type:application/json" \
  http://localhost:3000/api/v1/login \
  -d '{ "serviceName": "yourServiceName", "accessToken": "token", "expiresIn": 200 }'
```

Also, yourServiceName will be the name of your new OAuth service; also enable both accessToken and OAuth before using it.

@ralfbecker
Contributor

I believe I do exactly the same. Config in Rocket.Chat is like in my README. And I get the exception from here: https://github.com/knrt10/Rocket.Chat/blob/issue14108/app/lib/server/oauth/oauth.js#L31
If I inspect AccessTokenServices in the debugger, only facebook, google and twitter from that directory are registered.
Ralf

@knrt10
Contributor Author

knrt10 commented Apr 13, 2019

It should work, did you rebase onto the latest changes? I mean some changes were made quite recently. Let me try once for this.

@knrt10
Contributor Author

knrt10 commented Apr 13, 2019

@ralfbecker It's working, I found the error: even if you set the name as EGroupware it will be converted to lowercase, so you should try like this:

```sh
curl -H "Content-type:application/json" \
  http://localhost:3000/api/v1/login \
  -d '{ "serviceName": "egroupware", "accessToken": "token", "expiresIn": 200 }'
```

Notice the name is egroupware, not EGroupware. Proof of it working:

Working

My access token is wrong, so an error

@ralfbecker
Contributor

That is not the problem, I already use "egroupware" as serviceName.

I just verified that, for some reason, I made a mistake in merging your pull request.

I'll redo it and let you know.

Ralf

@knrt10
Contributor Author

knrt10 commented Apr 13, 2019

Sure, no problem, we need testing for this feature. Thank you for helping ✌️

@ralfbecker
Contributor

Ok, I can now make requests to the Rocket.Chat API with my own server's access tokens :)

I need to check if my pull request #14121 is still necessary and if the refreshToken is used.

@geekgonecrazy
Contributor

Awesome! Glad you were able to test and get it working!

@geekgonecrazy geekgonecrazy merged commit ea8bb4b into RocketChat:develop Apr 15, 2019
@rodrigok rodrigok mentioned this pull request Apr 28, 2019
@charafsalmi

Hi,

Is it possible to do it now? I mean, use the REST API with a Keycloak JWT token?

Thanks,

Successfully merging this pull request may close these issues.

Custom Oauth login with provider access Token