OAuth2 Partially Working - Rocket.Chat->G Suite SAML App

[timmy-mac]

Hi there,

I've been trying to get this working for a while and have gotten a little closer since update to OAuth2 docs in Wiki - thanks! I have Rocket.Chat authenticating with Google's G Suite using SAML.

Currently, I can get logged in to Wekan via the 'Sign in with Oidc' button only if I'm already logged into Rocket.Chat. If I'm not yet logged in, it looks as though nothing happens. However, a 'successful' login is registered both in the Rocket.Chat logs and in the Google Admin Console. There is no interesting output from "sudo snap logs wekan.wekan"...

See below:

Doesn't 'do anything'

..but if I log in to Rocket.Chat first...

...Wekan logs in fine.

Any ideas? :-)

Thanks again,
Tim

[xet7]

Yes that's correct, when using Rocket.Chat as authentication provider, you need to be first logged into Rocket.Chat fist.

If you would like to use Google login directly with Wekan, there are these alternatives:

• Install Sandstorm that has SAML login and Sandstorm Wekan version. This would be easiest.
• Try to configure Google OIDC OAuth2 with Standalone Wekan OIDC. I have not tried this yet.
• There is also Open Source Keycloak identity provider as alternative to Google SAML, but currently there is problems configuring it.

[xet7]

To get any debug logs, you first need to do:

sudo snap set wekan debug='true'

[timmy-mac]

Just so we definitely understand one another, I've edited to update my first gif (I hadn't noticed that I was recording just the chrome tab, so missed the pop-up login box!)...

Still nothing in sudo snap logs wekan.wekan...

Tim

[timmy-mac]

...and tried again with first gif - apologies!

[timmy-mac]

I still don't really know what I'm doing here but I have found a different behaviour that, I think, demonstrates that there is a problem, either with my config or with how Wekan initiates the oauth2 login to rocket chat.

In this gif, I demonstrate two different behaviours. The first is the 'usual' behaviour - login window popup with the url:

https://chat.withtheprogram.net/oauth/authorize?loginStyle=popup&client_id=NXXXXremovedXXXXLJpx&response_type=code&redirect_uri=https%3A%2F%2Fwekan.withtheprogram.net%2F_oauth%2Foidc&state=eyJsb2dpblN0XXXXXXXXXXXXXremovedXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXpmYWxzZX0%3D&scope=openid

I click login and nothing much happens. Neither Rocket.Chat or Wekan get logged in (though the upstream SAML IdP logs a successful login attempt). Some logs in Rocket Chat but nothing in Wekan. It's like the login attempt never happened.

The second part of the gif shows a different behaviour. When I copy the above link into a new Chrome tab and hit the login button there, Rocket.Chat does get logged in and there are successful looking logs in both Rocket.Chat and Wekan finishing with:

2019-05-05T05:59:54Z wekan.wekan[29194]: XXX: profile: { name: 't.mcxxrdy', email: 't.mclxxxdy@xxxxxacademy.org' }

I still have to hit oidc login again in Wekan to get logged in though... :-)