Existing users can't login via OAuth/Keycloak

[highpingblorg]

Description:

To initially access Rocketchat, users must log in through Keycloak, which is how accounts are provisioned. This functionality generally works without issue.

However, the problem arises seemingly at random. Users with existing Keycloak-created accounts are sometimes unable to successfully log in to Rocketchat. There are no error messages, password update prompts, or other indications of the issue. When the user attempts to log in through Keycloak, they are simply redirected back to the login page without gaining access.

According to Keycloak, these users have an active session for Rocketchat, but no corresponding cookies or tokens are set in the browser. As a result, the users cannot log in.

This issue forces the administrator to manually provision local Rocketchat accounts by manually resetting their password for affected users through the UI, which is an undesirable workaround.

I've tried reproducing this bug but I can't seem to find the exact cause.

Steps to reproduce:

1. Have a Rocketchat instance with Keycloak as the OAuth provider
2. Create an account via OAuth
3. Re-log in and get denied access -> No idea what the cause of this

Expected behavior:

The expected behavior is that the user is logged in successfully.

Actual behavior:

Unsuccessful log in to Rocketchat

Server Setup Information:

• Version of Rocket.Chat Server: 7.0.0
• Number of Users: 300+
• NodeJS Version: v20.18.1
• MongoDB Version: 7.0.15 / wiredTiger (oplog Enabled)

Client Setup Information

Happens in different browsers, on different versions and different operating systems.

Additional context

This issue has been around for at least 1.5-2 years, the user was able to log in fine via Keycloak until that bug occurred, no configuration settings were modified in either Rocketchat or Keycloak for affected users.

[Priyanshuthapliyal2005]

Yeah i faced same issue today one time of not logging in it doing reconnecting again and again
but after 15-20 minutes i able to login

[reetp]

Please check with 7.0.1

[reetp]

Please check with 7.0.1

Even better you should test with 7.1.0 - as per the bug guidelines "always test on the latest release"

[phagemann]

Same behavior as @highpingblorg described.
Every time a login does not complete, RocketChat log states as follows:

{
"level":50,
"time":"2025-01-09T07:20:11.715Z",
"pid":9,
"hostname":"<DOMAIN>",
"name":"System",
"msg":"Exception while invoking method login",
"err":
  {
    "type":"Error",
    "message":"remove +  is not available on the server. Please use removeAsync() instead.",
    "stack":"Error: remove +  is not available on the server. Please use removeAsync() instead.
            at Object.ret.<computed> [as remove] (packages/mongo/remote_collection_driver.js:53:15)
            at Collection.remove (packages/mongo/collection.js:1016:29)
            at Collection.Mongo.Collection.<computed> [as remove] (packages/dispatch_run-as-user.js:346:17)
            at Object.OAuth._retrievePendingCredential (app/2fa/server/loginHandler.ts:88:29)
            at processTicksAndRejections (node:internal/process/task_queues:95:5)
            at MethodInvocation.<anonymous> (packages/accounts-oauth/oauth_server.js:18:18)
            at packages/accounts-base/accounts_server.js:593:9
            at tryLoginMethod (packages/accounts-base/accounts_server.js:1560:14)
            at AccountsServer._runLoginHandlers (packages/accounts-base/accounts_server.js:592:22)
            at AccountsServer.Accounts._runLoginHandlers (app/lib/server/lib/loginErrorMessageOverride.ts:9:17)
            at MethodInvocation.methods.login (packages/accounts-base/accounts_server.js:654:22)"
   }
}

Tested against 7.2
Running MongoDB 6

[reetp]

Thanks for testing.

I'll refer to the team.