Oauth2 (auth0) users can't log in #18391
Comments
Two RC are used to test OAuth login, but an error is reported me too |
Is there any reaction to this? This is a show stopper for us. Users simply can't login. |
I've been manually updating the user records in Mongo to mitigate this. 😒 |
Thank you @aforsythe. This is a big problem. We have reproduced this behavior repeatedly, as we doubly- and triply-checked to make sure we had not configured something incorrectly. It is exactly as described above. (Except that we are using OAuth2 with google.) Seems OAuth2 should not be advertised as something RC can do, when it in fact cannot. Other features are flagged as "beta" in the settings panel. Perhaps this one should be as well? Any idea on timeline of resolution? |
@tofr This is exceedingly frustrating. The rocketchat team even gave specific instructions on how to set this up with my provider (auth0) here https://forums.rocket.chat/t/anyone-auth0-sso-experience/2060/8 I'm wondering if SAML might work better but frankly I don't know where to start to set that up. |
Workaround
|
@adraut Sorry but how does one go about implementing this workaround? |
Is the error still present on the latest version of Rocket.Chat? I've tested it with multiple OAuths (Including Auth0) but I was unable to replicate it. |
@pierre-lehnen-rc I'm on 3.6.2 because that's what appears to be in the snap channel. Issue still exists in 3.6.2. User attempts to login 1st time, gets thrown back to login screen with no message, attempts to login 2nd time and receives "This email has already been used and has not been verified. Please change your password. Type your new password" |
@pierre-lehnen-rc when can we expect 3.7 to be in the snap channel so I can check that? |
I was just able to reproduce this on version 3.7.1. |
@pierre-lehnen-rc Any updates? Seems like others can reproduce on the latest version. |
The same thing. Same error message with my custom openid provider. I can see that rocket chat does not take into account email_verified field from USERINFO openid endpoint. But it should. And when creating user with email_verified eq TRUE it should not ask user to verify email again. |
I think I found a solution. You need to go to /admin/Accounts settings, then Registration tab and check Verify Email for External Accounts. Then new users will be created with email verified set to true and error is gone. I think this is a bug, because if checkbox is checked (active), email verified flag must be false, and otherwise true. It must be fixed somewhere here https://github.com/RocketChat/Rocket.Chat/blob/develop/app/authentication/server/startup/index.js#L180 |
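A sketch of the behaviour the two comments above ask for: carry the OpenID Connect `email_verified` claim into the new user record, and match returning users on the provider's `sub` so a second login never reaches the email-collision check. This is an added example, not Rocket.Chat code; the function names, the user record shape and the `sub`-based matching are assumptions.

```javascript
// Added example; not Rocket.Chat code. All names and record shapes are hypothetical.

// Some providers send email_verified as the string "true"; accept only true or "true".
function claimIsVerified(userinfo) {
  return userinfo.email_verified === true || userinfo.email_verified === 'true';
}

// Decide what to do with an OAuth login, given the provider's userinfo response
// and a local user store (here a plain array of constructed records).
function resolveOAuthLogin(userinfo, users, provider) {
  const email = String(userinfo.email || '').trim().toLowerCase();
  if (!userinfo.sub || !email) {
    return { action: 'reject', reason: 'missing sub or email' };
  }
  // 1. Returning user: match on the stable (provider, sub) pair, never on email.
  const linked = users.find((u) => u.services[provider] === userinfo.sub);
  if (linked) {
    return { action: 'login', user: linked };
  }
  const verified = claimIsVerified(userinfo);
  const sameEmail = users.find((u) => u.email === email);
  // 2. Email collision: link only when both sides hold a verified address;
  //    linking on an unverified address would hand the account to anyone
  //    who can register that address at the identity provider.
  if (sameEmail) {
    if (verified && sameEmail.emailVerified) {
      sameEmail.services[provider] = userinfo.sub;
      return { action: 'link', user: sameEmail };
    }
    return { action: 'reject', reason: 'email in use and not verified' };
  }
  // 3. New user: store the provider's claim instead of defaulting to false.
  const created = { email, emailVerified: verified, services: { [provider]: userinfo.sub } };
  users.push(created);
  return { action: 'create', user: created };
}

// Constructed sample: the same identity logging in twice.
const demoUsers = [];
const demoInfo = { sub: 'auth0|demo-1', email: 'Alice@Example.com', email_verified: true };
console.log(resolveOAuthLogin(demoInfo, demoUsers, 'auth0').action);
console.log(resolveOAuthLogin(demoInfo, demoUsers, 'auth0').action);
```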
This workaround sorta works ... on the first login attempt the user is kicked back to the login window as they always have been. On the second, and subsequent attempts they can get in. Obviously this is still a bug. |
Any news on this? Actually I use the workaround from #18391 (comment) |
We're on 3.9.1, and still seeing this issue. Our user records are marked as verified, and we still see this. I finally set up a cron job to run this script every minute: |
This has become a HUGE issue for our rollout. We are working around it by logging in as Admin and toggling the "Verify email" flag for the user affected. However if this continues to happen we may be forced to roll back our implementation. Custom OAuth using AzureAD, RC 3.9.1 |
I've had this issue too. But I seem to have fixed it with this configuration: |
I have another issue with nextcloud OAuth login. Actually two issues. First, if I use the built-in nextcloud OAuth config, that login button is not shown in the RC iOS app. So I've set up a custom OAuth handler which is doing fine. Except, every successful login is logged as a failed login attempt in nextcloud. Resulting in the brute-force app to block all connections to RC and making the OAuth login impossible. An "udefined" error is shown in the top right corner and the console shows "websocket connection timeout". Also, see my comment on the related brute-force nextcloud app: |
We got this issue with brand new RC Oauth-endpoint-config. Old endpoints don't seem to be affected. |
I found a scenario that leads to the error described in this issue:
The last setting is described as:
Disabling |
@amottier - your workaround does not help with my configuration. |
I'm sorry @GeorgSommer but I'm no longer using oAuth authentication (I switched to LDAP) so I'll not be able to help you. |
Description:
Users logging in for the 2nd time via OAuth2 receive “email has already been used” error.
I’m using Auth0 to manage users. Users are able to login without trouble the first time. When trying to log in the second time they receive a message that “email has already been used” and are prompted to change their password. This doesn’t make sense as passwords are mostly managed through social accounts (e.g. github, google, etc.)
Server Setup Information
Steps to reproduce:
Expected behavior:
User should be logged in with all user metadata sync'd from Auth0 database
Actual behavior:
User is presented with "this email has already been used and has not been verified. Please change your password. Type new password." dialog.
User shows up in user list in rocket.chat users section. Listed as verified. Listed as online.
Server Setup Information:
Client Setup Information
Additional context
Followed instructions located here:
https://github.com/RocketChat/Rocket.Chat/issues/8492
and here
https://forums.rocket.chat/t/anyone-auth0-sso-experience/2060
Relevant logs: