
Google OAuth Login broken in 4.4.0 #24355

Closed
mr-karan opened this issue Jan 31, 2022 · 19 comments · Fixed by #24381

@mr-karan

Description:

After upgrading to 4.4.0, Google OAuth complains about a redirect_uri mismatch. Nothing has changed in the config; only the upgrade from 4.3.0 to 4.4.0 caused this.

Steps to reproduce:

  1. Login using Google OAuth
  2. See the error message
Error 400: redirect_uri_mismatch

You can't sign in to this app because it doesn't comply with Google's OAuth 2.0 policy.

Expected behavior:

Google OAuth should work normally as it was working a version before.

Actual behavior:

image

Server Setup Information:

  • Version of Rocket.Chat Server: 4.4.0
  • Operating System: Doesn't matter
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Don't know where to find this
  • NodeJS Version: v14.18.2
  • MongoDB Version: 4.2.18 / wiredTiger (oplog Enabled)

Client Setup Information

  • Desktop App or Browser Version: Chrome Version 97.0.4692.99 (Official Build) Arch Linux (64-bit)
  • Operating System: Arch Linux

Additional context

The OAuth URL is correct and unchanged in the settings:

image

Relevant logs:

@mr-karan
Author

mr-karan commented Jan 31, 2022

For people coming here, I fixed it by removing ?close in my redirect_uri in the Google Console.

https://domain.tld/_oauth/google?close -> https://domain.tld/_oauth/google worked.

Did this redirect_uri change across versions? (removal of ?close)

@geekgonecrazy
Contributor

geekgonecrazy commented Feb 1, 2022

@sampaiodiego we might need to call this out as a breaking change or at least a note in release notes?

@danielfariati

Don't know if related to this, but now in version 4.4.1, everyone trying to login with Google is getting an "Internal Server Error".
The problem is exactly the same as described here: #19856

@sampaiodiego
Member

@danielfariati did you end up removing ?close from callback url on Google as @mr-karan mentioned? if so, you should add it back

@danielfariati

danielfariati commented Feb 8, 2022

@sampaiodiego

No. We actually have both there.

Google:
Javascript origins: https://[our-domain]
Redirect URIs: https://[our-domain]/_oauth/google?close AND https://[our-domain]/_oauth/google

RocketChat:
ROOT_URL=https://[our-domain]

I can see in the settings that Accounts_OAuth_Google_callback_url is https://[our-domain]/_oauth/google (without the ?close). But that is not customizable and I assume is the server default.

The Google auth page that opens shows the redirect URI as https://[our-domain]/_oauth/google?close, so it should work... But it doesn't.
The error is now no longer on the Google end, as it accepts the request just fine.
The error appears to be on the callback to RocketChat server.

@jthomaschewski

jthomaschewski commented Feb 8, 2022

Confirmed. We have the same issue while also having both redirect urls authorized (with and without ?close)

it logs as redirect_uri_mismatch error, so something seems to be wrong with the redirect uri matching:

rocketchat_1  | Exception while invoking method 'login' Error: Failed to complete OAuth handshake with Google. failed [400] {   "error": "redirect_uri_mismatch",   "error_description": "Bad Request" }
rocketchat_1  |     at getTokens (packages/google-oauth/google_server.js:105:7)
rocketchat_1  |     at Object.getServiceData [as handleOauthRequest] (packages/google-oauth/google_server.js:80:58)
rocketchat_1  |     at OAuth._requestHandlers.<computed> (packages/oauth2/oauth2_server.js:10:33)
rocketchat_1  |     at middleware (packages/oauth/oauth_server.js:171:5)
rocketchat_1  |     at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40

Google auth page is opened with query parameter &redirect_uri=https%3A%2F%2Foutdomain.tld%2F_oauth%2Fgoogle%3Fclose
Which should match our authorized redirect uri https://outdomain.tld/_oauth/google?close

But settings/administrations claims that the redirect uri should be the one without ?close - Looks like rocketchat internally now provides the one with ?close to google but still verifies the one without thus always getting a mismatch...
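
An added illustration of the mismatch described in the comment above (not Rocket.Chat or Google code): a model provider that compares redirect_uri as an exact string, once at the authorization leg and once at the token leg. The ModelProvider class, the login helper and the chat.example host are constructed for the example, and the split between the two legs follows the commenter's hypothesis.

```javascript
// Constructed model of a provider that compares redirect_uri as an exact string,
// first against the registered list, then against the value bound to the code.
class ModelProvider {
  constructor(registeredUris) {
    this.registered = new Set(registeredUris);
    this.codes = new Map(); // code -> redirect_uri seen at authorization
    this.nextCode = 1;
  }
  // Leg 1: the browser is sent to the provider with redirect_uri in the query.
  authorize(redirectUri) {
    if (!this.registered.has(redirectUri)) {
      return { error: 'redirect_uri_mismatch', leg: 'authorize' };
    }
    const code = `code-${this.nextCode++}`;
    this.codes.set(code, redirectUri);
    return { code };
  }
  // Leg 2: the server exchanges the code and must repeat the same redirect_uri.
  token(code, redirectUri) {
    const bound = this.codes.get(code);
    this.codes.delete(code); // codes are single use
    if (bound === undefined) return { error: 'invalid_grant', leg: 'token' };
    if (bound !== redirectUri) return { error: 'redirect_uri_mismatch', leg: 'token' };
    return { access_token: 'constructed-token' };
  }
}

// Hypothetical client: one URI for the browser redirect, one for the code exchange.
function login(provider, authorizeUri, tokenUri) {
  const a = provider.authorize(authorizeUri);
  if (a.error) return a;
  return provider.token(a.code, tokenUri);
}

const BASE = 'https://chat.example/_oauth/google'; // constructed host
const bothRegistered = () => new ModelProvider([BASE, `${BASE}?close`]);
const onlyClose = () => new ModelProvider([`${BASE}?close`]);

function scenarios() {
  return {
    // 4.4.0 report: request omits ?close, console lists only the ?close form.
    unregistered: login(onlyClose(), BASE, BASE),
    // 4.4.1 reports: both forms registered, but the two legs disagree.
    legsDisagree: login(bothRegistered(), `${BASE}?close`, BASE),
    // Same string on both legs and in the registered list.
    consistent: login(bothRegistered(), `${BASE}?close`, `${BASE}?close`),
  };
}
console.log(scenarios());
```

Registering both forms only satisfies the first check; the second check passes only when the server repeats the exact string it sent to the browser.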

@danielfariati

@sampaiodiego
I believe the cause of the problem is the variable defined here:

return this.add('Accounts_OAuth_Google_callback_url', '_oauth/google', {

As you can see, the URL is defined without the ?close. Admins also can't change that, as it is readonly.

@jthomaschewski

@danielfariati good idea.
Manually changing the value in DB doesn't help though. Temporarily tried it by running this:

db.rocketchat_settings.update({
  _id: 'Accounts_OAuth_Google_callback_url'
}, {
  $set: { value: "_oauth/google?close" }
})

(of course be careful when tinkering with DB...)

@jthomaschewski

Workaround for now:

  • change migration version in db from 254 to 253:
db.migrations.update({_id: "control", version: 254}, {$set: {version: 253}})
  • downgrade to v4.4.0
  • make sure the redirect uri without ?close is authorized in google api console

Migration 254 will be re-applied when upgrading again but this shouldn't be an issue as it's only gracefully re-creating some indexes.

@toantc

toantc commented Feb 8, 2022

I downgraded to 4.4.0 from 4.4.1 and added both URLs, with and without ?close, to the Google Console.
It's working on the web and desktop app but the mobile app isn't.

Steps to reproduce

  1. Open mobile app
  2. Login with Google Auth
  3. Choose the email to login with
  4. Clicked "Open this page in Chat"

Expected behavior

The mobile app should be logged in

Actual behavior

The login screen is shown again

@sampaiodiego
Member

looks like there was a missing piece on the fix.. I'm working on a new fix right now

@cooljeanius

> looks like there was a missing piece on the fix.. I'm working on a new fix right now

so... does that mean this should be reopened, then?

@sampaiodiego
Member

the missing part was already done (#24450) and released on 4.4.2

@cooljeanius

> the missing part was already done (#24450) and released on 4.4.2

Then why is it still broken for the MacPorts Rocket.Chat instance?

@sampaiodiego
Member

not sure @cooljeanius .. can you please provide more information? any error message on the logs?

@cooljeanius

Just the "Internal Server Error" in the upper right-hand corner: Screen Shot 2022-05-20 at 10 36 06
I dunno where to look for the logs? Maybe @g5pw has some if you mean server-side?

@g5pw

g5pw commented May 20, 2022

The exact error we see in the logs is:

rocket-chat_rocketchat.1.x94i0noq42cp@docker    | {"level":40,"time":"2022-05-20T21:34:48.125Z","pid":9,"hostname":"76618ccfda4d","name":"System","msg":"Automatically added ?close to 'redirect_uri' for github, this behavior will be removed in v5.0.0.\nPlease update your OAuth config to accept both with and without ?close as the 'redirect_uri'."}
rocket-chat_rocketchat.1.x94i0noq42cp@docker    | Exception while invoking method 'login' TypeError: emails.find is not a function
rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at Object.handleOauthRequest (packages/github-oauth/github_server.js:10:31)
rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at OAuth._requestHandlers.<computed> (packages/oauth2/oauth2_server.js:10:33)
rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at middleware (packages/oauth/oauth_server.js:171:5)
rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40

@sidmohanty11
Contributor

sidmohanty11 commented Jul 9, 2022

Same error in v4.8.1 :(

The toast error we're getting is: undefined

@cooljeanius

> The exact error we see in the logs is:
>
> rocket-chat_rocketchat.1.x94i0noq42cp@docker    | {"level":40,"time":"2022-05-20T21:34:48.125Z","pid":9,"hostname":"76618ccfda4d","name":"System","msg":"Automatically added ?close to 'redirect_uri' for github, this behavior will be removed in v5.0.0.\nPlease update your OAuth config to accept both with and without ?close as the 'redirect_uri'."}
> rocket-chat_rocketchat.1.x94i0noq42cp@docker    | Exception while invoking method 'login' TypeError: emails.find is not a function
> rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at Object.handleOauthRequest (packages/github-oauth/github_server.js:10:31)
> rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at OAuth._requestHandlers.<computed> (packages/oauth2/oauth2_server.js:10:33)
> rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at middleware (packages/oauth/oauth_server.js:171:5)
> rocket-chat_rocketchat.1.x94i0noq42cp@docker    |     at /app/bundle/programs/server/npm/node_modules/meteor/promise/node_modules/meteor-promise/fiber_pool.js:43:40

Downstream issue on the MacPorts Trac: https://trac.macports.org/ticket/65937
