How to configure Rocket.Chat to use OAuth API in IPB 4.3?

[ossipetz]

Hello

We use Rocket.Chat as chat solution for our community. For now we use the OAuth Server Application to authenticate. That works quite nice. But since there is now a native OAuth API I wonder if it is possible to move over.

Currently it does not work. What I have:

IPB Side:

• Client Type: Custom Confidential OAuth Client
• Available Grant Types: Authorization Code 
• Redirection URIs: https://chat.tolkienforum.de/_oauth/tolkienforumipb 
  (copy paste from what rocket chat told us)
• Authorization Prompt: New sign ins only
• Show in Account Settings?: on

IPB generated a client-id and a secret-id (used below).

I left the scopes tab untouched but added groups. But I don't really understand that part.

Rocket.Chat side, added a custom OAuth application:

• Url: https://www.tolkienforum.de
• Token Path: /oauth/token
• Token sent via: Payload
• Identity Token sent via: Payload
• Identity Path: /api/core/me
• Authorize Path: /oauth/authorize
• Scope: profile email groups
  (tried to match this with scopes from the forum, but not sure what this is)
• Id: copy paste client-id from the forum
• Secret: copy paste secret-id from the forum
• Login Style: Popup
• Username field: name
• Merge Users: true

These are the settings. When logging in to the chat server the login popup show up, I can log in but get an error message:

Quote

 

Invalid Client ID

Fehlercode: 3S361/1

 

since the Client-Id is copy pasted I'm not sure if that error is actually correct. But well: anything is possible 

 

Did someone manage this to work? And if so what are your settings? Any hints welcome!

 

[Gill]

@ossipetz Hi :) I visited your site and used the rocket chat it is very cool. i would like to implement same with my community too. My question did u use the IPB out of box or used wohali Oauth server for this ? How Profile pics from your forum IPB imported to rocket CHAT ? I would be highly thankful to u for this Help :)

Thanks 

 

[ossipetz]

hello!

Thanks for visiting ?

We currently still use the extension from wohali with rocket.chat. I still can't get the integrated oauth server to work with the chat and I have trouble to diagnose whats wrong. The profile pictures are not imported into the chat, users just re-upload them or use different ones.

We also published a widget to show who's online in the chat: 

 

So if anyone get can get the integrated oauth to work and can share the settings? 

 

[ossipetz]

So. Did another attempt to use the OAuth server that comes with Invisionboard. I could get it to work with these settings:

Invisionboard:

• in the AdminCP: System - Rest & OAuth - OAuth Clients, create new
  • Client Type: Custom Confidential OAuth Client 
  • Available Grant Types: Authorization Code 
  • Redirection URIs: the Uri shown in Rocket.Chat when creating a custom OAuth provider, for our chat server it looks like: https://chat.host.domain/_oauth/tolkienforum
  • Authorization Prompt: Always
  • left the rest at its defaults. notice the "scopes" tab, having profile and email available
  • write down the client id and secret id! (needed for rocket.chat settings)

Rocket.Chat:

• Administration: OAuth (not OAuth Apps)
• Create Custom OAuth Account
• Activate: true
• it will show the redirect uri on top to use above
• Url: the uri of your community
• Token path: /oauth/token/
• Token sent via: Header
• Identity path: /api/core/me
• Authorization path: /oauth/authorize/
• Id: from invisionboard setting above
• Secret Id: from invisionboard setting above
• Login Style: redirect
• Scope: profile email
  (both scopes "profile" and "email" separated with a space)
• Button Text: something like "login via our forum"
• Avatar field: photoUrl

I could not yet get the groups / roles to work as the auth response for primaryGroup is a structure.

that should be it 🙂

 

 

 

Edited May 5, 2019 by ossipetz
fix scope setting

[DaffyDuck]

I've pretty much followed these instructions, but the 'USERS ONLINE' widget doesn't show any of the users in the Rocket.Chat.

Any suggestions?

This is with using the IPB OAuth API.

[DaffyDuck]

Also, if I attempt to login using IPB account credentials, that's not working for me either.

[ossipetz]

13 hours ago, DaffyDuck said:

I've pretty much followed these instructions, but the 'USERS ONLINE' widget doesn't show any of the users in the Rocket.Chat.

Any suggestions?

This is with using the IPB OAuth API.

The Widget itself does not use the OAuth credentials. When you configure the Widget you need to use an account configured in the rocket.chat administration. I use a bot, so I manually set a password for that user and use that one. The widget uses Basic Auth and the REST Api. In the future it may rely on OAuth too but currently it should work also when the chat is not connected to the forum.

 

13 hours ago, DaffyDuck said:

Also, if I attempt to login using IPB account credentials, that's not working for me either.

Well that is hard to tell what is going on. Since the Authentication is sent via Headers those may be a problem. Is nothing happening at all? You should get redirected to the forum and asked about permissions for the username and email. And then redirected back to chat and logged in.

I would check if the redirects happen (in the browser dev tools and console) and the system logs in the forum. Also the rocket.chat log might give you a hint if something is happening. I had to tweak the settings quite a bit but the ones above are the ones I currently use.

[ossipetz]

The above config is from rocket.chat 1.3.2 (note its not in OAuth Apps but in OAuth - there are two sections). 

These are the settings from the created OAuth Client in the IPB Admin CP: (with the url you get from rocket.chat above)

 

 

I think all other settings are set to default. Maybe check the scopes section if there is anything missing (I have two scopes: profile and email)

[DaffyDuck]

Made a little bit of progress - I figured out that I mistyped the actual URL of the oath location. Whoops. Before, it stated that 'this page does not exist'.

After I corrected that, it properly gives me the button login option via the forum - but when I click that, it sits there thinking for 2-3 seconds, clears the screen, and then drops right back to the same login window. Grrr...

Two steps forward, one step back.

 

[DaffyDuck]

When I do go to : https://chat.mywebserver.com/_oauth/mywebserver it does spit back a nice message of "Login completed. Click here to close this window.", which I guess is a positive indication that things ARE somewhat working the proper way...

7 hours ago, ossipetz said:

Also the rocket.chat log might give you a hint if something is happening.

Where could I find the logs of rocket.chat? I feel that I am incredibly close to making this work (thanks, in large part, with your help. THANK YOU!)

Found the logs 🙂

There's a whole lot of gobble-dee-gook about 'handshake failure'. I PM'd you the actual log entires, since it contains some information specific to my server, but maybe you see something that stands out?

 

[Schaken]

hello, this is from 3 years ago so im only hoping someone out there reads this soon. Im experiencing an "Invalid Client ID" following these instructions. I am using the latest RocketChat, and latest Invision community. 

[ossipetz]

On 6/11/2022 at 5:19 PM, Schaken said:

hello, this is from 3 years ago so im only hoping someone out there reads this soon. Im experiencing an "Invalid Client ID" following these instructions. I am using the latest RocketChat, and latest Invision community. 

could you dig into the log's of Rocket.Chat and the error events in invision board? are there any hints? The client id that you used is correctly copy-pasted? and the scopes are also correct? I assume the error is from rocket.chat? Or is it visible in the browser?

Also the communication between rocket.chat and invisionboard needs to be https - oauth is quite exact when it comes to the communication between the two tools 🤔

[Schaken]

On 6/13/2022 at 8:10 AM, ossipetz said:

could you dig into the log's of Rocket.Chat and the error events in invision board? are there any hints? The client id that you used is correctly copy-pasted? and the scopes are also correct? I assume the error is from rocket.chat? Or is it visible in the browser?

Also the communication between rocket.chat and invisionboard needs to be https - oauth is quite exact when it comes to the communication between the two tools 🤔

I appreciate your help! I just got it working, sorry for the long wait. Now all i need left is to get the profile avatar photo's to sync. have you figured that part out yet by any chance?

[Schaken]

turns out rocketchat is grabbing the users profile image, but not applying it yet. I can login as a random user and the avatar shows just the first letter of their name, and when i go to profile, their avatar from my website shows in the list of ones they can use. So I guess i need to find a way to disable the letter avatar thing so it will fallback on the websites avatar?

I feel pretty lucky, so far I got webhooks working and everything. Im almost 100% all set up, all thanks to your screenshots! I really appreciate it!

[ossipetz]

16 hours ago, Schaken said:

turns out rocketchat is grabbing the users profile image, but not applying it yet. I can login as a random user and the avatar shows just the first letter of their name, and when i go to profile, their avatar from my website shows in the list of ones they can use. So I guess i need to find a way to disable the letter avatar thing so it will fallback on the websites avatar?

I feel pretty lucky, so far I got webhooks working and everything. Im almost 100% all set up, all thanks to your screenshots! I really appreciate it!

as far as I remember: the avatar is only updated on login. if you change it in the forum and move over to the chat, it does not refresh. And even login in again sets it, but the user sometimes has to select it in the profile. It is at least there to be selected.

[Schaken]

2 hours ago, ossipetz said:

as far as I remember: the avatar is only updated on login. if you change it in the forum and move over to the chat, it does not refresh. And even login in again sets it, but the user sometimes has to select it in the profile. It is at least there to be selected.

Correct, It is there to select. BUT about 4 years ago, I paid someone to do all this for me and they had it where it would not only just be there, but it would be already selected as well. The person that did it for me is long gone, so I cant even ask questions. now im trying to do it on my own and Rocket.Chat has changed dang near everything. there is a toggle that tells it to do a smart select for the avatar, to choose the avatar that is given via Oauth, i have it turned on and i thought that would do it, but it seems to do nothing.

I realize this goes beyond the invision community, But at this point I have come to realize that there is almost no support for rocket.chat anywhere. They made a github with super outdated instructions, and anytime I ask a question there people point to it, and i ask them to show me where it evenmentions anything related and they cant, because every question I have, no one knows.

anyways.. here is the toggle that either dont work or it does something else, Or i misunderstand it.

[ossipetz]

hard to say. if people modify stuff they probably should add it to its sources to have it supported, or create an app nowadays. Hard to tell. We have never brought the integration from the forum with the chat that far.

[Schaken]

well, short of the Oauth Avater being set to default, I got it all setup, I even learned how to find all the custom CSS keys to edit dang near any colors and styles, I got it setup real nice, I appreciate you helping and posting this information, I dont think I could have got this without you! I got webhooks, im using IFTTT for almost everything as it is WAAAAY cheaper than Zapier. Im not smart enough to have the webhooks directly from my site to Rocket.Chat. here is a preview!