RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Login Screen OAuth 2 stuck with Firefox #20374

Closed ChefNouille closed 3 years ago

ChefNouille commented 3 years ago

Description:

Hello,

I've been in trouble for some days with my Rocket.Chat instance. It was impossible to login with Firefox from any OS (tested on Windows, Linux, macOS).

My Rocket.Chat uses only the OAuth 2 authentication method. All works fine with Chrome / Chromium / Safari.

No errors found in Firefox console or server logs.

Does someone have an idea?

Regards

Steps to reproduce:

  1. Have Rocket.Chat linked with an OAuth 2 provider as the sole authentication method
  2. Try to login with Firefox

Expected behavior:

Redirection to home channel of instance

Actual behavior:

Login page reloads without redirection; you can click endlessly on the login button

Server Setup Information:

Client Setup Information

Additional context

Relevant logs:

No specific logs found

ChefNouille commented 3 years ago

Up,

I have taken a look again but I definitely don't find any logs related to this issue. Maybe someone can point me to the right location to find all authentication logs?

Regards

LeSuisse commented 3 years ago

When looking at the differences between Firefox and Chrome it seems that the call POST /api/v1/method.callAnon/login is never sent when using Firefox.

LeSuisse commented 3 years ago

The issue seems to affect relatively recent versions of Firefox. It is possible to connect with Firefox 78.0.1 but not with Firefox 85.0.1.

Edit: After a few more tests, FF 78 is the last working version; starting with FF 79 it becomes impossible to login.

gabriellsh commented 3 years ago

@LeSuisse how did you set up the OAuth? I've been trying for a while now to reproduce this bug, but it works fine for me. Tested with FF 80.0 and 85.0.1, both on macOS and Windows. Any information helps.

Also, can you test with the GitHub OAuth if possible? I used it in my tests, as well as a mocked OAuth provider. Thanks in advance!

LeSuisse commented 3 years ago

@gabriellsh I can confirm it works fine when using GitHub as the provider.

In my situation I'm using a custom OAuth provider. You can see the live server here: https://chat.tuleap.org/

LeSuisse commented 3 years ago

Also, if it can help with the reproduction, I can provide a client ID/secret for the custom OAuth provider we are using. It might make it easier to reproduce the issue on a dev instance ;)

gabriellsh commented 3 years ago

@LeSuisse I could reproduce the bug on your server. Indeed, the call to the login method is not issued. I still couldn't reproduce it using my custom OAuth though. I think before we go to such measures as sharing your client ID and secret, it'd be nice if you sent a few screenshots of your custom OAuth config. (Please, omit the IDs and secret for now.) If you want to share any other setting you've modified and think might be useful, please do.

Also, can you test setting the Login Style to popup? Maybe it'll work while we figure out this bug.

LeSuisse commented 3 years ago

@gabriellsh The provider is configured like this; I kept the client ID since it is public information (you can also find a textual description of our config here: https://docs.tuleap.org/user-guide/integration/rocketchat.html#authenticate-with-oauth-openid-connect):

[screenshot]

> I think before we go to such measures as sharing your client ID and Secret, it'd be nice if you sent a few screenshots of your custom oauth config.

Just to be clear, I was not proposing to send you the actual credentials of the production OAuth app but to create a new app dedicated to the test on the same OAuth provider 🙂

> If you wan't to share any other setting you've modified and think might be useful, please do;

I do not see anything particularly relevant. Note that I have been able to reproduce the issue on a development instance of Rocket.Chat (based on yesterday's develop branch) for which the only action done was adding a custom OAuth provider.

> Also, can you test setting the Login Style to popup? Maybe it'll work while we figure out this bug.

Interesting, I'm sometimes able to log in when the "Login Style" is set to popup. When it does not work I get a "No matching login attempt found" error, but the error also happens with Chrome.

[screenshot]

gabriellsh commented 3 years ago

Hey, thanks a lot! You've been really helpful! I think this is what I need for now, I'll comment again if I need anything more.

gabriellsh commented 3 years ago

I think I'll need that test app. You can contact me at open.rocket.chat as gabriel.henriques, or I'm logged in at your chat server too (as gabriellsh).

gabriellsh commented 3 years ago

Are there any additional logs in the console when using the popup?

LeSuisse commented 3 years ago

I have been able to test the fix/workaround and I can confirm it works on my end :tada:

Thanks for your work @gabriellsh!

cpra-lcoffe commented 3 years ago

Hello,

We updated from 3.11.0 to 3.12.0 today and Firefox users were not able to login using OAuth (with Keycloak). It would do exactly what is described in this issue. Changing Login Style from redirect to popup solves the problem in the interim.

MarekRzewuski commented 3 years ago

I have the same issue. Firefox not working, unless popup is on.

Version: 3.13.0-develop
Apps Engine Version: 1.23.0
Node Version: v12.18.4
Database Migration: 218 (10. mars 2021 kl. 23:46)
MongoDB: 4.0.18 / unknown (oplog Enabled)