RocketChat / Rocket.Chat

The communications platform that puts data protection first.
https://rocket.chat/

Is Keycloak auth fully working? #24844

Open verbeckii opened 2 years ago

verbeckii commented 2 years ago

Description:

I set up Keycloak authentication and noticed that not all functions work. Keycloak is an SSO provider, which means it is not only a user provider but also provides additional features such as Single Sign In and Single Sign Out between all applications connected to Keycloak.

Steps to reproduce:

  1. I have my custom app, which is connected to Keycloak
  2. I have my Rocket Chat, which is connected to Keycloak by this guide
  3. I logged in to my custom app
  4. I go to Rocket Chat and see the login page, which requires a login or the Keycloak login button
  5. I go to the Keycloak login button and still have to log in
  6. After logging in to Rocket Chat I tested logout (it should log out of ALL Keycloak apps)
  7. I logged out of Rocket Chat
  8. I tried to log in again in Rocket Chat, and right after clicking the Keycloak login button it logs in without asking me for a username and password

Expected behavior:

I expected that Rocket Chat can work with Keycloak Single Sign On and Single Sign Out

  1. I expected that after login with Keycloak in my custom app on step 1 it will NOT require me to log in again in my Rocket Chat
  2. I expected that after logout in Rocket Chat it will also log out of my custom app (both connected to one Keycloak Realm)
  3. Is it possible to have only one login method? I mean step 4: can it be only the Keycloak login form (not requiring a click on the Keycloak login button)?

Actual behavior:

The actual behavior is that Keycloak works with Rocket Chat only as a user provider and not as full SSO. Is there any way to do Single Sign On and Single Sign Out too?

Server Setup Information:

Client Setup Information

Additional context

Relevant logs:

emikolajczak commented 2 years ago

Hi, it is a known, very old issue. I have worked around it by:

  1. Go to "Administration -> Layout -> Custom scripts"
  2. In "Custom Script for Logout Flow" add

    window.location.href = "https://<keycloak_url>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2F<chat_url>";

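
The logout URL from the workaround above, built with proper encoding and a check on the return target. This is an added example, not part of the original thread and not Rocket.Chat or Keycloak code. The function name, its option names, and the `example.test` hosts, realm and client id are assumptions made for illustration. It also goes one step beyond the post: with `legacy: false` it emits the `post_logout_redirect_uri` and `client_id` parameters defined by OpenID Connect RP-Initiated Logout instead of `redirect_uri`; which form your Keycloak version accepts has to be checked against its documentation.

```javascript
// Added example, not from the thread. Hostnames, realm and client id are constructed placeholders.
function buildKeycloakLogoutUrl({
  keycloakBase,          // e.g. "https://sso.example.test/auth" (path prefix as deployed)
  realm,
  returnTo,              // where the browser should land after logout
  allowedReturnOrigins,  // origins you control; anything else is rejected
  legacy = true,         // true: redirect_uri, as in the workaround above
  clientId,              // used only when legacy is false
}) {
  const base = new URL(keycloakBase);
  const target = new URL(returnTo);
  if (base.protocol !== "https:" || target.protocol !== "https:") {
    throw new Error("Keycloak base and return URL must both be https");
  }
  // Refuse return targets outside the allowlist so the script cannot become an open redirect.
  if (!allowedReturnOrigins.includes(target.origin)) {
    throw new Error("return origin not allowed: " + target.origin);
  }
  // Keep whatever path prefix the deployment uses ("/auth" in the post, or none).
  const prefix = base.pathname.replace(/\/+$/, "");
  const logout = new URL(
    `${prefix}/realms/${encodeURIComponent(realm)}/protocol/openid-connect/logout`,
    base.origin
  );
  if (legacy) {
    logout.searchParams.set("redirect_uri", target.href);
  } else {
    // This helper has no ID token to pass as id_token_hint, so it requires a client id instead.
    if (!clientId) throw new Error("clientId is required when legacy is false");
    logout.searchParams.set("post_logout_redirect_uri", target.href);
    logout.searchParams.set("client_id", clientId);
  }
  return logout.href;
}

// In the custom script the result would be assigned to window.location.href.
const exampleLogoutUrl = buildKeycloakLogoutUrl({
  keycloakBase: "https://sso.example.test/auth",
  realm: "demo",
  returnTo: "https://chat.example.test",
  allowedReturnOrigins: ["https://chat.example.test"],
});
console.log(exampleLogoutUrl);
```
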
verbeckii commented 2 years ago

> Hi, it is a known, very old issue. I have worked around it by:
>
>   1. Go to "Administration -> Layout -> Custom scripts"
>   2. In "Custom Script for Logout Flow" add
>
>     window.location.href = "https://<keycloak_url>/auth/realms/<realm>/protocol/openid-connect/logout?redirect_uri=https%3A%2F%2F<chat_url>";

Thanks, I also set the custom script for the logout flow and it works fine. OK, now I have only one question: how can I make auto login via the Keycloak provider? Right now, when unauthorized users go to my Rocket Chat, they see the login page and first have to click the Keycloak button. How can I instantly redirect unauthorized users to the Keycloak login page?

I tried to do something like your solution and create a custom script for unauthorized users, but it's just not working. As a test case I wrote console.log('test script') in both the unauthorized and authorized sections, and the custom script works as expected for authorized and doesn't work for unauthorized (on the login page).

aminr99 commented 1 year ago

When I use this script for SSO it works and it logs out completely, but the redirect happens twice: once for the script and once more for the default Rocket Chat. How can I resolve this? Thanks for the help. @verbeckii