RocketChat User Authentication for Nextcloud (Social Login OAuth2)

Description

We set up RocketChat (RC) with internal Authentication / User Management.
Now, a few weeks later, I am trying to connect Nextcloud (NC) to it via OAuth, so RC users can log in to NC with their RC credentials too.

We did so far:

  • set up an OAuth App for our NC instance in RC
  • installed “Social Login” on NC and set up OAuth2 with the RC Server

On NC, after clicking on Rocketchat, logging in to RC and clicking "allow", RC leads back to NC, but
NC throws the error:

“Can not get identifier from provider”

It seems the "authorization state" is provided and consumed, but NC expects some kind of further "identifier" from RC?

Any ideas / experiences / hints with this or such a setup? I know this is probably more NC related (will ask there too), but no clue so far.

Is OAuth2 (NC “Social Login”) the right way to do that?

Any help or hint is very welcome.

many thanks,

niels.

Server Setup Information

  • Version of Nextcloud: 22.2.3
  • Version of Social Login: 4.9.3
  • Version of Rocket.Chat Server: 3.18.3
  • Operating System: Gentoo Linux
  • Proxy: nginx
  • Firewalls involved: pfSense / FreeBSD (NAT / port forwarding)

Any additional Information

Nothing in the logs of NC nor RC.

In RC:
Redirect URL: https://nextcloud.xyz/apps/sociallogin/custom_oauth2/rchat
Auth URL: https://rchat.xyz/oauth/authorize
Access token: https://rchat.xyz/oauth/token
ID: xxx
Secret: xxx

In NC (Social Login):
OAuth2
API base URL: https://rchat.xyz/oauth
Authorize URL: https://rchat.xyz/oauth/authorize
Token URL: https://rchat.xyz/oauth/token
Profile URL: https://rchat.xyz/oauth/userinfo (???)
Client ID: xxxx (ID from RC)
Client Secret: xxxxx (secret from RC)
Scope (optional): (empty)
Profile Fields (optional): (empty)
Groups Claim (optional): (empty)
Default Group: “staff”

The output of your config.php file in /path/to/nextcloud (make sure you remove any identifiable information!):

<?php
$CONFIG = array (
  'instanceid' => 'xxxxxx',
  'passwordsalt' => 'xxxxx',
  'secret' => '+xxxxxx',
  'trusted_domains' =>
  array (
    0 => 'nextcloud.xyz',
  ),
  'datadirectory' => '/cloud_data',
  'default_phone_region' => 'DE',
  'dbtype' => 'sqlite3',
  'version' => '22.2.3.0',
  'overwrite.cli.url' => 'http://nextcloud.xyz:8888',
  'memcache.local' => '\\OC\\Memcache\\Redis',
  'memcache.distributed' => '\\OC\\Memcache\\Redis',
  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'redis' =>
  array (
    'host' => '/var/run/redis/redis.sock',
    'port' => 0,
    'dbindex' => 0,
    'password' => 'xxxx',
    'timeout' => 2.0,
  ),
  'installed' => true,
  'mail_from_address' => 'cloud',
  'mail_smtpmode' => 'smtp',
  'mail_sendmailmode' => 'smtp',
  'mail_domain' => 'xyz',
  'mail_smtpauthtype' => 'PLAIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => '192.168.x.y',
  'mail_smtpport' => '25',
  'mail_smtpname' => 'localsmtp.yxyz',
  'mail_smtppassword' => 'xxxx',
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 9,
  'app_install_overwrite' =>
  array (
    0 => 'user_external',
  ),
  'overwriteprotocol' => 'https',
  'updater.secret' => '$xxx',
);

The output of your Apache/nginx/system log in /var/log/____:

...
192.168.bbb.254 - - [26/Nov/2021:11:47:28 +0100] "POST /oauth/token HTTP/2.0" 200 158 "-" "Hybridauth, PHP Social Authentication Library (https://github.com/hybridauth/hybridauth)"
192.168.bbb.254 - - [26/Nov/2021:11:47:28 +0100] "GET /oauth/userinfo? HTTP/2.0" 200 268 "-" "Hybridauth, PHP Social Authentication Library (https://github.com/hybridauth/hybridauth)"
217.aaa.182.171 - - [26/Nov/2021:11:47:28 +0100] "GET /apps/sociallogin/custom_oauth2/rchat?code=xxxx&state=HA-xxxx HTTP/2.0" 401 4674 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
217.aaa.182.171 - - [26/Nov/2021:11:47:28 +0100] "POST /sockjs/014/s0ejiv6n/xhr HTTP/2.0" 499 0 "https://rchat.xyz/oauth/authorize?response_type=code&client_id=xxxx&redirect_uri=https%3A%2F%2Fnextcloud.xyz%2Fapps%2Fsociallogin%2Fcustom_oauth2%2Frchat&scope=&state=HA-xxxx" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
217.aaa.182.171 - - [26/Nov/2021:11:47:30 +0100] "GET /index.php/apps/photos/service-worker.js HTTP/2.0" 401 43 "https://nextcloud.xyz/index.php/apps/photos/service-worker.js" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
217.aaa.182.171 - - [26/Nov/2021:11:47:50 +0100] "GET /_timesync HTTP/2.0" 200 13 "https://rchat.xyz/admin/oauth-apps/edit/xxx" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
217.aaa.182.171 - - [26/Nov/2021:11:48:50 +0100] "GET /_timesync HTTP/2.0" 200 13 "https://rchat.xyz/admin/oauth-apps/edit/xxx" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36"
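The access log in the post shows the sequence that matters for this error: the token exchange (POST /oauth/token) and the profile call (GET /oauth/userinfo) both return 200, and only the Nextcloud callback (/apps/sociallogin/custom_oauth2/rchat) answers 401. So the code and the state were accepted; what fails is Social Login extracting a user identifier from the JSON the Profile URL returns. The script below is an added diagnostic, not part of the original post and not Nextcloud's, Social Login's or Rocket.Chat's own code. It fetches the Profile URL with a bearer token the way the OAuth client does and reports which identifier-like key it can find. The list of candidate keys (CANDIDATE_ID_KEYS) is an assumption about what a consumer might look for, not the app's real lookup order, and the sample responses are constructed for the offline demonstration; replace them with the real output of your /oauth/userinfo endpoint.

```python
"""
Diagnostic for "Can not get identifier from provider" on a custom OAuth2 login.

Added example; not code from the forum post, Nextcloud, Social Login or Rocket.Chat.
Assumptions (labelled):
  - the OAuth client reads the user identifier from the JSON returned by the
    configured Profile URL, trying a few well-known keys; CANDIDATE_ID_KEYS
    below is our assumed list, not the app's real one;
  - SAMPLE_PROFILE_OK / SAMPLE_PROFILE_BAD are constructed responses for the
    offline run, not captured Rocket.Chat output.
"""
import json
import urllib.request
from typing import Dict, Optional, Tuple

# Assumed identifier keys; the first one found (shallowest path) wins.
CANDIDATE_ID_KEYS = ("identifier", "id", "sub", "_id", "user_id")


def flatten(obj, prefix: str = "") -> Dict[str, object]:
    """Flatten nested JSON into dotted paths so nested ids such as user.id are visible."""
    out: Dict[str, object] = {}
    if isinstance(obj, dict):
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            out.update(flatten(value, f"{prefix}{index}."))
    else:
        out[prefix[:-1]] = obj
    return out


def find_identifier(profile: dict, candidates=CANDIDATE_ID_KEYS) -> Optional[Tuple[str, str]]:
    """Return (path, value) of the first candidate key present with a non-empty value."""
    # Shallow paths first, so a top-level "id" beats a nested "user.id".
    flat = sorted(flatten(profile).items(), key=lambda item: item[0].count("."))
    for key in candidates:
        for path, value in flat:
            leaf = path.rsplit(".", 1)[-1]
            if leaf == key and value not in (None, ""):
                return path, str(value)
    return None


def diagnose(profile: dict) -> dict:
    """Summarise what an OAuth client would see in this profile response."""
    found = find_identifier(profile)
    return {
        "top_level_keys": sorted(profile.keys()),
        "identifier_path": found[0] if found else None,
        "identifier_value": found[1] if found else None,
        "would_fail": found is None,  # no usable identifier -> login cannot map a user
    }


def fetch_profile(profile_url: str, access_token: str, timeout: float = 10.0) -> dict:
    """Call the Profile URL as the client does: bearer token in the Authorization header."""
    request = urllib.request.Request(
        profile_url,
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


# Constructed samples (not real provider output).
SAMPLE_PROFILE_OK = {"sub": "u1", "username": "niels", "email": "niels@example.invalid"}
SAMPLE_PROFILE_BAD = {"name": "Niels", "email": "niels@example.invalid"}


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    for label, sample in (("ok", SAMPLE_PROFILE_OK), ("bad", SAMPLE_PROFILE_BAD)):
        print(label, json.dumps(diagnose(sample)))
    # Against the real endpoint, supply a short-lived token obtained from the
    # normal login flow (placeholder values, assumed URL from the post):
    # print(diagnose(fetch_profile("https://rchat.xyz/oauth/userinfo", "ACCESS_TOKEN_PLACEHOLDER")))
```

If the real response shows no key from the candidate list at the top level (for instance only a differently named id, or the id nested under another object), the mismatch between what the provider returns and what the client looks for is the thing to fix, either by pointing the Profile URL at an endpoint whose response carries a usable id or by telling the client which field to use; the exact field names accepted by Social Login 4.9.3 should be checked in its documentation or source rather than assumed from this script. Keep the token you use for this check short-lived and do not paste the full response into a public thread, since it contains the account's email addresses.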