We’ve configured our egroupware instance in a multi-domain setup with email (imap) authentication using mail server login-type “user@domainname” (Virtual Mail Manager). In this scenario, eGroupware will then distinguish between domains and determine which database / context it should connect to. Unfortunately, with this setup, it seems not to be possible to use Rocket.Chat (which uses OpenID / oauth). It seems that authentication on the egroupware Open-ID / oauth server will happen only with the username (part before the “@” of the email address) and not the full e-mail address, which would be required in our setup (to distinguish database contexts).
For such accounts, we always get the following error message:
{"error":"invalid_client","error_description":"Client authentication failed","message":"Client authentication failed"}
And within log output from rocketchat docker container we see something like this:
{"line":"403","file":"oauth_server.js","message":"Error in OAuth Server: Failed to complete OAuth handshake with egroupware at https://groupware.ownspace.ch/egroupware/openid/endpoint.php/access_token. failed [400] {\"error\":\"invalid_request\",\"error_description\":\"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.\",\"hint\":\"Cannot decrypt the authorization code\",\"message\":\"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.\"}","time":{"$date":1600518775014},"level":"warn"}
We then tried to create a separate oauth provider “egroupwareauthwithemail” under Rocket.Chat -> Application configuration with a separate client-id “Rocket.Chat.emailauth” that uses “email” as Username field (instead of “id”), then linked that one within the egroupware rocket.chat configuration with that OAuth Client-ID and also created a Client Instance within the “OpenID / OAuth2 Server” application configuration section, which refers to the custom oauth provider, referring to its client-id (“Rocket.Chat.emailauth”) and using the custom provider name within the forwarding address field (https://groupware.ownspace.ch/rocketchat/_oauth/egroupwareauthwithemail).
But even that didn’t help authentication to succeed so far, resulting in the same error message displayed in the frontend as stated above, and this message within the rocketchat container log:
{"line":"403","file":"oauth_server.js","message":"Error in OAuth Server: Failed to complete OAuth handshake with egroupwareauthwithemail at https://groupware.ownspace.ch/egroupware/openid/endpoint.php/access_token. failed [401] {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed\",\"message\":\"Client authentication failed\"}","time":{"$date":1600704122208},"level":"warn"}
Does someone have an idea what would be further required for that to work? Because for users within the default context, like the system-created “sysop” admin user, rocket.chat oauth login works well, so we were at least able to configure rocket.chat under “Administration”. Also with a self-created user (but only within the default context) login to rocket.chat works.
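The two Rocket.Chat log lines quoted in this post wrap the OAuth server's own JSON error inside the `message` string, which makes them awkward to read or alert on by eye. The following is an added triage helper, not code from the original post or from Rocket.Chat or EGroupware: it parses such log lines, pulls out the provider name, token endpoint, HTTP status and the nested `error` / `hint` fields, and attaches a short note on what the two failure types in the post mean per the OAuth 2.0 error vocabulary. The sample lines are the ones from the post; the `HANDSHAKE_RE` pattern and the `triage` wording are this example's own assumptions about the log format.

```python
import json
import re
from typing import Optional

# The two lines quoted in the forum post above (copied from the post, kept as raw strings
# so the escaped quotes inside the "message" field survive verbatim).
SAMPLE_LOG_LINES = [
    r'{"line":"403","file":"oauth_server.js","message":"Error in OAuth Server: Failed to complete OAuth handshake with egroupware at https://groupware.ownspace.ch/egroupware/openid/endpoint.php/access_token. failed [400] {\"error\":\"invalid_request\",\"error_description\":\"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.\",\"hint\":\"Cannot decrypt the authorization code\",\"message\":\"The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.\"}","time":{"$date":1600518775014},"level":"warn"}',
    r'{"line":"403","file":"oauth_server.js","message":"Error in OAuth Server: Failed to complete OAuth handshake with egroupwareauthwithemail at https://groupware.ownspace.ch/egroupware/openid/endpoint.php/access_token. failed [401] {\"error\":\"invalid_client\",\"error_description\":\"Client authentication failed\",\"message\":\"Client authentication failed\"}","time":{"$date":1600704122208},"level":"warn"}',
]

# Assumed shape of the handshake failure text inside "message" (matches the lines above):
#   "... handshake with <provider> at <url>. failed [<status>] <json body>"
HANDSHAKE_RE = re.compile(
    r"Failed to complete OAuth handshake with (?P<service>\S+) at (?P<url>\S+)\. "
    r"failed \[(?P<status>\d+)\] (?P<body>\{.*\})$"
)


def parse_oauth_failure(log_line: str) -> Optional[dict]:
    """Return a flat dict describing an OAuth handshake failure, or None if the
    line is not one. The outer JSON is the Rocket.Chat log record; the inner
    JSON (error, error_description, hint) is the OAuth server's token-endpoint
    response, embedded as an escaped string in the "message" field."""
    try:
        outer = json.loads(log_line)
    except json.JSONDecodeError:
        return None
    match = HANDSHAKE_RE.search(outer.get("message", ""))
    if not match:
        return None
    try:
        body = json.loads(match.group("body"))
    except json.JSONDecodeError:
        body = {}  # keep the HTTP status even if the body is not JSON
    return {
        "service": match.group("service"),
        "endpoint": match.group("url"),
        "status": int(match.group("status")),
        "error": body.get("error"),
        "description": body.get("error_description"),
        "hint": body.get("hint"),
        "level": outer.get("level"),
        "timestamp_ms": (outer.get("time") or {}).get("$date"),
    }


def triage(failure: dict) -> str:
    """Map the (error, hint) pair to a defender-oriented note. The wording is
    this example's own; it follows the OAuth 2.0 meaning of the error codes."""
    error = failure.get("error")
    hint = (failure.get("hint") or "").lower()
    if error == "invalid_client":
        return ("client authentication failed at the token endpoint: the client_id/secret "
                "the client presented does not match a client registered on the OAuth server")
    if error == "invalid_request" and "decrypt" in hint:
        return ("the token endpoint could not decrypt the authorization code it was handed: "
                "the code was not issued by, or is not readable by, the server redeeming it")
    return "unclassified OAuth failure; inspect error_description"


def summarize(log_lines) -> list:
    """Parse every line, keep only handshake failures, and attach the triage note."""
    results = []
    for line in log_lines:
        failure = parse_oauth_failure(line)
        if failure is not None:
            failure["note"] = triage(failure)
            results.append(failure)
    return results


if __name__ == "__main__":
    for f in summarize(SAMPLE_LOG_LINES):
        print(f"{f['service']} -> HTTP {f['status']} {f['error']}: {f['note']}")
```

Feeding the container log through `summarize` gives one record per failed handshake; the `service` field shows which Rocket.Chat provider entry (`egroupware` versus `egroupwareauthwithemail`) made the call, which is the first thing to check when two providers point at the same token endpoint.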