oAuth Server Hand-shake Error with Rocket Chat

adnanbutt050 2020-04-24 11:26:58 UTC #1

Hello Dear,

I am struggling to set up Rocket chat on my Egroupware server, but unfortunately, there is a handshake problem with the rocket chat server and Oauth server, I followed all the instructions on how to configure custom Egroupware Oauth in Rocket chat

W20200424-10:12:19.392(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:12:19.396(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:12:19.397(0) (oauth_server.js:392) Error in OAuth Server: Failed to complete OAuth handshake with egroupware at https://xxxxxxxxxxxx.com/egroupware/openid/endpoint.php/access_token. failed [400] {“error”:“invalid_request”,“error_description”:“The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.”,“hint”:“Cannot decrypt the authorization code”,“message”:“The request is missing a required parameter, includes an invalid parameter value, includes a parameter more than once, or is otherwise malformed.”}
W20200424-10:19:14.153(0) (oauth_server.js:392) Error in OAuth Server: access_denied
W20200424-10:19:27.055(0) (oauth_server.js:392) Error in OAuth Server: access_denied
W20200424-10:22:41.617(0) (oauth_server.js:392) Error in OAuth Server: access_denied
W20200424-10:52:22.713(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:52:22.715(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:52:22.718(0) (oauth_server.js:392) Error in OAuth Server: access_denied
W20200424-10:54:37.483(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:54:37.484(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:54:37.485(0) (oauth_server.js:392) Error in OAuth Server: access_denied
W20200424-10:59:30.584(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:59:30.586(0) (oauth_server.js:69) Unable to base64 decode state from OAuth query: undefined
W20200424-10:59:30.587(0) (oauth_server.js:392) Error in OAuth Server: access_denied
W20200424-11:01:07.391(0) (oauth_server.js:392) Error in OAuth Server: access_denied

RalfBecker 2020-04-24 15:43:16 UTC #2

With all the access denied the Rocket.Chat logs, I would first check client secrets and id’s on EGroupware macht what you put into Rocket.Chat or try setting a new secret in EGroupware and Rocket.Chat.

The Rocket.Chat log is to me not as useful then the request log of the OpenID Connect / OAuth2 server, which you can enable inside EGroupware und Admin > OpenID Connect / OAuth2 server > Request log

Ralf

adnanbutt050 2020-04-25 08:27:49 UTC #3

Hello @RalfBecker,

The Client secret and Id on Egroupware are following

The Custom oAuth setting on rocket chat is following.

The opnid Log shows of the following error.

[2020-04-25 08:15:55] openid.DEBUG: GET /egroupware/openid/endpoint.php/authorize?client_id=rocket&redirect_uri=https%3A%2F%2Fxxxxxxxxxx.com%2Frocketchat%2F_oauth%2Fegroupware&response_type=code&state=eyJsb2dpblN0eWxlIjoicmVkaXJlY3QiLCJjcmVkZW50aWFsVG9rZW4iOiJMRjhORUl6bWpwQ0V1c181T3RvU0pCRFRJUVpuZlUwbExNZGxJYTk0MHBkIiwiaXNDb3Jkb3ZhIjpmYWxzZSwicmVkaXJlY3RVcmwiOiJodHRwczovL2NvbS5wbGFudGFjb3JwLmNvbS9yb2NrZXRjaGF0L2hvbWUifQ==&scope=openid%20email%20profile%20roles HTTP/1.1
Connection: Keep-Alive
X-Forwarded-Server: xxxxxxxxxx.com
X-Forwarded-Host: xxxxxxxxxxx.com
X-Forwarded-For: 77.6.168.167
X-Forwarded-Proto: https
Cookie: eGW_cookie_test=enabled; last_domain=default; _ga=GA1.2.358113346.1584051437; last_loginid=hafiz.adnan; sessionid=a5tl40hgfbo8ood4etgboq2ed4; kp3=Ggag80Z0j0NO0TmY9OEBQpBe; domain=default; rc_uid=FeQtqJiiXZfxYuiNG; rc_token=pmNhSqFHcahoB3cwg6jKEu9mqCL4_Lrhn6FTUPSKaY0
Accept-Language: en,en-GB;q=0.9,en-US;q=0.8,de;q=0.7
Accept-Encoding: gzip, deflate, br
Referer: https://xxxxxxxxxx.com/rocketchat/home
Sec-Fetch-Dest: iframe
Sec-Fetch-User: ?1
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Upgrade-Insecure-Requests: 1
Host: xxxxxxxxxxx.com
Content-Length:
Content-Type:

[2020-04-25 08:15:55] openid.DEBUG: HTTP/1.1 302 Found
Content-Type: text/html; charset=UTF-8
Location: https://xxxxxxxxxx.com/rocketchat/_oauth/egroupware?state=eyJsb2dpblN0eWxlIjoicmVkaXJlY3QiLCJjcmVkZW50aWFsVG9rZW4iOiJMRjhORUl6bWpwQ0V1c181T3RvU0pCRFRJUVpuZlUwbExNZGxJYTk0MHBkIiwiaXNDb3Jkb3ZhIjpmYWxzZSwicmVkaXJlY3RVcmwiOiJodHRwczovL2NvbS5wbGFudGFjb3JwLmNvbS9yb2NrZXRjaGF0L2hvbWUifQ%3D%3D&error=access_denied&error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=The+user+denied+the+request&message=The+resource+owner+or+authorization+server+denied+the+request.

RalfBecker 2020-04-25 08:30:34 UTC #4

Paste the secret from Rocket.Chat again into the client on the EGroupware side and store it, making sure they match.

If that does not help, enable the request log and try logging in again …

Ralf

adnanbutt050 2020-04-25 08:57:41 UTC #5

Hi @RalfBecker,

Created a new secret and saved the secret code into rocketcaht secret field and also store this secret code on the groupware side.

The problem still persists.

[2020-04-25 08:53:09] openid.DEBUG: GET /egroupware/openid/endpoint.php/authorize?client_id=rocket&redirect_uri=https%3A%2F%2Fxxxxxxxxxxx.com%2Frocketchat%2F_oauth%2Fegroupware%3Fclose&response_type=code&state=eyJsb2dpblN0eWxlIjoicG9wdXAiLCJjcmVkZW50aWFsVG9rZW4iOiJDQlYxQkhsTWg3cHppWjljVDIxQklEZmtNeXRMVHZ6R3M4eDVvbEk5QmtwIiwiaXNDb3Jkb3ZhIjpmYWxzZX0=&scope=openid%20email%20profile%20roles HTTP/1.1
Connection: Keep-Alive
X-Forwarded-Server: xxxxxxxxxx.com
X-Forwarded-Host: xxxxxxxxxx.com
X-Forwarded-For: 77.6.168.67
X-Forwarded-Proto: https
Cookie: eGW_cookie_test=enabled; last_domain=default; _ga=GA1.2.358113346.1584051437; last_loginid=hafiz.adnan; rc_uid=FeQtqJiiXZfxYuiNG; sessionid=d7387dv8e70hf471gr00ll5r4p; kp3=Dp2SG1mSBrng5p4dpbbe8tVY; domain=default; rc_token=FKTG8jJGwlrm095TjGGLiN0hBpFOvKZN78Q2KtMZjlZ
Accept-Language: en,en-GB;q=0.9,en-US;q=0.8,de;q=0.7
Accept-Encoding: gzip, deflate, br
Referer: https://xxxxxxxxxx.com/rocketchat/home
Sec-Fetch-Dest: document
Sec-Fetch-User: ?1
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/81.0.4044.113 Safari/537.36
Upgrade-Insecure-Requests: 1
Host: xxxxxxxxxx.com
Content-Length:
Content-Type:

[2020-04-25 08:53:09] openid.DEBUG: HTTP/1.1 401 Unauthorized
Content-Type: application/json

{“error”:“invalid_client”,“error_description”:“Client authentication failed”,“message”:“Client authentication failed”}

RalfBecker 2020-04-25 09:37:27 UTC #6

Then you still have a problem with your credentials:

maybe space or tab characters due copy-n-paste
none-ascii chars in the secret could also be a problem

It works once you get identical credentials in both side!

Ralf