In addition to the OAuth methods that Rocket.Chat provides for user authentication, you can also choose to set up a custom OAuth method.
This guide shows how to set up a custom OAuth integration between Microsoft accounts and Rocket.Chat. It uses Microsoft Entra ID (formerly Azure Active Directory), Microsoft's identity service, which provides single sign-on and other authentication methods and also lets you define conditional access policies and role-based permissions.
Prerequisites
An account on the Azure portal.
A Microsoft Entra ID app registration (a Microsoft identity platform web application).
An application ID and client secret.
If you don't have an app, log in to the Azure Portal and go to the Microsoft Entra ID section.
Create a new App Registration.
Fill in the details. The redirect URI is the Callback URL that your Rocket.Chat workspace shows when you create the custom OAuth integration (see Create custom OAuth below).
After registering your new app, note the Application (client) ID and the Directory (tenant) ID. You will need these values to configure the integration in Rocket.Chat.
On your new app's page, go to Certificates & secrets and create a New client secret. Copy the secret Value as soon as it is created: the portal shows it only once and it cannot be retrieved later. Client secrets also expire, so record the expiry date and plan to rotate the secret in both Azure and Rocket.Chat before then.
Create custom OAuth
To create a custom authentication method in your Rocket.Chat workspace, follow these steps:
Go to Administration > Workspace > Settings > OAuth.
Click on Custom OAuth and enter a name for the new OAuth integration.
After creating the new integration, Rocket.Chat shows its Callback URL, for example https://<your-domain>/_oauth/ms365. Enter this exact value as the redirect URI when you create your Azure app: Entra ID compares the redirect URI in each authorization request against the registered URIs as an exact string, so a different scheme, host or port, or a trailing slash, causes the login to fail. You will also need to fill in the other configuration fields described below.
Configure custom OAuth
In your workspace, enable the custom OAuth and set the following fields as per your requirements:
| Field | Description |
|---|---|
| URL | Enter the URL in the format |
| Token Path | Enter the token endpoint path |
| Token Sent Via | For this example, select the Payload option. |
| Identity Token Sent Via | For this example, select the Header option. |
| Identity Path | Enter the |
| Authorize Path | Enter the authorization endpoint path |
| Scope | For this example, enter the scope value as |
| Param Name for access token | For this example, enter the value |
| Id | Enter the Azure application's Application (client) ID value. For example, |
| Secret | Enter the Azure application's client secret value. For example, |
| Login Style | Select the type of the login screen. The options are: |
| Button Text | Enter the text that will be displayed on the login button. For example, |
| Button Text Color | Enter the color of the login text. For example, |
| Button Color | Enter the color of the login button. For example, |
| Key Field | Select the field with which users can log in and which will maintain unique user IDs. The options are: In this example, select the Email option. |
| Username field | Enter the supported username claim key. Note that the supported claims may differ for |
| Email field | Enter the supported email claim key. For example, |
| Name field | Enter the supported name claim key. For example, |
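The fields above map directly onto the OAuth 2.0 authorization-code exchange that Rocket.Chat performs against the identity provider. The following Python script is an example added to this guide, not code from Rocket.Chat or Microsoft. It builds each message of that exchange from a configuration with the same field names, so you can see where each value ends up: the redirect URI goes into the authorization request and must match the registered one exactly, "Token Sent Via: Payload" puts the client secret in the token POST body, "Identity Token Sent Via: Header" sends the access token as a Bearer header, and the claim-key fields pick values out of the userinfo response. Every host, path, ID, secret, claim name and the userinfo payload are constructed placeholders rather than Microsoft's values, and the rule in endpoint() for combining the URL and path fields is an assumption made for illustration.

```python
# Added example for this guide, not Rocket.Chat or Microsoft code. Every host,
# path, ID, secret and claim value below is a constructed placeholder.
import base64
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Constructed configuration mirroring the Custom OAuth form fields.
CONFIG = {
    "url": "https://idp.example.com/tenant-id",           # URL
    "authorize_path": "/oauth2/authorize",                # Authorize Path
    "token_path": "/oauth2/token",                        # Token Path
    "identity_path": "https://idp.example.com/userinfo",  # Identity Path
    "scope": "openid profile email",                      # Scope
    "token_sent_via": "payload",                          # Token Sent Via
    "identity_token_sent_via": "header",                  # Identity Token Sent Via
    "access_token_param": "access_token",                 # Param Name for access token
    "client_id": "00000000-0000-0000-0000-000000000000",  # Id
    "client_secret": "placeholder-client-secret",         # Secret
    "key_field": "email",                                 # Key Field ("username" or "email")
    "username_field": "preferred_username",               # Username field (claim key)
    "email_field": "email",                               # Email field (claim key)
    "name_field": "name",                                 # Name field (claim key)
}
CALLBACK_URL = "https://chat.example.com/_oauth/ms365"  # Callback URL shown by Rocket.Chat
SAMPLE_USERINFO = {  # constructed userinfo response, not a real payload
    "name": "Alice Example",
    "preferred_username": "alice@example.com",
    "email": "alice@example.com",
}


def endpoint(config, path_key):
    """Resolve a path field. Assumption for illustration: an absolute URL is used
    as-is, a relative path is appended to the URL field."""
    path = config[path_key]
    if path.startswith("https://"):
        return path
    return config["url"].rstrip("/") + "/" + path.lstrip("/")


def new_state():
    """Unguessable per-login value; keep it in the session and check it on return."""
    return secrets.token_urlsafe(32)


def authorize_url(config, callback, state):
    """Authorization request the browser is sent to (step 1 of the code flow)."""
    params = {"response_type": "code", "client_id": config["client_id"],
              "redirect_uri": callback, "scope": config["scope"], "state": state}
    return endpoint(config, "authorize_path") + "?" + urlencode(params)


def redirect_uri_matches(registered, requested):
    """Exact string comparison, as the OAuth 2.0 security BCP requires: a trailing
    slash, http instead of https or a different host all fail."""
    return registered == requested


def parse_callback(returned_url, expected_state):
    """Validate the provider's redirect back to /_oauth/<name> and extract the code."""
    q = parse_qs(urlsplit(returned_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible login CSRF or replayed callback")
    if "error" in q:
        raise ValueError("provider returned error: " + q["error"][0])
    return q["code"][0]


def token_request(config, code, callback):
    """Code-for-token exchange. 'Token Sent Via' decides where the client
    credentials go: the POST body (payload) or an HTTP Basic header."""
    body = {"grant_type": "authorization_code", "code": code, "redirect_uri": callback}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if config["token_sent_via"] == "payload":
        body["client_id"] = config["client_id"]
        body["client_secret"] = config["client_secret"]
    else:
        raw = f'{config["client_id"]}:{config["client_secret"]}'.encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    return {"url": endpoint(config, "token_path"), "headers": headers, "body": body}


def identity_request(config, access_token):
    """Userinfo call. 'Identity Token Sent Via' decides whether the access token
    travels as a Bearer header or as the named query parameter."""
    headers, params = {}, {}
    if config["identity_token_sent_via"] == "header":
        headers["Authorization"] = "Bearer " + access_token
    else:
        params[config["access_token_param"]] = access_token
    return {"url": endpoint(config, "identity_path"), "headers": headers, "params": params}


def map_identity(config, userinfo):
    """Apply the claim-key fields to a userinfo response. The Key Field claim must
    be present: it is what ties the login to a Rocket.Chat account."""
    key_claim = config[config["key_field"] + "_field"]
    if not userinfo.get(key_claim):
        raise ValueError(f"userinfo has no '{key_claim}' claim; cannot identify the user")
    return {"username": userinfo.get(config["username_field"]),
            "email": userinfo.get(config["email_field"]),
            "name": userinfo.get(config["name_field"])}
```

The script makes no network calls; import it into a REPL and call the functions with the constructed values to follow the exchange. Two points are worth keeping in mind when you debug a real integration: redirect_uri_matches() shows why the Callback URL and the registered redirect URI must be byte-for-byte identical, and parse_callback() rejects any response whose state does not match the one issued for that login attempt, which is the check that stops an attacker from completing the flow with a code of their own.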
After saving, the O365 OAuth button appears on the login and signup pages. Sign in with your Microsoft account to authenticate.
Rocket.Chat reads role information from the identity path (userinfo) response. The Microsoft identity endpoint does not return role or group information there, so roles cannot currently be synced to Rocket.Chat through this integration; roles for these users have to be managed in Rocket.Chat itself.