Open Authorization (OAuth) is an authorization protocol that acts as an intermediary and facilitates secure access to third-party applications without sharing user credentials, thereby protecting specific resources. Instead of usernames and passwords, OAuth uses tokens, serving as temporary access keys. Rocket.Chat offers integrations with various providers such as Google, Apple, and GitHub. This provides flexibility and security so users can log in with any of these credentials. You can also configure custom OAuth methods.
This section guides you through the required configuration details of each supported method.
Key features of OAuth integration
Controlled access: With the authentication methods, you can decide the user data that the workspace can access.
Single Sign-On (SSO): Users can sign in to the workspace without creating new usernames and passwords.
Flexibility: You can choose the authentication methods you want to implement in your workspace from the list of available options. Furthermore, you can also set up your own custom OAuth methods in your Rocket.Chat workspace.
Set up your OAuth method
Go to Administration > Workspace > Settings> OAuth. You can view a list of some OAuth methods that are supported by Rocket.Chat, including Google, Github, LinkedIn, etc. Select the method that meets your needs and provide the configuration parameters. Refer to the sub-sections where we go into the details of each method.
Refresh OAuth services
To update the options shown on your workspace login page based on your saved settings, click Refresh OAuth Services.
OAuth apps will have full access to user accounts, including the ability to perform any action on behalf of the user. You must proceed carefully while logging in and refuse access if you don’t trust the OAuth app.
Add Custom OAuth
To add a custom OAuth:
Click Add custom OAuth.
Give a unique name for your custom OAuth.
Click Add.
When configuring your OAuth Provider, you must include a Rocket.Chat callback URL. You will find this URL once you add a custom OAuth method. For example,
https://yourcompany.rocket.chat/_oauth/customoauthYou can enable this method now or after you have configured the settings:
Field | Description | Example value |
|---|---|---|
URL | The URL that is issued from the identity provider. | Okta: |
Token Path | The token endpoint from the identity provider is used to obtain access tokens. |
|
Token Sent Via | Select whether the token is sent via Header or Payload. |
|
Identity Token Sent Via | Select whether the identity token is sent via Header, Payload, or the same method as the Token sent via field. |
|
Identity Path | The user information endpoint is used to retrieve user data. Enter the path from the user endpoint. | Okta: |
Authorize Path | Enter the path from the authorization endpoint. | Okta: Microsoft: |
Scope | The scope defines the user access level and permissions that you have configured in the identity provider. | Okta: Microsoft: |
Param Name for access token | The name of the access token. |
|
Id | The client ID value from your identity provider. |
|
Secret | The client secret value from your identity provider. |
|
Login Style | Select the type of the login screen. The options are:
|
|
Button Text | Enter the text that will be displayed on the login button. |
|
Button Text Color | Enter the color of the login text.
|
|
Button Color | Enter the color of the login button. |
|
Key Field | Select the field with which users can log in and which will maintain unique user IDs. The options are:
|
|
Username field | With this field, you can prevent users from selecting their own usernames while signing in for the first time. Thus, users will retain the usernames from the identity provider, maintaining consistency. | Okta: In the Okta profiles of your users, enter values in the Nickname field. In your Rocket.Chat custom OAuth method, enter Microsoft: You can refer to the userinfo endpoint for details. |
Email field | Enter the supported email claim key. | Microsoft: |
Name field | Enter the supported name claim key. | Mircosoft: |
Avatar field | Enter the user avatar field from your identity provider. | Okta: |
Show Button on Login Page | Enable this option to show the login button on the workspace login screen. | |
Sync configurations | ||
Roles/Groups field name | Enter the roles or groups field from the identity provider. This will be used to identify which roles or groups need to be merged when the Merge Roles from SSO field is enabled. |
|
Roles/Groups field for channel mapping | Enter the roles or groups field from the identity provider. This will be used to identify the field that should be used to map roles/groups to Rocket.Chat channels. | Okta: If you have groups for the users, Okta can return the Keycloak: For an example of how the mapping works in Keycloak, see the Advanced Configuration example. |
User Data Group Map | The admin user used to create rooms defined in the OAuth Group Channel Map field. |
|
Map Roles/Groups to channels | Enable this option to add users to Rocket.Chat channels. | |
Merge Roles from SSO | Enable this option to merge user roles from the identity provider to the Rocket.Chat users. | |
Roles to Sync | List the roles (comma-separated values) that should be synced when the Merge Roles from SSO option is enabled. | |
Merge users | Enable this option to allow users from OAuth to be merged with existing users on the Rocket.Chat database. | |
Merge users from distinct services | Enable this option to allow users from OAuth to be merged with existing users regardless of their origin service. | |
OAuth Group Channel Map | From this mapping, users that belong to the specific groups are inserted into all the associated Rocket.Chat rooms. Note the following points:
| Here, |
Save the changes once you’ve configured the custom OAuth method.
Next, let's delve into the configuration details of each of the supported OAuth options in the following sections.