It's possible to authenticate users in Rocket.Chat automatically from a third-party application. This is useful when embedding the chat inside another application, or simply to make users' lives easier.
There are two ways to use the Iframe integration for this purpose, both described below. Both options require your own application server to create the user through our APIs and log the user in to retrieve the user's session token, which is then passed to the Rocket.Chat client in one of these ways:
Embedding Rocket.Chat inside an Iframe
If you already have Rocket.Chat inside an iframe, you can call commands inside the Rocket.Chat iframe. There is a command to log the user in by passing a token; for that, you need your own way to retrieve the token from your own APIs and then pass it to the iframe.
We suggest one common way. Once your application loads:
Call your own API to retrieve the token, let's say /api/rocketchat/token
Your API will validate your own session, probably via cookies
Embedding your own "Loading page" inside the Rocket.Chat
Even when using Rocket.Chat inside an iframe, you can still use this method for the login flow instead of the iframe commands above.
This flow requires a page to be rendered in place of the normal Rocket.Chat login page. It can be a basic loading screen, since it's used for informational purposes only.
Rocket.Chat will call the configured API and Method to retrieve the token
The API should validate your own session via cookies
The API will then call the Rocket.Chat APIs to check if the user exists
If it doesn't exist, call the Rocket.Chat APIs to create the user
If the user exists, call the Rocket.Chat APIs to make the login and receive the token
Return the token in your API response in JSON format as described here
Rocket.Chat will use the token automatically to make the authentication
For this implementation you will need to configure CORS and X-FRAME:
Your server should not block the page you want to load inside the iframe. Check the X-FRAME for more information on how to prevent this.
Your server should not block calls from the Rocket.Chat domain to your configured API endpoint. Calls between domains are often blocked by default, so check the CORS for more information on how to prevent this.
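The CORS and framing requirements above can be met without opening the token endpoint to every origin. The following is an added example, not Rocket.Chat's own code: `RC_ORIGIN`, the `/loading` path and the `buildBody` callback are assumptions chosen for illustration.

```javascript
// Assumed placeholder: the origin your Rocket.Chat server is served from.
const RC_ORIGIN = "https://chat.example.com";

// CORS headers for the token endpoint. Returns null when the caller's
// Origin is not Rocket.Chat, so no other site can read the token.
function corsHeaders(origin, method) {
  if (origin !== RC_ORIGIN) return null; // exact match; never reflect Origin
  const headers = {
    "Access-Control-Allow-Origin": RC_ORIGIN,
    "Access-Control-Allow-Credentials": "true", // session cookie is sent
    "Vary": "Origin",
  };
  if (method === "OPTIONS") { // preflight request
    headers["Access-Control-Allow-Methods"] = "GET, POST";
    headers["Access-Control-Max-Age"] = "600";
  }
  return headers;
}

// Framing header for the loading page: only Rocket.Chat may embed it.
function frameHeaders() {
  return { "Content-Security-Policy": `frame-ancestors ${RC_ORIGIN}` };
}

// Node http-style handler. buildBody is a hypothetical function that
// validates the session cookie and returns the JSON body Rocket.Chat
// expects, or null when there is no valid session.
function handle(req, res, buildBody) {
  if (req.url === "/loading") {
    res.writeHead(200, { "Content-Type": "text/html", ...frameHeaders() });
    return res.end("<p>Signing you in...</p>");
  }
  const cors = corsHeaders(req.headers.origin, req.method);
  if (!cors) { res.writeHead(403); return res.end(); }
  if (req.method === "OPTIONS") { res.writeHead(204, cors); return res.end(); }
  const body = buildBody(req.headers.cookie);
  if (!body) { res.writeHead(401, cors); return res.end(); }
  res.writeHead(200, { "Content-Type": "application/json", ...cors });
  res.end(JSON.stringify(body));
}
```

If Rocket.Chat is itself embedded in your application, add that origin to `frame-ancestors` as well, because the directive is checked against every ancestor frame.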