7.6.1 login in android app with disabled user registration and only OIDC keycloak login enabled not working #36089

Closed
ruslantum opened this issue May 27, 2025 · 5 comments

@ruslantum

Description:

7.6.1 login in Android app with disabled user registration and login form and only OIDC Keycloak login enabled is not working; it shows: "New user registration is currently disabled"

Steps to reproduce:

  1. enable keycloak oidc/oauth
  2. disable registration and login form
    Workspace > Settings > Layout > Login > Show Default Login Form > Disabled
    Workspace > Settings > Accounts > Registration > Registration Form > Disabled
  3. install app
  4. try to login

Expected behavior:

Expected Login Button for Keycloak.

Actual behavior:

No Keycloak Button, only "New user registration is currently disabled" text.

Server Setup Information:

  • Version of Rocket.Chat Server: 7.6.1
  • License Type: Community
  • Number of Users: ~350
  • Operating System: Alma 9
  • Deployment Method: helm
  • Number of Running Instances: 1
  • DB Replicaset Oplog: Enabled
  • NodeJS Version: v22.13.1
  • MongoDB Version: 6.0.10 / wiredTiger (oplog Enabled)

Client Setup Information

  • Desktop App or Browser Version: 4.60.0.79290
  • Operating System: Android 15

Additional context

@rekup
rekup commented Jun 3, 2025

We observe the same behavior in the iOS App with server version 7.6.1

@rekup
rekup commented Jun 4, 2025

I used Burp to look at the traffic between the iOS app and the rocket.chat server. I first started a local rocket.chat server with version 7.5.1 and then compared the requests to those with rocket.chat 7.6.1. Early in the sign-in process the app makes a request to /api/v1/settings.oauth, and the server sends this response:

(response of server version 7.6.1)

{
  "services": [
    {
      "_id": "<some id>",
      "service": "mysso",
      "clientId": "my_client_id",
      "custom": true,
      "serverURL": "https://sso.example.org/auth",
      "tokenPath": "/realms/myrealm/protocol/openid-connect/token",
      "identityPath": "/realms/myrealm/protocol/openid-connect/userinfo",
      "authorizePath": "/realms/myrealm/protocol/openid-connect/auth",
      "scope": "openid",
      "buttonLabelText": "Login with SSO",
      "buttonLabelColor": "#1f2329",
      "loginStyle": "redirect",
      "buttonColor": "#e4e7ea",
      "tokenSentVia": "header",
      "identityTokenSentVia": "default",
      "usernameField": "preferred_username",
      "mergeUsers": true,
      "keyField": "username",
      "rolesToSync": "",
      "mergeUsersDistinctServices": false,
      "accessTokenParam": null,
      "avatarField": null,
      "channelsAdmin": null,
      "channelsMap": null,
      "emailField": null,
      "groupsClaim": null,
      "mapChannels": null,
      "mergeRoles": null,
      "nameField": null,
      "rolesClaim": null,
      "showButton": null
    }
  ],
  "success": true
}

All the lower fields (showButton, rolesClaim etc.) are null, whereas with server version 7.5.1 these fields are populated. If I intercept the response and modify the showButton field from null to true, I am able to log in using my SSO provider.

I don't know the code base of rocket.chat at all and cannot assess whether this behavior is intended or not, but maybe it helps someone else to fix the bug.
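
As an added example (not part of the comment above and not Rocket.Chat code), this script audits a saved /api/v1/settings.oauth response body for custom OAuth services whose fields come back null, as in the 7.6.1 response quoted above. The function names, the trimmed sample and the second `mysso2` entry are constructed for illustration.

```javascript
// Constructed sample: first entry trimmed from the 7.6.1 response quoted in the
// thread; second entry is a hypothetical service with its fields populated.
const sampleResponse = {
  services: [
    {
      service: 'mysso',
      custom: true,
      serverURL: 'https://sso.example.org/auth',
      scope: 'openid',
      buttonLabelText: 'Login with SSO',
      mergeUsers: true,
      rolesClaim: null,
      groupsClaim: null,
      mergeRoles: null,
      showButton: null,
    },
    { service: 'mysso2', custom: true, rolesClaim: 'roles', showButton: true },
  ],
  success: true,
};

// Returns one record per custom OAuth service: which keys are null and whether
// showButton is literally true. In the thread the mobile app only offered the
// SSO button once showButton was changed from null to true.
function auditOAuthServices(body) {
  if (!body || body.success !== true || !Array.isArray(body.services)) {
    throw new TypeError('not a successful settings.oauth response');
  }
  return body.services
    .filter((svc) => svc && svc.custom === true)
    .map((svc) => ({
      service: svc.service,
      nullFields: Object.keys(svc).filter((k) => svc[k] === null).sort(),
      showButtonIsTrue: svc.showButton === true,
    }));
}

// Names of services that look like configs with unpopulated settings.
function staleServices(body) {
  return auditOAuthServices(body)
    .filter((r) => !r.showButtonIsTrue || r.nullFields.length > 0)
    .map((r) => r.service);
}

console.log(JSON.stringify(auditOAuthServices(sampleResponse), null, 2));
console.log('needs review:', staleServices(sampleResponse));
```

Null entries such as rolesClaim, groupsClaim and mergeRoles are worth reviewing together with showButton, since they show which of the service's settings the server returned without a value.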

@tcdev0
tcdev0 commented Jun 5, 2025

I could fix this issue by creating a new custom OAuth account setting in Rocket.Chat for Keycloak (you will notice new config fields) and disabling the old one.

In this new config block you will see a field Show Button on Login Page which defaults to true.

@rekup
rekup commented Jun 5, 2025

We recreated the OAuth config in our setup and I can confirm that this solves the login issue. Thanks @tcdev0!

@ruslantum
Author

OK, after recreating the config it seems to work again.
