Rocket.Chat SSO + embed plugin

I have added this feature to the plugin. Just update it to the latest version and then set the discourse rocketchat default channel setting to empty.

1 Like

That’s great! I’m going to update and test it as soon as I am back at my place next week.
Thank you again!

This plugin is causing some problems on my end for all of the users:

After pressing the Login CAS button, a pop-up emerges with the following link

rocketchat.domain/_cas/BJZ6ef4aSDdeEf5C?ticket=c27a3525gg4ggff7f859f4a3a37c

(I randomized some parts of the pasted tokens for security reasons).

It’s a blank page that doesn’t close itself, and the login does not proceed unless the user closes the window. Once the user closes this pop-up window, the login proceeds and everything works fine afterwards. It happens every time someone tries to log in, even for users that logged in previously.

Were you able to get the auto-redirect working? I’ve tried @RGJ’s custom script as well as this CAS plugin: Add direct login redirect for a CAS-enabled RC instance · Issue #2327 · RocketChat/Rocket.Chat · GitHub, but to no avail.

There is an inline script there to close that window which is probably not being whitelisted in your CSP.
As a quick fix, on Rocket.Chat side, go to Admin - General and disable “Enable Content-Security-Policy”. Please note that this might open up your site to security issues. You should address the underlying problem.

Please limit all reports and requests here to issues concerning the plugin. Any error that is happening within Rocket.Chat or on your Rocket.Chat hostname should be considered a Rocket.Chat issue and not an issue of Discourse or the plugin.

1 Like

I tested the new version and it works great! Thank you so much!

1 Like

@Mr.X_Mr.X, I was experiencing the same problem with the blank window that was not closing, and I was thinking that the problem was due to something wrong that I was doing in the CAS configuration.
I disabled Content-Security-Policy and now the white windows autoclose. Thank you Richard for explaining where the problem was!
Still, it would be great to be able to understand how to add the exception and enable this security feature.

@RGJ Sorry for asking, but isn’t this problem related to your plug-in? Isn’t the inline script embedded in your plug-in? Or were you talking about an inline script manually added on the Rocket.Chat side?
Thank you very much again.

No, it’s in the CAS popup within Rocket.Chat (you can see that the URL of the popup window is on the RC hostname).

Alright, sorry, I promise I will not ask more after this single question:
then would you suggest adding a whitelist to the Rocket.Chat CSP (probably adding the Discourse domain, I guess)?

No, this is 100% an issue on Rocket.Chat side. The Rocket.Chat JavaScript is trying to close a Rocket.Chat popup window but it is not allowed to per the Rocket.Chat CSP.
It happens with every login popup in Rocket.Chat, like CAS or OAuth2. If you search for it then you will find other reports as well.
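
An added example, not part of the thread and not Rocket.Chat or plugin code: a simplified Python model of the check a browser applies to an inline script under a Content-Security-Policy, plus the hash source expression that allowlists one exact script body while CSP stays enabled. The sample script and all policy strings are constructed; how a Rocket.Chat admin can extend the CSP is not stated in this thread.

```python
import base64
import hashlib

# Constructed stand-in for an inline "close this popup" script; the real
# script body served by Rocket.Chat is not shown in this thread.
SAMPLE_INLINE_SCRIPT = "window.close();"

HASH_ALGOS = {"sha256": hashlib.sha256, "sha384": hashlib.sha384,
              "sha512": hashlib.sha512}


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:  # first occurrence wins
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_hash(script_text, algo="sha256"):
    """Return the quoted hash source expression for the exact script text."""
    digest = HASH_ALGOS[algo](script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def inline_script_allowed(header, script_text, nonce=None):
    """Decide whether an inline <script> element passes the given policy."""
    policy = parse_csp(header)
    for name in ("script-src-elem", "script-src", "default-src"):
        if name in policy:  # most specific directive present governs
            sources = policy[name]
            break
    else:
        return True  # no directive governs scripts, so nothing is blocked
    lowered = [s.lower() for s in sources]
    strict = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                 or s == "'strict-dynamic'" for s in lowered)
    # 'unsafe-inline' is ignored once a nonce, hash or 'strict-dynamic' is present.
    if "'unsafe-inline'" in lowered and not strict:
        return True
    if nonce and "'nonce-%s'" % nonce in sources:
        return True
    return any(csp_hash(script_text, algo) in sources for algo in HASH_ALGOS)
```

The hash covers the script text byte for byte, so any change to the inline script, including whitespace, needs a new hash in the policy.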

Great. Thank you very much again for your explanation!

Would there be any way to have topic-specific channels? So if the plugin were displayed on this topic, the channel would automatically be set to “rocket-chat-sso-embed-plugin-for-discourse”?