
User is prompted to reset their password when logging in with OAuth provider #18000

Closed
wreiske opened this issue Jun 22, 2020 · 2 comments · Fixed by #18001

wreiske (Contributor) commented Jun 22, 2020

Description:

User is prompted to reset their password when logging in with OAuth provider

Steps to reproduce:

  1. Set up OAuth with a provider like GitHub or Google
  2. Have an account that already exists and is verified (this could be from a previous OAuth login predating version 3.3.0, a manually created account, or an LDAP-synced account)
  3. Try to log in with OAuth

[screenshot: Clipboard - June 22, 2020 11_30 AM]

Expected behavior:

Log in without issue.

Actual behavior:

[screenshot: Clipboard - June 22, 2020 11_25 AM]

Users are being prompted that the email is duplicated and not verified. They are required to reset their password even when we have password resets disabled. If they try to type in their current, correct password, it shows that the password can't be changed.

[screenshot: Clipboard - June 22, 2020 11_31 AM]

[screenshot: Clipboard - June 22, 2020 11_54 AM]

Server Setup Information:

  • Version of Rocket.Chat Server: Issue has been seen on 3.0.3 (ef1e0b3) and 3.3.0 (a987295)


wreiske (Contributor, Author) commented Jun 22, 2020

IMO if the allow password change setting is OFF, there's probably a good reason for it, and the user should never be able to change their password in Rocket.Chat.

It should maybe prompt the user to contact their administrator to unlock their account, or it should refuse to allow the user to log in at all if the email isn't verified. It looks like it possibly logs the user in but keeps them on that screen. They may be able to see incoming messages, use "Router.go" to change their route to a DM, etc.

pierre-lehnen-rc (Contributor) commented Jun 22, 2020

The feature exists to protect the user in case someone tried to use their email in the past. In that case, when they log in through OAuth they will be taking over the account that used their email, and by changing the password they'll be locking out the old user.
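Added example, not Rocket.Chat's code and not from either commenter: one way to express the account-linking decision this thread discusses, assuming a user record shaped as `emails: [{address, verified}]` and an `allowPasswordChange` setting. It covers the case the report hits, where password changes are disabled, by returning a clean refusal instead of a reset prompt that cannot succeed.

```javascript
// Illustrative policy for an OAuth login whose e-mail collides with an existing
// local account. Assumed shapes: oauthEmail = {address, verified},
// existingUser = {emails: [{address, verified}]}, settings = {allowPasswordChange}.
const Action = Object.freeze({
  LOGIN: 'login',                          // verified owner: link and sign in
  FORCE_PASSWORD_RESET: 'force_reset',     // unverified claimant: owner takes over
  CONTACT_ADMIN: 'contact_admin',          // cannot take over: resets disabled
  REJECT_UNVERIFIED: 'reject_unverified',  // provider did not verify the address
});

function decideOAuthLogin(oauthEmail, existingUser, settings) {
  // Only a provider-verified address may be used to match local accounts;
  // otherwise anyone could register an arbitrary address at the provider.
  if (!oauthEmail.verified) {
    return { action: Action.REJECT_UNVERIFIED, reason: 'provider e-mail unverified' };
  }
  if (!existingUser) {
    return { action: Action.LOGIN, reason: 'no existing account' };
  }
  const addr = oauthEmail.address.toLowerCase();
  const local = existingUser.emails.find((e) => e.address.toLowerCase() === addr);
  if (!local) {
    throw new Error('existingUser must be the account holding this address');
  }
  // Verified locally (manual signup, LDAP sync, pre-3.3.0 OAuth login): the
  // mailbox owner already proved ownership, so linking is safe.
  if (local.verified) {
    return { action: Action.LOGIN, reason: 'e-mail verified locally' };
  }
  // Unverified locally: someone may have registered this address without
  // owning it. The OAuth user has now proven ownership and may take the
  // account, but only after setting a password the earlier claimant lacks.
  if (settings.allowPasswordChange) {
    return { action: Action.FORCE_PASSWORD_RESET, reason: 'unverified local claimant' };
  }
  // Password changes are disabled, so the reset step can never succeed.
  // Refuse cleanly rather than leave a half-logged-in session on a reset screen.
  return { action: Action.CONTACT_ADMIN, reason: 'password change disabled' };
}
```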
