[BUG] Role obtained from oauth login are not updated at each connection

[lmopi]

Description:

The roles of a logged in user from SSO are not updated if the user has a new idp role

Steps to reproduce:

1. Configure a custom Oauth with merge roles from SSO: true
2. Sign in for the first time with user1
3. Add on the idp, a role to the user1
4. Reconnect with user1

Expected behavior:

The roles of the user must be updated at each connection

Actual behavior:

Only the roles of the first connection are taken into account
The groups are correctly seen in the debug logs but the user is not updated
The role already exists on rocketchet

Server Setup Information:

• Version of Rocket.Chat Server: 1.3.2
• Operating System: Linux
• Deployment Method: tar
• Number of Running Instances: 1
• NodeJS Version: v8.11.4
• MongoDB Version: 4.0.12

[lmopi]

@Hudell ?

[col-panic]

Does this feature even work at all? I try this using a custom oauth for keycloak, and have added the client-specific role "Admin" and "livechat-agent" - I also have enabled "Merge roles from SSO" but on register they never get attributed to the user. I also tried removing the user and doing a full logoff on keycloak site, re-registering the user - nothing is merged.

[lmopi]

Yes the feature works for the first connection. Have you correctly filled the mapper tab in your rockechat client from Keycloak side ?

[col-panic]

@lmopi I'm sorry I don't understand what tab you mean?! In Rocket.Chat I have Roles/Groups field name set to roles. In keycloak, I have no mappers. Do I need to set one here?

[lmopi]

Yes, you need to push your keycloak roles to rocketchat with a mapper like bellow but with roles

---

[col-panic]

Thanks for the help!!

The solution you show is specific to LDAP stored users (I assume!).

The mapping from the role info within rocketchat itself does not seem to work. I created a non-ldap user in keycloak, and manually assigned it the client-specific roles, and even this is not being taken into account.

Could you maybe verify, that your role mapping solution is working for a non-ldap-keycloak-provided user?

[col-panic]

I've managed to get it working for my basic scenario. I have added the required roles to the client, and the client-specific roles to the user. Mapping it to roles as shown in the images finally makes it working (for non-ldap).

[DRLDoom]

Is there any chance of role syncing, post initial user creation, is ever going to be implemented?

[col-panic]

I managed to realize this via SAML, where i provided a patch for role syncing.

[ShellyXueHan]

Also wondering if there are plans to implement role syncing in OAuth post initial user creation? Thx!