
OAuth server requires an optional parameter 'state' after 6.3.6 update (from 4.6.3) #30423

@sanyappc

Description:

We are using Rocket.Chat as an OAuth server for Wiki.js.
Authorization broke after updating Rocket.Chat to 6.3.6.

Steps to reproduce:

  1. Add Rocket.Chat authentication to Wiki.js
  2. Add a new OAuth Application in Rocket.Chat->Administration->OAuth Applications
  3. Try to authenticate in Wiki.js with Rocket.Chat

Expected behavior:

  1. Press auth with Rocket.Chat in Wiki.js
  2. Select auth profile in Rocket.Chat
  3. Redirect to Wiki.js

Actual behavior:

  1. Press auth with Rocket.Chat in Wiki.js
  2. Select auth profile in Rocket.Chat
  3. Get an error 400

Request:
https://[rc]/oauth/authorize?response_type=code&redirect_uri=[redirect_uri]&scope=openid%20profile%20email&client_id=[client_id]
returns 400:
{"error":"invalid_request","error_description":"Missing parameter: `state`"}

Server Setup Information:

  • Version of Rocket.Chat Server: 6.3.6
  • Operating System: debian
  • Deployment Method: docker
  • Number of Running Instances: 1
  • DB Replicaset Oplog: enabled
  • NodeJS Version: v14.21.3
  • MongoDB Version: 6.0.9 / wiredTiger

Additional context

It looks like after the update the 'state' parameter became mandatory, while it should be optional. When any state value (for example, &state=1) is appended to the URL, authorization is successful.
