TLS Client/mutual authentication via OAuth IDP doesn't work :(

[beranPro]

Description:

Hi,
i have an IDP (keycloak) which is configured to try TLS Client Auth before password authentication.
RC is configured to use the keycloak for authentication which works fine. Also on the mobiles over the chrome browser works the TLS Client authenticate well.

Now i tried to use the app, and he redirects me correctly to my keycloak, but sadly he didn't use or ask for a certificate.

Environment Information:

• Rocket.Chat Server Version: 3.5.4
• Rocket.Chat App Version: 4.9.0
• Device Name: Nokia 5.3
• OS Version: 10

Steps to reproduce:

1. Have an running TLS Client / mSSL Authentication via IDP & Oauth up and running
2. Try to login via IDP and client certificate

Expected behavior:

That the App (or the internal browser) should ask for the certificate

Actual behavior:

Didn't ask for the certificate

Additional context:

[diegolmello]

Hi, @beranPro.
Can you reach me on https://open.rocket.chat?
I'm @diego.mello.
Thank you.

[jangaraj]

It looks like from #2624 it is even worse. I'm not able to reach my IDP (Keycloak - SAML with mutual TLS) even for login/password auth.

Issue can be reproduced with SAML configuration pointed to https://client.badssl.com/:

[jangaraj]

I believe this patch is a problem:

Rocket.Chat.ReactNative/patches/react-native-webview+10.3.2.patch

Lines 63 to 97 in eeafa7f

	+ public void onReceivedClientCertRequest(WebView view, ClientCertRequest request) {
	+ class SslStuff {
	+ PrivateKey privKey;
	+ X509Certificate[] certChain;
	+
	+ public SslStuff(PrivateKey privKey, X509Certificate[] certChain) {
	+ this.privKey = privKey;
	+ this.certChain = certChain;
	+ }
	+ }
	+
	+ if (certificateAlias != null) {
	+ AsyncTask<Void, Void, SslStuff> task = new AsyncTask<Void, Void, SslStuff>() {
	+ @Override
	+ protected SslStuff doInBackground(Void... params) {
	+ try {
	+ PrivateKey privKey = KeyChain.getPrivateKey(reactContext, certificateAlias);
	+ X509Certificate[] certChain = KeyChain.getCertificateChain(reactContext, certificateAlias);
	+
	+ return new SslStuff(privKey, certChain);
	+ } catch (Exception e) {
	+ return null;
	+ }
	+ }
	+
	+ @Override
	+ protected void onPostExecute(SslStuff sslStuff) {
	+ if (sslStuff != null) {
	+ request.proceed(sslStuff.privKey, sslStuff.certChain);
	+ }
	+ }
	+ };
	+ task.execute();
	+ }
	+ }

There is no request.proceed, when cert was not selected -> IDP login form is not loaded, when mutual TLS is offered by IDP on the TCP level -> blank login screen - empty AuthenticationWebView:

There should be also else option:

if (certificateAlias != null) {
  <current code>
} else {
  //request.proceed // of course without any client certs - server will handle this situation - for example it will return login page (login/password) in my case
 super.onReceivedClientCertRequest(view, request);
}