OAuth authentication with RoundCube

[idmacdonald]

Hi,

I am thinking that it would be very nice to set up RoundCube to authenticate against Stalwart via OAuth. That way, there would be a single sign-on that would give access to webmail as well as the account admin functions offered by the Stalwart web interface. Also, 2FA could be enabled in Stalwart and would also provide additional security for access to RoundCube.

Has anyone got this working?

A sample OAuth config for Roundcube looks like this:

$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'authentik';
$config['oauth_client_id'] = '<Client ID>';
$config['oauth_client_secret'] = '<Client Secret>';
$config['oauth_auth_uri'] = 'https://authentik.company/application/o/authorize/';
$config['oauth_token_uri'] = 'https://authentik.company/application/o/token/';
$config['oauth_identity_uri'] = 'https://authentik.company/application/o/userinfo/';
$config['oauth_scope'] = "email openid dovecotprofile";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];

I have tried to set up something similar so that RoundCube will authenticate against Stalwart via OAuth, but I haven't managed to get it working yet. I don't see where I would get the client ID and client secret to set in the RoundCube configuration. Is RoudCube's OAuth compatible with the Stalwart OAuth server? Or are they using different versions of OAuth, perhaps?

Any help or tips would be appreciated.

Best wishes,
-Ian

[idmacdonald]

So far, I haven't gotten this to work. Though I am using the RoundCube version from Debian stable, and I see that a bunch of improvements have been made to its OAuth client code since then. I might try with the version from Debian testing when I get a chance.

[mdecimus]

The easiest way to configure OAuth is using the autodiscovery endpoint at /.well-known/oauth-authorization-server as it provides all the information required about endpoints and available scopes.
Please note that OpenID support is going to be released this week so the identity_uri endpoint won't be available until then. Once it is released you can use OpenID autodiscovery at /.well-known/openid-configuration".

[idmacdonald]

The latest release of RoundCube, v1.6.9, doesn't appear to include support for RFC8414 (the .well-known endpoint). I tried manually configuring everything. RoundCube correctly redirected me to the Stalwart login "Authorize" page, but after entering a username and password there, I just get the Stalwart login page once again and am not redirected back to RoundCube. No errors are logged anywhere, so I am not sure what is going on.

I think I will wait until RoundCube 1.7 is released with the improved OAuth support. It sounds like by that point, Stalwart should support OpenID and so hopefully this will all work better.

[idmacdonald]

Actually, I experimented more with getting RoundCube to be an OAuth client authenticating against Stalwart. Even using the RoundCube version that doesn't support the .well-known config, I was eventually able to get RoundCube to authenticate against Stalwart with OAuth. But then of course RoundCube will need to use OAuth for IMAP authentication, as RoundCube doesn't have access to the user's password. With the current release of Stalwart, this fails, as Stalwart doesn't support OAuth as an IMAP authentication mechanism.

However, it looks like 6a5f963 has added support for IMAP authentication via OAuth/OIDC. Is that correct? If that's the case, I look forward to testing those new features and seeing if I can get this all to work.

[mdecimus]

Version 0.10.2 has been released a few days ago including OIDC support.

[PaddyPat]

Is there now a guide to test it on 0.10.2 with roundcube?
Got it working on dockermailserver but not on stalwart 0.10.2 (with old webmin)

[mdecimus]

There are no guides on how to configure external clients with Stalwart but you can try asking on Discord.