Roundcube Community Forum

 

[SOLVED] Keycloak and Roundcube problem

Started by ewok2, June 02, 2022, 05:02:02 PM


ewok2

Hello
I have a Keycloak running in a VM on ESXi => auth.mydomain.net
I have another VM with Postfix, Dovecot and Roundcube

The Roundcube mail server works fine
The Keycloak works fine (with Nextcloud and Grafana)

But I would like to connect Roundcube to the Keycloak
I have followed a howto and it's almost working...

When selecting the "connecting with keycloak" button on the Roundcube page I get the Keycloak login page.
The Keycloak login works (if I check with Grafana and Nextcloud it works)
But after the successful Keycloak auth I arrive on an "ugly Roundcube page" (page with text only...)
And it is not connected...

I tried to look at mail.log, dovecot.log or roundcube.log but I don't see any error message

Any idea to go further?

Many thanks

ewok2

#1
Still trying to make it work...
I start from a fresh Ubuntu 22.04 install
add Postfix / Dovecot / Roundcube
Configure Roundcube to log in using an OpenLDAP
=> everything up to this point works fine (with SSL or without)

then I add a client in Keycloak called "roundcube"
- with URL pointing to "https://round.mydomain.net/index.php/login/oauth"
- with protocol openid-connect
- with access type confidential
- and default for the other options

I get the secret from Keycloak to put in the config.inc.php of the Roundcube conf, with the other settings set to:
// Generic OIDC provider; the name is what the login button shows
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Keycloak mydomain';
// Client id and secret of the "roundcube" client created in Keycloak
$config['oauth_client_id'] = "roundcube";
$config['oauth_client_secret'] = "secret from keycloak";
// Realm endpoints: authorization, token exchange and userinfo
$config['oauth_auth_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/auth";
$config['oauth_token_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token";
$config['oauth_identity_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/userinfo";
// Verify the provider's TLS certificate on the back-channel requests
$config['oauth_verify_peer'] = true;
$config['oauth_scope'] = "email profile openid";
// Extra query parameters for the authorization request (none here)
$config['oauth_auth_parameters'] = [];
// Claim(s) from the userinfo reply used as the Roundcube login name
$config['oauth_identity_fields'] = ['preferred_username'];
// Keep Roundcube's own login form; do not redirect straight to Keycloak
$config['oauth_login_redirect'] = false;
// Access tokens are long and are stored in place of the password
$config['login_password_maxlen'] = 4096;

and that's all...

Did I miss something?

In the Keycloak log I can see the "LOGIN" request working
I can see the answer of the login going from Keycloak to Roundcube.
But I do not see the "CODE_TO_TOKEN" stage in Keycloak...

What is Roundcube supposed to do when receiving a URL from Keycloak like this?
https://round.mydomain.net/index.php/login/oauth?state=wewpDJttkEAw&session_state=21601475-f142-448f-bc0b-1eaf39ca2a57&code=0da14bae-cd8f-4566-b84c-faf20bb03f10.21601475-f142-448f-bc0b-1eaf39ca2a57.c9b27c45-74ae-42dc-948e-1701a37f2e9b

I thought Roundcube would continue the protocol with Keycloak to get the token?

Any idea to debug will be appreciated (even if you don't have the solution :-) ) because I don't have any idea how to continue further without any error log...

PS: I also configured the Dovecot OAuth connection but I think Dovecot did not receive anything (tcpdump on the imaps port does not see any traffic) so the problem is between Roundcube and Keycloak...

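What a client is expected to do with that callback, as an added example that is not Roundcube's code (Roundcube implements this in PHP; this is a Python sketch of the same authorization-code exchange, with the HTTP POST left out so it runs offline). The endpoint URLs and the callback are the ones quoted in the post above; the client secret, the state value kept in the session and the token-endpoint reply are constructed for illustration.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit

# Endpoints as posted in the thread.
TOKEN_URI = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token"
REDIRECT_URI = "https://round.mydomain.net/index.php/login/oauth"

# The callback URL quoted in the post, verbatim.
CALLBACK_URL = (
    "https://round.mydomain.net/index.php/login/oauth"
    "?state=wewpDJttkEAw"
    "&session_state=21601475-f142-448f-bc0b-1eaf39ca2a57"
    "&code=0da14bae-cd8f-4566-b84c-faf20bb03f10."
    "21601475-f142-448f-bc0b-1eaf39ca2a57.c9b27c45-74ae-42dc-948e-1701a37f2e9b"
)

# Constructed stand-in for the token endpoint's answer (not a real Keycloak reply).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiJ9.constructed.access",
    "id_token": "eyJhbGciOiJSUzI1NiJ9.constructed.id",
    "refresh_token": "constructed.refresh",
    "token_type": "Bearer",
    "expires_in": 300,
    "scope": "openid email profile",
})


def parse_callback(url, expected_state):
    """Step 1: the browser comes back with ?state&code. Before anything else the
    client checks `state` against the value it stored in this user's session;
    that is the guard against a forged callback logging someone into a foreign
    account (login CSRF). The code itself is opaque and single-use."""
    q = parse_qs(urlsplit(url).query)
    if "error" in q:
        raise ValueError("provider returned error: %s" % q["error"][0])
    state = q.get("state", [None])[0]
    code = q.get("code", [None])[0]
    if state is None or code is None:
        raise ValueError("callback is missing state or code")
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback does not belong to this session")
    return code


def build_token_request(code, client_id, client_secret):
    """Step 2: the back-channel POST that Keycloak logs as CODE_TO_TOKEN.
    Code, the exact registered redirect_uri and the client credentials travel
    in the form body over TLS, never in a URL the browser sees."""
    form = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,   # must equal the registered URI byte for byte
        "client_id": client_id,
        "client_secret": client_secret,
    }
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URI, headers, urlencode(form)


def parse_token_response(body):
    """Step 3: sanity-check the token endpoint's JSON before trusting it. The
    id_token is a JWT that still has to be signature-verified against the realm
    keys (not done here); the access_token is what is later presented to IMAP/SMTP."""
    t = json.loads(body)
    if "error" in t:
        raise ValueError("token endpoint error: %s" % t["error"])
    if t.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    for k in ("access_token", "id_token", "expires_in"):
        if k not in t:
            raise ValueError("token response lacks " + k)
    return t


def complete_login(callback_url, session_state, client_id, client_secret, token_endpoint_reply):
    """The server-side half of the login end to end; the caller hands in the
    token endpoint's reply in place of the real HTTP round trip."""
    code = parse_callback(callback_url, session_state)
    uri, headers, body = build_token_request(code, client_id, client_secret)
    # a real client POSTs `body` to `uri` with `headers` here and receives `token_endpoint_reply`
    tokens = parse_token_response(token_endpoint_reply)
    return {"token_request": (uri, headers, body), "access_token": tokens["access_token"]}
```

If no request ever arrives at the token endpoint (no CODE_TO_TOKEN in the Keycloak log), step 1 never ran on the server: the web server in front of the application did not hand the callback to it, which is where the rest of the thread ends up.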
ewok2

#2
Still trying to make it work...

I was wondering if the problem is not due to the fact that I connect to Roundcube with username/password and not with email/password?
The user/password database is on an OpenLDAP base.
=> maybe Keycloak sends the email with the scope instead of the username?

I tried to connect to Roundcube with email/password
The password check seems to work but I get this
PHP Error: Access denied for new user user@domain.net. 'auto_create_user' is disabled in....
in "/var/www/roundcube/logs/errors.log"

I tried to change the %u to %n in Dovecot but without effect...
($config['smtp_user'])

Any idea?

Thanks

SKaero

Do you have "auto_create_user" set to false in your Roundcube config? By default it's set to true and would need to be set to true for new users to log in.

// Automatically register user in Roundcube database on successful (IMAP) logon.
// Set to false if only registered users should be allowed to the webmail.
// Note: If disabled you have to create records in Roundcube users table by yourself.
// Note: Roundcube does not manage/create users on a mail server.
$config['auto_create_user'] = true;

ewok2

Yes, "auto_create_user" is set to false on purpose
In my case user1 has his account created

When he logs in as "user1" he has access to his directory with all his mail sent to user1@mydomain

but if he tries to connect as "user1@mydomain" I get the error message because Roundcube/Dovecot try to log in to a Maildir "user1@mydomain" instead of "user1".
=> I want that if user1 connects with "user1@mydomain" he is connected to the "user1" Maildir directory

ewok2

Hello
Still trying to make it work
With a friend who also has Roundcube connected to Keycloak we made some cross checks.

his Roundcube pointing to my Keycloak => works
my Roundcube pointing to his Keycloak => does not work

Some interesting points: his usernames are identical to the email addresses
My username is the email without the "@domain.name"

And when not working I get the following error message in the Dovecot log:
Nov 20 19:21:33 auth: Error: oauth2(user1,XX.YY.ZZ.SS,<Yi02AuvtMeBVDoA8>): oauth2 failed: Introspection failed: No username returned

I have the feeling it is linked to Dovecot and Roundcube sending the username without the @domain.name... but don't know how to go further...

Any idea to find the error?

Thanks


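How Dovecot's oauth2 backend gets from a token to a username, as an added emulation written for this page (not Dovecot's code) to show where "Introspection failed: No username returned" and a username-versus-email mismatch come from. The userinfo URL is the one quoted earlier in the thread and is assumed here to be what Dovecot's introspection_url points at; the JSON replies are constructed in the shape Keycloak's userinfo endpoint returns for the scope "openid email profile"; the option names (introspection_mode, username_attribute, username_validation) are those of dovecot-oauth2.conf.ext, and the mismatch wording is this example's own. It also covers the "auth" mode the thread settles on later.

```python
import json
from urllib.parse import urlencode

# Keycloak userinfo endpoint as quoted in the thread; assumed to be Dovecot's introspection_url.
USERINFO_URL = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/userinfo"

# Constructed reply in the shape Keycloak's userinfo endpoint returns for "openid email profile".
KEYCLOAK_USERINFO = json.dumps({
    "sub": "f0e1d2c3-0000-4000-8000-000000000001",
    "email_verified": True,
    "preferred_username": "user1",
    "email": "user1@mydomain.net",
})
EMPTY_REPLY = "{}"   # constructed: a 200 that carries no user claims at all


class IntrospectionFailed(Exception):
    pass


def introspection_request(mode, token, url=USERINFO_URL):
    """Return (method, url, headers, body) for a Dovecot introspection_mode.
    'auth': GET with the token in an Authorization: Bearer header, which is what
            an OIDC userinfo endpoint reads.
    'post': POST with token=<token> as a form body, RFC 7662 introspection style,
            intended for a dedicated introspection endpoint rather than userinfo."""
    if mode == "auth":
        return "GET", url, {"Authorization": "Bearer " + token}, None
    if mode == "post":
        return ("POST", url,
                {"Content-Type": "application/x-www-form-urlencoded"},
                urlencode({"token": token}))
    raise ValueError("introspection_mode not modelled here: " + mode)


def username_from_reply(reply_json, login_user, username_attribute="email",
                        username_validation=True):
    """Emulate the username step after a successful introspection call.
    username_attribute defaults to 'email' as in Dovecot; the claim has to be
    present in the reply, and with username_validation on it also has to equal
    the name the IMAP client logged in with, otherwise the token is refused.
    'No username returned' is the wording from the log line in the thread."""
    reply = json.loads(reply_json)
    name = reply.get(username_attribute)
    if not name:
        raise IntrospectionFailed("No username returned")
    if username_validation and name != login_user:
        raise IntrospectionFailed(
            "username %r from token does not match login user %r" % (name, login_user))
    return name
```

With the Roundcube config from earlier in the thread, the webmail logs in to IMAP as preferred_username ("user1"); if Dovecot's username_attribute is still the default "email", the two sides name the same person differently and the token is refused even when introspection itself succeeds. A setup where usernames equal the email address never hits that case, which is consistent with the cross check above.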
ewok2

Yes !!! It works

2 errors in my conf:
1st => the nginx in the Roundcube VM was removing the info sent by Keycloak

I changed my conf from:
location ~ \.php$ {
    # matches only URIs that end in .php, so /index.php/login/oauth is never passed to PHP-FPM
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}
to
location ~ [^/]\.php(/|$) {
    # also matches /index.php/<path info>; split the script name from the trailing path
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
}

I also added in the nginx fastcgi:
# hand the split-off part (e.g. /login/oauth) to PHP as PATH_INFO
fastcgi_param  PATH_INFO          $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;


And at last I changed in /etc/dovecot/dovecot-oauth2.conf.ext
introspection_mode = post
to
introspection_mode = auth


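Why the first nginx config silently dropped the callback, as an added example that is not from the thread or from nginx: a small Python emulation of the two location regexes and the fastcgi_split_path_info rule from the post, applied to the Keycloak callback URI. The document root and the set of files that exist under it are assumed for illustration. It goes one step beyond the post: the second config drops the `try_files $uri =404;` guard, and the emulation shows what that costs and the `try_files $fastcgi_script_name =404;` check that restores it.

```python
import re

# Assumed for the emulation: the document root and which files exist under it.
DOCROOT = "/var/www/roundcube"
EXISTING_FILES = {
    "/var/www/roundcube/index.php",
    "/var/www/roundcube/uploads/evil.jpg",   # a non-PHP file an attacker could control
}

# The two `location` regexes and the split rule exactly as in the post.
OLD_LOCATION = re.compile(r"\.php$")
NEW_LOCATION = re.compile(r"[^/]\.php(/|$)")
SPLIT_PATH_INFO = re.compile(r"^(.+?\.php)(/.*)$")


def _path(uri):
    # nginx matches `location` against the path only, never the query string.
    return uri.split("?", 1)[0]


def route_old(uri):
    """Old config: location ~ \\.php$ { try_files $uri =404; ... }
    Returns ("php", fastcgi params) when the request reaches PHP-FPM, else why not."""
    path = _path(uri)
    if not OLD_LOCATION.search(path):
        return "not a php location", None       # some other location block handles it, no PHP
    if DOCROOT + path not in EXISTING_FILES:
        return "404", None                      # try_files $uri =404
    return "php", {"SCRIPT_FILENAME": DOCROOT + path, "PATH_INFO": ""}


def route_new(uri, check_script_exists=True):
    """New config: location ~ [^/]\\.php(/|$) with fastcgi_split_path_info.
    check_script_exists=True adds `try_files $fastcgi_script_name =404;` after
    the split, the guard the post's final config does not have: without it a
    request like /uploads/evil.jpg/x.php is passed to PHP-FPM with a
    SCRIPT_FILENAME that does not exist, and PHP with cgi.fix_pathinfo=1 will
    walk the path back and run /uploads/evil.jpg as PHP."""
    path = _path(uri)
    if not NEW_LOCATION.search(path):
        return "not a php location", None
    m = SPLIT_PATH_INFO.match(path)
    if m:
        script, path_info = m.group(1), m.group(2)
    else:
        script, path_info = path, ""            # no match: nginx leaves $fastcgi_script_name whole
    if check_script_exists and DOCROOT + script not in EXISTING_FILES:
        return "404", None
    return "php", {"SCRIPT_FILENAME": DOCROOT + script, "PATH_INFO": path_info}
```

The practical takeaway for the corrected config: keep `try_files $fastcgi_script_name =404;` right after `fastcgi_split_path_info`, and set `cgi.fix_pathinfo=0` in php-fpm so that a non-existent script is refused on both sides.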

violetdragon

Just out of interest, did you manage to get this working? Any other configuration required?

Regards

ewok2

Hello
Yes, the subject is tagged SOLVED
So it has been working for 2 years without any trouble ;-)