Author Topic: Keycloak and Roundcube problem  (Read 293 times)

Offline ewok2

Keycloak and Roundcube problem
« on: June 02, 2022, 05:02:02 PM »
Hello
I have a keycloak running in a vm on esxi => auth.mydomain.net
I have another vm with postfix, dovecot and roundcube

The roundcube mail server works fine
The keycloak works fine (with nextcloud and grafana)

But I would like to connect roundcube to the keycloak
I have followed a howto and it's almost working...

When selecting the "connecting with keycloak" button on the roundcube page I get the keycloak login page.
The keycloak login works (If I check with grafana and nextcloud it works)
But after the successful keycloak auth I arrive on an "ugly round cube page" (page with text only...)
And it is not connected...

I tried looking at mail.log, dovecot.log or roundcube.log but I don't see any error message

Any idea how to go further?

Many thanks

Offline ewok2

Re: Keycloak and Roundcube problem
« Reply #1 on: June 23, 2022, 04:14:24 PM »
Still trying to make it work...
I start from a fresh Ubuntu 22.04 install
add postfix / dovecot / roundcube
Configure roundcube to log in using an openldap
=> everything to this point works fine (with ssl or without)

then I add a client in keycloak called "roundcube"
 - with URL pointing to "https://round.mydomain.net/index.php/login/oauth"
 - with protocol openid-connect
 - with access type set to confidential
 - and defaults for the other options

I get the secret from keycloak to put in the config.inc.php from the roundcube conf, with the other settings set to:
Quote
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Keycloak mydomain';
$config['oauth_client_id'] = "roundcube";
$config['oauth_client_secret'] = "secret from keycloak";
$config['oauth_auth_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/auth";
$config['oauth_token_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token";
$config['oauth_identity_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/userinfo";
$config['oauth_verify_peer'] = true;
$config['oauth_scope'] = "email profile openid";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['preferred_username'];
$config['oauth_login_redirect'] = false;
$config['login_password_maxlen'] = 4096;

and that's all...

Did I miss something?

In the keycloak log I can see the "LOGIN" request working
I can see the login answer going from keycloak to roundcube.
But I did not see the "CODE_TO_TOKEN" stage in keycloak...

What is roundcube supposed to do when receiving a URL from keycloak like this?
Quote
https://round.mydomain.net/index.php/login/oauth?state=wewpDJttkEAw&session_state=21601475-f142-448f-bc0b-1eaf39ca2a57&code=0da14bae-cd8f-4566-b84c-faf20bb03f10.21601475-f142-448f-bc0b-1eaf39ca2a57.c9b27c45-74ae-42dc-948e-1701a37f2e9b

I thought roundcube would continue the protocol with keycloak to get the token?

Any idea for debugging will be appreciated (even if you don't have the solution :-) ) because I don't have any idea how to continue further without any error log ...

PS: I also configured the dovecot oauth connection but I think dovecot did not receive anything (tcpdump on the imaps port does not see any traffic) so the problem is between roundcube and keycloak...
« Last Edit: June 23, 2022, 04:38:22 PM by ewok2 »
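
Added example, not part of the original post and not Roundcube's own code: the standard OAuth 2.0 authorization-code step (RFC 6749 section 4.1.3) that Keycloak records as CODE_TO_TOKEN, using the endpoints and redirect URL quoted in the post. The state and code values, the function names and the secret placeholder are constructed for illustration; the request is built but not sent.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Endpoints and client id as quoted in the post; the secret is a placeholder.
TOKEN_URI = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token"
REDIRECT_URI = "https://round.mydomain.net/index.php/login/oauth"
CLIENT_ID = "roundcube"
CLIENT_SECRET = "secret from keycloak"  # placeholder, never a real value


def parse_callback(url, expected_state):
    """Check the redirect the browser receives after the Keycloak login.

    Returns the authorization code, or raises ValueError naming the reason
    the client would have to abort before the token exchange.
    """
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    landed_on = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if landed_on != REDIRECT_URI:
        raise ValueError(f"callback landed on {landed_on}, not the redirect URI")
    if "error" in params:
        raise ValueError(f"provider returned error: {params['error']}")
    if params.get("state") != expected_state:
        # state ties the callback to the login attempt stored in the session
        raise ValueError("state mismatch")
    if not params.get("code"):
        raise ValueError("no authorization code in callback")
    return params["code"]


def build_token_request(code):
    """Back-channel POST from the web server to the token endpoint."""
    body = urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,  # must equal the one used in the auth request
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,  # confidential client authenticates here
    })
    return {"method": "POST", "url": TOKEN_URI, "body": body,
            "headers": {"Content-Type": "application/x-www-form-urlencoded"}}


if __name__ == "__main__":
    # Constructed callback with the same shape as the URL in the post.
    sample = REDIRECT_URI + "?state=STATE123&session_state=SESS1&code=CODE456"
    request = build_token_request(parse_callback(sample, "STATE123"))
    print(request["method"], request["url"])
    print(request["body"])
```

Sending the built request by hand, with a fresh code taken from the browser redirect, shows whether the token endpoint is reachable from the Roundcube host and accepts the client; an authorization code is single-use and short-lived.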