Author Topic: [SOLVED] Keycloak and Roundcube problem  (Read 6839 times)

Offline ewok2

  • Jr. Member
  • **
  • Posts: 17
[SOLVED] Keycloak and Roundcube problem
« on: June 02, 2022, 05:02:02 PM »
Hello
I have a keycloak runing in a vm on esxi => auth.mydomain.net
I have another vm with postfix dovecot ans roundcube

The roundcube mail server works fine
The keycloak works fine (with nextcloud ans grafana)

But I would like to connect roundcube on the keycloak
I have follow a howto and it's almost working...

When selecting the "connecting with keycloak" button on roundcube page I get the keycloak login page.
The keycloak login works (If I check with grafana and nextcloud it works)
But after the keycloak successfull auth I arrive on a "ugly round cube page"  (page with text only...)
And it is not connected...

I try to watch at mail.log dovecot.log or roundcube.log but I don't see any error message

Any idee to go further?

manythanks
« Last Edit: December 21, 2022, 07:55:42 AM by ewok2 »

Offline ewok2

  • Jr. Member
  • **
  • Posts: 17
Re: Keycloak and Roundcube problem
« Reply #1 on: June 23, 2022, 04:14:24 PM »
Still trying to make it works...
I strat from a fresh unbuntu 22.04 install
add postfix / dovecot / roundcube
Configure roundcube to log in using a openldap
=> everything to this point work fine (with ssl or without)

then I add a client in keycloak called "roundcube"
 - with URL pointing to "https://round.mydomain.net/index.php/login/oauth"
 - with protocol openid-connect
 - with access type to confidential
 - and default for other option

I get  the secret from keycloak to put in the config.inc.php from roundcube conf with other set to :
Quote
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Keycloak mydomain';
$config['oauth_client_id'] = "roundcube";
$config['oauth_client_secret'] = "secret from keycloak";
$config['oauth_auth_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/auth";
$config['oauth_token_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/token";
$config['oauth_identity_uri'] = "https://auth.mydomain.net/realms/myrealms/protocol/openid-connect/userinfo";
$config['oauth_verify_peer'] = true;
$config['oauth_scope'] = "email profile openid";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['preferred_username'];
$config['oauth_login_redirect'] = false;
$config['login_password_maxlen'] = 4096;

and that's all...

Did I miss something ?

In keycloak log I can see the "LOGIN" request working
I can see the answer of login going from keycloak to roundcube.
But I did not see the "CODE_TO_TOKEN" stage in keycloak...

What is supose toi do roundcube when receiving an url from keycloak like this ?
Quote
https://round.mydomain.net/index.php/login/oauth?state=wewpDJttkEAw&session_state=21601475-f142-448f-bc0b-1eaf39ca2a57&code=0da14bae-cd8f-4566-b84c-faf20bb03f10.21601475-f142-448f-bc0b-1eaf39ca2a57.c9b27c45-74ae-42dc-948e-1701a37f2e9b

I thought roundcube will continue the protocol with keycloak to get the Token ?

any idea to debug will be appreciated (even if you don't have the solution :-) ) because i don't have any idea to continue further without any error log ...

PS : I also configure dovecot oauth connexion but I think dovecot did not receive anything (tcpdump on imaps port does not see any trafic) so the problem is between roundcube and keycloak...
« Last Edit: June 23, 2022, 04:38:22 PM by ewok2 »

Offline ewok2

  • Jr. Member
  • **
  • Posts: 17
Re: Keycloak and Roundcube problem
« Reply #2 on: October 07, 2022, 08:57:47 AM »
Still trying to make it work...

I was wondering if the problem is not due to the fact that I connect to roundcube with a username/password and not with email/password ?
The user/password database is on a openldap base.
=> maybe keycloak send with the scope the email in stad of the username?

I try to connect to roundcube with email/password
The password check seem's to works but I get this
Code: [Select]
PHP Error: Access denied for new user user@domain.net. 'auto_create_user' is disabled in....in the "/var/www/roundcube/logs/errors.log"

I try to change in dovecot the %u by %n but without effect...
($config['smtp_user'])

any idee ?

Thanks
« Last Edit: August 09, 2023, 05:19:15 AM by ewok2 »

Offline SKaero

  • Administrator
  • Hero Member
  • *****
  • Posts: 5,876
    • SKaero - Custom Roundcube development
Re: Keycloak and Roundcube problem
« Reply #3 on: October 07, 2022, 09:12:38 AM »
Do you have "auto_create_user" set to false in your Roundcube config? By default its set to true and would need to be set to true for new users to login.
Code: [Select]
// Automatically register user in Roundcube database on successful (IMAP) logon.
// Set to false if only registered users should be allowed to the webmail.
// Note: If disabled you have to create records in Roundcube users table by yourself.
// Note: Roundcube does not manage/create users on a mail server.
$config['auto_create_user'] = true;

Offline ewok2

  • Jr. Member
  • **
  • Posts: 17
Re: Keycloak and Roundcube problem
« Reply #4 on: October 07, 2022, 09:30:08 AM »
Yes "auto_create_user" is set on purpose to false
In my case user1 has is account created

When he log as "user1" he as access to his directory with all his mail send to user1@mydomain

but if he try to connect as "user1@mydomain" I get the error message because roundcube/dovecot try to log in a Maildir "user1@mydomain" in steadd of "user1".
=> I want if user1 connect with "user1@mydomain" that he be connected to "user1" maildir directory

Offline ewok2

  • Jr. Member
  • **
  • Posts: 17
Re: Keycloak and Roundcube problem
« Reply #5 on: November 21, 2022, 05:07:23 PM »
Hello
Still trying to make it work
With a friend who has also roundcube connected to keyclok we made some cross check.

his roundcube pointing to my keycloak => works
my roundcube pointing to his keycloak => does not work

Some intersesting point, his username are identical to adress mail
My username is the email without the "@domain,.name"

And when not working I get the following error message in dovecot log:
Code: [Select]
Nov 20 19:21:33 auth: Error: oauth2([b]user1[/b],XX.YY.ZZ.SS,<Yi02AuvtMeBVDoA8>): oauth2 failed: Introspection failed: No username returned
I have the feeling it is link to dovecot and roundcube sending username without the @domaine.name .... but don't know how to go further...

Any idee to find the error?

Thanks


Offline ewok2

  • Jr. Member
  • **
  • Posts: 17
Re: [SOLVED] Keycloak and Roundcube problem
« Reply #6 on: December 21, 2022, 08:09:03 AM »
Yes !!! it works

2 errors in my conf:
1rst => the nginx in the roundcube VM was removing the info send by the keycloak

I change my conf from :
 
Quote
location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }
to
Quote
  location ~ [^/]\.php(/|$) {
    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
    fastcgi_pass unix:/run/php/php8.1-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    include fastcgi_params;
  }

I also add in the nginx fastcgi
Quote
fastcgi_param  PATH_INFO          $fastcgi_path_info;
fastcgi_param  PATH_TRANSLATED    $document_root$fastcgi_path_info;


And at last I change in /etc/dovecot/dovecot-oauth2.conf.ext
Quote
introspection_mode = post
to
Quote
introspection_mode = auth