I am attempting to set up Single Sign-On (SSO) using Keycloak. I've completed all the necessary configurations within the Roundcube configuration file. However, after logging in with my credentials, I encounter the following issue which is Page not found and the URL looks like this:
http://webmail.campusna.fr/index.php/login/oauth?state=LxVCJdHR6Nu4&session_state=194df5c6-90e6-481c-b034-54c04ca7d2dc&code=cff2919b-6360-475f-bbac-ff7bcbfc6928.194df5c6-90e6-481c-b034-54c04ca7d2dc.730260b4-cf48-4c89-8250-5a07307620e0
Hello
first of all I had some problem and finds a solution. I try to put the answer in this post :
https://www.roundcubeforum.net/index.php/topic,29984.msg76539.html#msg76539
Then with your screenshot It is hard to answer.
You have to tell us more about your configuration.
Some question that can help :
- could you give us your configuration (OS/VM/Docker ; postfix/dovecot/roudcube ; apache/nginx ; keycloak ; all on the same HW / VM ?)
- have you modifiy postfix conf file ?
- have you adapted your dovecot conf ?
- how have you adapt roundcube conf fot oauth2 ? (only the specific conf... not all the roundcube conf ;-) )
- is your keycloak working for another client ?
and "of course" have you check the log of keycloak, roundcube, nginx, postfix, dovecot?
Yes Sure !
Sorry about the missing information
This is the nginx config:
# Server globals
user www-data;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /etc/nginx/conf.d/main/*.conf;
include /etc/nginx/modules-enabled/*.conf;
# Worker config
events {
worker_connections 1024;
use epoll;
multi_accept on;
}
http {
# Main settings
sendfile on;
tcp_nopush on;
tcp_nodelay on;
client_header_timeout 180s;
client_body_timeout 180s;
client_header_buffer_size 2k;
client_body_buffer_size 256k;
client_max_body_size 1024m;
large_client_header_buffers 4 8k;
send_timeout 60s;
keepalive_timeout 30s;
keepalive_requests 10000;
reset_timedout_connection on;
server_tokens off;
server_name_in_redirect off;
server_names_hash_max_size 512;
server_names_hash_bucket_size 512;
charset utf-8;
# FastCGI settings
fastcgi_buffers 512 4k;
fastcgi_buffer_size 256k;
fastcgi_busy_buffers_size 256k;
fastcgi_temp_file_write_size 256k;
fastcgi_connect_timeout 30s;
fastcgi_read_timeout 300s;
fastcgi_send_timeout 180s;
fastcgi_cache_lock on;
fastcgi_cache_lock_timeout 5s;
fastcgi_cache_background_update on;
fastcgi_cache_revalidate on;
# Proxy settings
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header Early-Data $rfc_early_data;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass_header Set-Cookie;
proxy_buffers 256 4k;
proxy_buffer_size 32k;
proxy_busy_buffers_size 32k;
proxy_temp_file_write_size 256k;
proxy_connect_timeout 30s;
proxy_read_timeout 300s;
proxy_send_timeout 180s;
# Log format
log_format main '$remote_addr - $remote_user [$time_local] $request "$status" $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for"';
log_format bytes '$body_bytes_sent';
log_not_found off;
access_log off;
# Mime settings
include /etc/nginx/mime.types;
default_type application/octet-stream;
# Compression
gzip on;
gzip_vary on;
gzip_static on;
gzip_comp_level 6;
gzip_min_length 1024;
gzip_buffers 128 4k;
gzip_http_version 1.1;
gzip_types text/css text/javascript text/js text/plain text/richtext text/shtml text/x-component text/x-java-source text/x-markdown text/x-script text/xml image/bmp image/svg+xml image/vnd.microsoft.icon image/x-icon font/otf font/ttf font/x-woff multipart/bag multipart/mixed application/eot application/font application/font-sfnt application/font-woff application/javascript application/javascript-binast application/json application/ld+json application/manifest+json application/opentype application/otf application/rss+xml application/ttf application/truetype application/vnd.api+json application/vnd.ms-fontobject application/wasm application/xhtml+xml application/xml application/xml+rss application/x-httpd-cgi application/x-javascript application/x-opentype application/x-otf application/x-perl application/x-protobuf application/x-ttf;
gzip_proxied any;
# Cloudflare IPs
include /etc/nginx/conf.d/cloudflare.inc;
# SSL PCI compliance
ssl_buffer_size 1369;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256";
ssl_dhparam /etc/ssl/dhparam.pem;
ssl_early_data on;
ssl_ecdh_curve auto;
ssl_prefer_server_ciphers on;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_session_cache shared:SSL:20m;
ssl_session_tickets on;
ssl_session_timeout 7d;
resolver 213.186.33.99 valid=300s ipv6=off;
resolver_timeout 5s;
# Error pages
error_page 403 /error/404.html;
error_page 404 /error/404.html;
error_page 410 /error/410.html;
error_page 500 501 502 503 504 505 /error/50x.html;
# Proxy cache
proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
proxy_cache_key "$scheme$request_method$host$request_uri";
proxy_temp_path /var/cache/nginx/temp;
proxy_ignore_headers Cache-Control Expires;
proxy_cache_use_stale error timeout invalid_header updating http_502;
proxy_cache_valid any 1d;
# FastCGI cache
fastcgi_cache_path /var/cache/nginx/micro levels=1:2 keys_zone=microcache:10m inactive=30m max_size=1024m;
fastcgi_cache_key "$scheme$request_method$host$request_uri";
fastcgi_ignore_headers Cache-Control Expires Set-Cookie;
fastcgi_cache_use_stale error timeout invalid_header updating http_500 http_503;
add_header X-FastCGI-Cache $upstream_cache_status;
# Cache bypass
map $http_cookie $no_cache {
default 0;
~SESS 1;
~wordpress_logged_in 1;
}
# File cache (static assets)
open_file_cache max=10000 inactive=30s;
open_file_cache_valid 60s;
open_file_cache_min_uses 2;
open_file_cache_errors off;
# Wildcard include
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/conf.d/domains/*.conf;
}
And this is the web mail config:
root@mail:/etc/nginx/conf.d/domains# cat webmail.campusna.fr.conf
server {
listen 137.74.95.153:80;
server_name webmail.campusna.fr mail.campusna.fr;
root /var/lib/roundcube;
index index.php;
access_log /var/log/nginx/domains/webmail.campusna.fr.log combined;
error_log /var/log/nginx/domains/webmail.campusna.fr.error.log error;
include /home/smtp-admin/conf/mail/campusna.fr/nginx.forcessl.conf*;
location ~ /\.(?!well-known\/) {
deny all;
return 404;
}
location ~ ^/(README.md|config|temp|logs|bin|SQL|INSTALL|LICENSE|CHANGELOG|UPGRADING)$ {
deny all;
return 404;
}
location / {
try_files $uri $uri/ =404;
location ~* ^.+\.(ogg|ogv|svg|svgz|swf|eot|otf|woff|woff2|mov|mp3|mp4|webm|flv|ttf|rss|atom|jpg|jpeg|gif|png|webp|ico|bmp|mid|midi|wav|rtf|css|js|jar)$ {
expires 7d;
fastcgi_hide_header "Set-Cookie";
}
location ~ ^/(.*\.php)$ {
include /etc/nginx/fastcgi_params;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass 127.0.0.1:9000;
}
}
location /error/ {
alias /var/www/document_errors/;
}
include /home/smtp-admin/conf/mail/campusna.fr/nginx.conf_*;
}
I do have another client in my realm and it work perfectly
Argh ;-)
to much data...
I try to summarise :
- We assume at first that your keycloak is working as another client works
- As you have nginx configuration file you have also nginx in front of roundcube
- what about your mail server? is it postfix/dovecot/roundcube?
- is your mail server fully working? (no error il log?)
- how does your authentification works ? local batabase "with" your mail server? or attach to a ldap external database?
My roundcube is inside the /etc/
I am using ldap and it is linked with keycloak
I got this from dovecot.log inside the var/log :
Aug 09 16:04:33 imap-login: Info: Aborted login (no auth attempts in 1 secs): user=<>, rip=185.165.190.17, lip=137.74.95.153, TLS, session=<oFeqon8C7te5pb4R>
Aug 09 16:04:34 imap-login: Info: Disconnected (no auth attempts in 1 secs): user=<>, rip=185.165.190.17, lip=137.74.95.153, TLS: SSL_read failed: error:140940F5:SSL routines:ssl3_read_bytes:unexpected record, session=<CM61on8CRNu5pb4R>
This is my dovecot.conf file :
Quoteroot@mail:/etc/dovecot# cat dovecot.conf
protocols = imap pop3
listen = *, ::
base_dir = /run/dovecot/
login_greeting = Mail Delivery Agent
!include conf.d/*.conf
!include_try conf.d/domains/*.conf
service stats {
unix_listener stats-writer {
group = mail
mode = 0660
user = dovecot
}
}
namespace {
type = private
separator = /
inbox = yes
list = yes
mailbox Archive {
auto = subscribe
special_use = \Archive
}
mailbox Drafts {
auto = subscribe
special_use = \Drafts
}
mailbox Trash {
auto = subscribe
special_use = \Trash
}
mailbox "Deleted Messages" {
auto = no
special_use = \Trash
}
mailbox Spam {
auto = subscribe
special_use = \Junk
}
mailbox Junk {
auto = no
special_use = \Junk
}
mailbox Sent {
auto = subscribe
special_use = \Sent
}
mailbox "Sent Mail" {
auto = no
special_use = \Sent
}
mailbox "Sent Messages" {
auto = no
special_use = \Sent
}
}
Please tell me if you need any other information
Thank you for your help
I think you have a configuration part missing :-)
In your /etc/dovecot/conf.d/ you should have some configurations files.
Some of them should be adapted depending on the way you want to autenticate
fot exemple if previously your roundcube was using ldap you should have a "auth-ldap.conf.ext"
And now with keycloak you shoud have a "auth-oauth2.conf.ext"
In mine I have :
Quotepassdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}
then in the "/etc/dovecot/dovecot-oauth2.conf.ext" you have a specific conf link to your keycloak client :
In mine I have
Quote### OAuth2 password database configuration
## introspection endpoint, used to gather extra fields and other information.
introspection_url = https://"my keycloak url"/realms/"my realms"/protocol/openid-connect/userinfo
## How introspection is made, valid values are
## auth = GET request with Bearer authentication
## get = GET request with token appended to URL
## post = POST request with token=bearer_token as content
## local = perform local validation only
introspection_mode = auth
## username attribute in response (default: email)
username_attribute = preferred_username
## username normalization format (default: %Lu)
username_format = %n
## URL to RFC 7628 OpenID Provider Configuration Information schema
openid_configuration_url = https://"my keycloak url"/realms/"my realms"/.well-known/openid-configuration
Of course there are other parameter than can be usefull and you have to adapt depending of your keycloak and ldap....
=> I advise you to search for a tuto to configure your dovecot. And once done in case of error ask for new question :-)