Nextcloud keycloak dovecot integration

example

longer
example
here

Nextcloud version 27.1.5
OS UBUNTU 22.04
Apache 2.4.58
PHP 8.2
Dovecot 2.3.16
The issue you are facing:

So I have Nextcloud fully working with normal password logins…
Mails arrive and part as expected.

I installed the Openid connect app with following

Client ID nextcloud
Discovery endpoint https://auth.example.org/realms/ArealRealmName/.well-known/openid-configuration
Backchannel Logout URL
https://nextcloud.example.org/apps/user_oidc/backchannel-logout/keycloak
Redirect URI (to be authorized in the provider client configuration)
https://nextcloud.example.org/apps/user_oidc/code

I can login with Keycloak to Nextcloud
I can login to Dovecot with Keycloak… I tested this with a script.
I included this script just need to transform it to name.sh and make it executable

dovecot-tester.odt (33.3 KB)
.
When logged in via keycloak, I can create a new mail account in Nextcloud mailapp and this is seen the next login, however no mails arrive or part

This is the main part of /etc/dovecot/dovecot.conf file

auth_mechanisms = plain login xoauth2 oauthbearer

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n
}

# authentication debug logging
auth_debug = yes
auth_verbose = yes

# provide SASL via unix socket to postfix
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
}

This is the part of /etc/dovecot/dovecot-oauth2-conf.ext

introspection_url = https://auth.example.org/realms/whataname/protocol/openid-connect/token/introspect
introspection_mode = post
client_id = dovecot
client_secret = cdefkHGtkjdsfjr78fdsg855sdfgT8

The question is that when I login to Nextcloud with Keycloak
I see in the mailapp a small black circle with inside a exclamation sign, behind this is what appears my longnamed cloud federation id.
How can I use keycloak with dovecot to connect to a existing nextcloud mail account.

Thanks for reading
Guy

I’m not really sure I get your point. From what I understand you can successfully login to Nextcloud and Dovecot using your IdP but it doesn’t work when you try to access emails using Nextcloud mail-app. I’m pretty sure it can’t do any interactive login and requires user/password combination. same concept applies when you create “device passwords” in Nextcloud - clients which can’t perform login using http flow receive dedicated login credentials for direct login.

I would start with any other IMAP client - e.g. Thunderbird - once you can successfully login same credentials should work together with mail app.

Thanks for the reply,

I would like to achieve that my users only need to login via keycloak.

So they don’t need to fil in the mail password. Is this even possible with the Nextcloud today? So the first time a user does a login everything is already in place.

Kind regards,
Guy Forssman

I think this would be doable but not easy. I would start with LDAP directory and use it as back-end for both mail server and NC. You need good engineer to implement this and goes far beyond this forum can provide…

Nextcloud version 28.0.1
Operating system and version Ubuntu 22.04
Apache 2.4.58
MariaDB-1:11.2.2
PHP version 8.2

The issue you are facing:

I would like to create a SSO experience for my users where they even don’t have to fill in the mail password once.

I’m able to login with Keycloak in Nextcloud, dovecot/postfix and thus send mails but only If I use a mailacount made with postfixadmin.

Can one make Nextcloud for all its apps fully SSO?

I ask this because I already had a user fiddeling with his mail password in the settings

Please avoid double posts - the community under high load doesn’t required doubled workload. Merging with the other post.