Nextcloud keycloak dovecot integration

Support intro

Sorry to hear you’re facing problems :slightly_frowning_face: is for home/non-enterprise users. If you’re running a business, paid support can be accessed via where we can ensure your business keeps running smoothly.

In order to help you as quickly as possible, before clicking Create Topic please provide as much of the below as you can. Feel free to use a pastebin service for logs, otherwise either indent short log examples with four spaces:


Or for longer, use three backticks above and below the code snippet:


Some or all of the below information will be requested if it isn’t supplied; for fastest response please provide as much as you can :heart:

Nextcloud version 27.1.5
Apache 2.4.58
PHP 8.2
Dovecot 2.3.16
The issue you are facing:

So I have Nextcloud fully working with normal password logins…
Mails arrive and part as expected.

I installed the Openid connect app with following

Client Id
Client ID nextcloud
Discovery endpoint
Backchannel Logout URL
Redirect URI (to be authorized in the provider client configuration)

I can login with Keycloak to Nextcloud
I can login to Dovecot with Keycloak… I tested this with a script.
I included this script just need to transform it to and make it executable

dovecot-tester.odt (33.3 KB)
When logged in via keycloak, I can create a new mail account in Nextcloud mailapp and this is seen the next login, however no mails arrive or part

This is the main part of /etc/dovecot/dovecot.conf file

auth_mechanisms = plain login xoauth2 oauthbearer

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext

userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%d/%n

# authentication debug logging
auth_debug = yes
auth_verbose = yes

# provide SASL via unix socket to postfix
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix

This is the part of /etc/dovecot/dovecot-oauth2-conf.ext

introspection_url =
introspection_mode = post
client_id = dovecot
client_secret = cdefkHGtkjdsfjr78fdsg855sdfgT8

The question is that when I login to Nextcloud with Keycloak
I see in the mailapp a small black circle with inside a exclamation sign, behind this is what appears my longnamed cloud federation id.
How can I use keycloak with dovecot to connect to a existing nextcloud mail account.

Thanks for reading

I’m not really sure I get your point. From what I understand you can successfully login to Nextcloud and Dovecot using your IdP but it doesn’t work when you try to access emails using Nextcloud mail-app. I’m pretty sure it can’t do any interactive login and requires user/password combination. same concept applies when you create “device passwords” in Nextcloud - clients which can’t perform login using http flow receive dedicated login credentials for direct login.

I would start with any other IMAP client - e.g. Thunderbird - once you can successfully login same credentials should work together with mail app.

Thanks for the reply,

I would like to achieve that my users only need to login via keycloak.

So they don’t need to fil in the mail password. Is this even possible with the Nextcloud today? So the first time a user does a login everything is already in place.

Kind regards,
Guy Forssman

I think this would be doable but not easy. I would start with LDAP directory and use it as back-end for both mail server and NC. You need good engineer to implement this and goes far beyond this forum can provide…

Nextcloud version 28.0.1
Operating system and version Ubuntu 22.04
Apache 2.4.58
PHP version 8.2

The issue you are facing:

I would like to create a SSO experience for my users where they even don’t have to fill in the mail password once.

I’m able to login with Keycloak in Nextcloud, dovecot/postfix and thus send mails but only If I use a mailacount made with postfixadmin.

Can one make Nextcloud for all its apps fully SSO?

I ask this because I already had a user fiddeling with his mail password in the settings

Please avoid double posts - the community under high load doesn’t required doubled workload. Merging with the other post.