Open derfabianpeter opened 9 months ago
I can see this is still an issue
I can confirm that OIDC does not work with authentik. Also clicking "Test connection" does not work and shows a strange response.
Support for authentik was also discussed here: https://github.com/mailcow/mailcow-dockerized/issues/2316
{"type":"error","msg":"Cannot edit item"}
Please update your mailcow nightly and try again. I found an issue which was caused by removing all trailing / from the IdP URLs before saving. All HTTP requests then ended up at the wrong endpoint and Authentik returned 405 Method not allowed.
Not sure if it was the only issue.
Test Connection will continue to fail because for Authentik, client_id and client_secret are not enough to test the credentials with grant_type=client_credentials:
https://goauthentik.io/docs/providers/oauth2/client_credentials
Commit: https://github.com/mailcow/mailcow-dockerized/commit/1a302d8335289aa455d81d040b4cd814755795c8
Awesome, thank you! Fixed and working, except for mailboxes not being created on first login.
Probably because the generic-oidc provider is only requesting the hardcoded scopes openid profile email. I'll try to add an input field to set custom scopes.
The requested client scopes are now configurable for generic-oidc. Now mailbox creation on first login is working for me.
Commit: https://github.com/mailcow/mailcow-dockerized/commit/dc2f61a27c3ca1eecf412478a94a75f2cef45637
Which scopes do you specify to get mailbox creation working?
In Authentik, go to Providers -> click the Edit button of your OAuth provider, then expand “Advanced protocol settings” and in Scopes select openid, email, profile and your created Property Mapping. In my case it was mailcow_template; in your case it should be maildow-dedicated. In mailcow, add maildow-dedicated to the scopes, separated by whitespace.
Hmm, there seems to be something wrong at my end. Maybe because I have multiple domains?
Property mapping is set correctly, log in is working, but protocols are all red and logging into Webmail is unauthorized.
My expression:
return { "mailcow_template": "default" }
Can you log in as admin and check the mailcow UI Logs? Maybe there is a hint.
Not really ...
["logged_in_as","mail@example.com"] Call ["identity_provider","mail@example.com","user"]
Did you change anything with the template?
The user seems to be recognized and created, but no mailbox. I can't even find that user anywhere in the admin view.
I've updated and while the original error has vanished, I now see the following in the logs after trying to login via IDP (which fails):
["identity_provider",null,null]
@derfabianpeter i have added some additional log messages. Please update and try again. https://github.com/mailcow/mailcow-dockerized/commit/89ed9147a658bd9004354d742e2fc2472b6e7699
@davidus05 Seems like some error occurred on mailbox creation. This is the function https://github.com/mailcow/mailcow-dockerized/blob/89ed9147a658bd9004354d742e2fc2472b6e7699/data/web/inc/functions.mailbox.inc.php#L1318. I'll try to add more error handling
@FreddleSpl0it I've updated as you suggested. Logging has improved:
I've configured the attribute mapping as you suggested in one of your previous comments and additionally added mailcow-dedicated to the claims in Mailcow. Same result unfortunately.
EDIT: I actually changed the property mapping and scope name in Authentik to mailcow_template (instead of mailcow-dedicated) and now it all works!
Would one of you folks be willing to fully document the steps for getting this working as a Gist or similar?
I'd be happy to see if I can convert it into documentation on the Authentik community pages.
Had a crack at getting this working today but was getting curl failures against the token endpoint.
["login_failed","cURL error 28: Failed to connect to auth.domain.com port 443 after 131001 ms: Couldn't connect to server (see https:\/\/curl.haxx.se\/libcurl\/c\/libcurl-errors.html) for https:\/\/auth.domain.com\/application\/o\/token\/"]
Hi there,
I'm trying to set up mailcow to work with Authentik following the instructions provided for Keycloak and the comments added to this thread.
I'm not getting any authentication error, but after authenticating on Authentik I'm getting redirected to the URL https://authentik.example.com/application/o/mailcow/.well-known/openid-configuration with the following content.
Does anybody know what could be missing on my configuration?
{ "issuer": "https://authentik.example.com/application/o/mailcow/", "authorization_endpoint": "https://authentik.example.com/application/o/authorize/", "token_endpoint": "https://authentik.example.com/application/o/token/", "userinfo_endpoint": "https://authentik.example.com/application/o/userinfo/", "end_session_endpoint": "https://authentik.example.com/application/o/mailcow/end-session/", "introspection_endpoint": "https://authentik.example.com/application/o/introspect/", "revocation_endpoint": "https://authentik.example.com/application/o/revoke/", "device_authorization_endpoint": "https://authentik.example.com/application/o/device/", "response_types_supported": [ "code", "id_token", "id_token token", "code token", "code id_token", "code id_token token" ], "response_modes_supported": [ "query", "fragment", "form_post" ], "jwks_uri": "https://authentik.example.com/application/o/mailcow/jwks/", "grant_types_supported": [ "authorization_code", "refresh_token", "implicit", "client_credentials", "password", "urn:ietf:params:oauth:grant-type:device_code" ], "id_token_signing_alg_values_supported": [ "RS256" ], "subject_types_supported": [ "public" ], "token_endpoint_auth_methods_supported": [ "client_secret_post", "client_secret_basic" ], "acr_values_supported": [ "goauthentik.io/providers/oauth2/default" ], "scopes_supported": [ "openid", "email", "profile", "ak_proxy", "mailcow_template" ], "request_parameter_supported": false, "claims_supported": [ "sub", "iss", "aud", "exp", "iat", "auth_time", "acr", "amr", "nonce", "sid", "ak_proxy", "email", "email_verified", "mailcow_template", "name", "given_name", "preferred_username", "nickname", "groups" ], "claims_parameter_supported": false, "code_challenge_methods_supported": [ "plain", "S256" ] }
I've just found the issue on my configuration. There was a redirect URI missing on Authentik with the value http://mail.example.com
After adding the URI http://mail.example.com to service provider and updating Mailcow it worked just fine for me.
It would be nice to have instructions for authentik too... like you wrote for keycloak.
It worked for me with Authentik. Basic instructions:

In Authentik:
- Create a new Property Mapping (scope mapping) named mailcow_template. On expression, add the following:
return {
    "mailcow_template": user.attributes.get("mailcow_template", "default"),
}
  This allows you to add a template for each user in their custom attributes, or use default if none is set.
- Under Applications > Providers create a new OAuth2/OpenID Provider. Set the Redirect URI to your mailcow URL (e.g. https://mail.example.com). In the Advanced protocol settings section, include the mailcow_template scope besides the default ones.
- Under Applications > Applications, create a new application named mailcow using that provider.
- On the list of applications, click on the mailcow provider name. This will get you to the provider page with all the URLs.

In mailcow:
- Go to System > Configuration. Then Access > Identity Provider.
- Authorization endpoint: https://authentik.example.com/application/o/authorize/
- Token endpoint: https://authentik.example.com/application/o/token/
- Userinfo endpoint: https://authentik.example.com/application/o/userinfo/
- Redirect URL: your mailcow URL (e.g. https://mail.example.com).
- Scopes: openid profile email mailcow_template
- Mailbox template mapping: default -> Default (so the attribute set as default in Authentik will use the Default mailbox template in mailcow).
- Do not bother clicking on "Test Connection" because it won't work for the reasons mentioned before in this issue.

This should be enough. You can create a new user to test the login. Their email address will be set as a new mailbox in mailcow.
If you want a different mailbox template, you can add this to the user's Attributes box in Authentik:
mailcow_template: some_template
Assuming that some_template is mapped to a template in the mailcow config.
I hope this is helpful for anyone trying this.
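Two of the failure modes in this thread (a trailing slash stripped from an endpoint URL, and a scope name in mailcow that does not match the Authentik mapping) can be caught by comparing the mailcow-side settings against the provider's discovery document before the first login. The following is an added example, not mailcow's or Authentik's code; the MAILCOW_IDP dict and its keys are a hypothetical stand-in for the generic-oidc form, and the discovery JSON is a trimmed, constructed copy of the one quoted above.

```python
import json

# Constructed sample: a trimmed copy of the Authentik discovery document quoted
# earlier in this thread (example hostnames, provider slug "mailcow").
DISCOVERY = json.loads("""{
  "issuer": "https://authentik.example.com/application/o/mailcow/",
  "authorization_endpoint": "https://authentik.example.com/application/o/authorize/",
  "token_endpoint": "https://authentik.example.com/application/o/token/",
  "userinfo_endpoint": "https://authentik.example.com/application/o/userinfo/",
  "scopes_supported": ["openid", "email", "profile", "ak_proxy", "mailcow_template"]
}""")

# Hypothetical dict standing in for what is typed into mailcow's generic-oidc form;
# it deliberately contains the two mistakes reported in this thread.
MAILCOW_IDP = {
    "authorize_url": "https://authentik.example.com/application/o/authorize",  # slash stripped
    "token_url": "https://authentik.example.com/application/o/token/",
    "userinfo_url": "https://authentik.example.com/application/o/userinfo/",
    "scopes": "openid profile email mailcow-dedicated",  # name differs from the mapping
    "template_map": {"default": "Default"},  # claim value -> mailcow mailbox template
}

ENDPOINTS = [("authorize_url", "authorization_endpoint"),
             ("token_url", "token_endpoint"),
             ("userinfo_url", "userinfo_endpoint")]


def check_idp_config(idp, disc):
    """Compare mailcow-side settings with the IdP discovery document.
    Returns a list of readable problems; an empty list means they line up."""
    problems = []
    for key, dkey in ENDPOINTS:
        if idp[key] == disc[dkey]:
            continue
        if idp[key].rstrip("/") == disc[dkey].rstrip("/"):
            # Same path, only the trailing slash differs: Authentik answered 405 on this.
            problems.append(f"{key}: trailing slash differs from {disc[dkey]}")
        else:
            problems.append(f"{key}: {idp[key]} does not match {disc[dkey]}")
    for scope in idp["scopes"].split():
        if scope not in disc["scopes_supported"]:
            problems.append(f"scope {scope!r} is not advertised by the provider")
    return problems


def resolve_template(userinfo, idp):
    """Look the mailcow_template claim from the userinfo response up in the
    configured mapping; None means no template could be chosen for this user."""
    return idp["template_map"].get(userinfo.get("mailcow_template"))
```

On a live setup, replace DISCOVERY with the JSON fetched from the provider's .well-known/openid-configuration URL and run check_idp_config over the values you actually saved.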
Is there a way to add the user's display name from authentik to mailcow? That's currently not getting through to mailcow when the user's mailbox is created.
@vnen Did you ever try setting up authentik ldap as a provider in mailcow? I would like to auto setup email in nextcloud for the users, but for that to work the passwords need to be the same. With oidc the user needs to create an app password in mailcow, which is not a great solution; I would rather use their authentik password.
But if I can connect mailcow to authentik ldap, that's no issue, the passwords would be the same. Except you probably can't use both in mailcow at the moment; you should be able to use oidc and ldap at the same time, which also solves the problem. But for now I'd rather have ldap with auto email setup in nextcloud, which also has SSO, and users that can use their normal password for imap connections instead of an app password.
Creating an app password is an issue: most of my users use their own desktop or mobile clients for email and don't have any clue where to do that. I don't want to create a helpdesk for this.
The instructions from vnen work for me, except I get
["login_failed","mailbox creation failed"]
["identity_provider","aep@domain"]
How do you even debug the oidc flow? Is there a way to get a proper log? The docker logs don't show anything useful and the UI is very high level.
With a pre-created mailbox I get one step further. Login to the mailcow webui works, but sogo says "Unauthorized".
OK, finally got it working. After setting up oidc, you still need to create the users in mailcow, and then restart sogo.
@pbvdven sorry to bump such an old thread, but did you manage to get Mailcow to import display names from Authentik?
Which branch are you using? nightly
Operating System: Ubuntu 22.04
Server/VM specifications: 16GB Ram, 4 Cores
Is Apparmor, SELinux or similar active? no
Virtualization technology: KVM
Docker version: 24.0.6
docker-compose version or docker compose version: Docker Compose version v2.21.0
mailcow version: 2023-09
Reverse proxy: -