Mailcow as OAuth2/OpenID Connect Provider

[HerHde]

Ahoj,
Mails are a central service in organisational environments, as well as identity management, so why not use Mailcow for both? Is it possible implement an OAuth2 or OpenID Connect provider, so other services like Nextcloud or GitLab could authenticate against Mailcow?

[mkuron]

That should be possible without much effort as Mailcow has its user accounts and password hashes stored in MySQL. Nobody has done it yet though, but pull requests are welcome.

[lavdnone]

SSO with SOGo and for example NextCloud
For mc/docker

[Braintelligence]

@mkuron By the way, what algorithm is used for the hashes?

[lavdnone]

Used this info

$config['password_driver'] = 'sql';
$config['password_algorithm'] = 'ssha256';
$config['password_algorithm_prefix'] = '{SSHA256}';
$config['password_query'] = "UPDATE mailbox SET password = %P WHERE username = %u";

from
https://mailcow.github.io/mailcow-dockerized-docs/third_party-roundcube/

maybe you mean session browser hash? guess can be found around

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[HerHde]

So, before this gets closed, has anybody made progress here?

[andryyy]

Yes, but I’m not sure if we push it to master. :/

[HerHde]

I can't find a PR or something. And what's the problem?

[andryyy]

I think it still is in dev (yes, shame on me).

It probably just needs some testing. Do you think it will be used? I'm just not sure.

[HerHde]

Ah, I've just found #1204, which references your commits.

I'm not sure either, but from what I've seen there is not that much code that needs maintenance etc.
Some people are interested in this, but it seems like it is more a professional feature, which fills a certain gap "on the market". Also it creates many opportunities of interoperability. Not too bad, I guess.

[ghost]

I will use it.
Is there a API too?

[andryyy]

Don’t know. Not really working on it anymore.

[leona-ya]

I would also use this. It's better than building own oauth service. If you want I can test it

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[andryyy]

Y u close

[Braintelligence]

Maybe you could incorporate Gluu into the stack @andryyy?

[andryyy]

I just need to add a label. :)

[andryyy]

Still working on it, but enotime. :(

[asifbacchus]

Not sure if there's any interest, but I thought I'd throw it in this thread for reference. It's not that difficult to set up an openLDAP server and have it use SASL-rimap through stunnel for secure password authentication against mailcow. That way you get all the benefits of LDAP with directory information but mailcow is handling the passwords so it's easy for users -- "oh, I just use my email password!". Basically taking advantage of the already present imap password verification mailcow offers but extending it via LDAP for programs (like seafile) that choose to not support imap auth. If there's interest I can make a write-up or can maybe try to setup some kind of docker container to integrate with mailcow? Just thought I'd put it out there as an alternative.

[HerHde]

I generally like your approach, had a LDAP + Mailcow + GitLab + Own-/Nextcloud setup myself some time ago (I guess it was pre-Docker Mailcow). Yes, it is very convenient indeed. However my personal experience was, that the LDAP ecosystem really much lacked a good, free/libre administration frontend 😢

I've just seen #2316, mentioning LDAP and several implementations, including Gluu, as mentioned by @Braintelligence. Would spare you the work to create a docker container.

@andryyy What do you think? Or how's it going, what are you doing, like which approach, if I may ask?

[l00ptr]

I generally like your approach, had a LDAP + Mailcow + GitLab + Own-/Nextcloud setup myself some time ago (I guess it was pre-Docker Mailcow). Yes, it is very convenient indeed. However my personal experience was, that the LDAP ecosystem really much lacked a good, free/libre administration frontend cry

I've just seen #2316, mentioning LDAP and several implementations, including Gluu, as mentioned by @Braintelligence. Would spare you the work to create a docker container.

@andryyy What do you think? Or how's it going, what are you doing, like which approach, if I may ask?

What about fusiondirectory to manage your LDAP content ?

[HerHde]

It broke several times while updating. Also I don't like their schemata and documentation, but I'd consider it still the best FOSS tool around from those I've tested.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[Adorfer]

i run plenty of services which need user credentials. Having OAuth in mailcow would really help, since people have some kind of email anyway and the other services are "on top" like seafile, forum, pad etc.

[Braintelligence]

It looks to me like Nextcloud can work as OAuth-Provider: nextcloud/server#3599

Would that solve your problem?

[Adorfer]

Would that solve your problem?

where are all/the most users already?
Here it's mail (->account somewhere in mailcow)
i do not use nextcloud at the moment (seafile with it's web-office stuff), but if i could move auth for mail (inc. 2FA for initial client setup and webmail) into nextcould: woud be nice.

[Braintelligence]

My thought-process was that Nextcloud is (was?) able to use Mailcow users as external users and maybe you could just bridge them to the Nextcloud OAuth.
If that would be possible there would be no need to make OAuth available in Mailcow directly; don't you think?

[mkuron]

Nextcloud's IMAP authentication hasn't been that reliable, so I don't think Mailcow uses it anymore. OAuth2 in Mailcow would be the cleanest solution, both for Nextcloud and for external services. Since @andryyy is quite busy with other things, you could consider implementing it yourself; a pull request would be appreciated. I don't think it's a lot of work; someone with PHP experience could probably hook an existing OAuth2 library into Mailcow in little time.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[Tcharl]

What about keycloak?

Configuring it to delegate authentication to ldap won't cost anything, but we could have OIDC for Sogo or any frontend

[Keridos]

Seems Mailcow has OAuth. But not OpenID connect. Would it be possible to implement OpenID Connect, too? I want to add mailcow to my keycloak as authentication provider but it only supports openID connect. Specifically It requires the scope "openid", which I cannot turn off so Mailcow gives back an error because of invalid scopes when I try to add it.

[chris2fr]

I just tried this and the weirdest thing happened. I put HTTPS in the redirect, but got back to HTTP