
OAuth2 Authentication


This is only a supplement to the existing account provisioners

Accounts must still be managed via the configured ACCOUNT_PROVISIONER (FILE or LDAP).

Reasoning for this can be found in #3480. Future iterations on this feature may allow it to become a full account provisioner.

The present OAuth2 support allows third-party applications such as Roundcube to authenticate with DMS (Dovecot) using a token obtained from an OAuth2 provider, instead of passing passwords around.

Example (Authentik & Roundcube)

This example assumes you have:

Setup Instructions

Edit the following values in mailserver.env:

# -----------------------------------------------
# --- OAUTH2 Section ----------------------------
# -----------------------------------------------

# empty => OAUTH2 authentication is disabled
# 1 => OAUTH2 authentication is enabled

# Specify the user info endpoint URL of the oauth2 provider

  1. Create a new OAuth2 provider
  2. Note the client id and client secret
  3. Set the allowed redirect URL to the equivalent of for your Roundcube instance.

Add the following to (documentation):

$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Authentik';
$config['oauth_client_id'] = '<insert client id here>';
$config['oauth_client_secret'] = '<insert client secret here>';
$config['oauth_auth_uri'] = '';
$config['oauth_token_uri'] = '';
$config['oauth_identity_uri'] = '';

// Optional: disable SSL certificate check on HTTP requests to OAuth server. For possible values, see:
$config['oauth_verify_peer'] = false;

$config['oauth_scope'] = 'email openid profile';
$config['oauth_identity_fields'] = ['email'];

// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
$config['oauth_login_redirect'] = false;
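The token exchange described at the top of this page, as an added example that is not part of DMS, Dovecot or Roundcube: the client side builds the SASL XOAUTH2 string it presents to Dovecot instead of a password, and the server side decodes it and checks the token against the provider's user info endpoint. It assumes Dovecot's behaviour in user info mode (token sent as a Bearer header, `email` as the username attribute) and uses a hypothetical pluggable `fetch` callable so the sample runs offline against a constructed provider stub.

```python
import base64
import json
from typing import Callable, Optional

# Constructed sample values for this example, not real endpoints or credentials.
USERINFO_URL = "https://authentik.example.com/application/o/userinfo/"
SAMPLE_TOKEN = "constructed-access-token"
Fetcher = Callable[[str, dict], tuple[int, bytes]]  # (url, headers) -> (status, body)

def xoauth2_initial_response(user: str, access_token: str) -> str:
    """SASL XOAUTH2 string a client such as Roundcube sends to Dovecot instead of a
    password: base64 of user=<user>^Aauth=Bearer <token>^A^A (^A = 0x01)."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def parse_xoauth2(initial_response: str) -> tuple[str, str]:
    """Server-side decode of that string: returns (user, access_token)."""
    fields = base64.b64decode(initial_response).decode().split("\x01")
    if len(fields) < 2:
        raise ValueError("malformed XOAUTH2 initial response")
    return fields[0].removeprefix("user="), fields[1].removeprefix("auth=Bearer ")

def verify_token_via_userinfo(access_token: str, fetch: Fetcher,
                              userinfo_url: str = USERINFO_URL,
                              username_attribute: str = "email") -> Optional[str]:
    """Assumed mirror of Dovecot's oauth2 passdb in user info mode: GET the provider's
    user info endpoint with the token as a Bearer header and accept only HTTP 200 with
    a JSON body carrying the username attribute. The address returned must still
    belong to an account created by ACCOUNT_PROVISIONER (FILE or LDAP)."""
    status, body = fetch(userinfo_url, {"Authorization": f"Bearer {access_token}"})
    if status != 200:  # expired, revoked or forged token: the provider rejects it
        return None
    try:
        username = json.loads(body).get(username_attribute)
    except (json.JSONDecodeError, AttributeError):
        return None
    return username if isinstance(username, str) and username else None

def fake_userinfo_fetch(url: str, headers: dict) -> tuple[int, bytes]:
    """Offline stand-in for the provider: only SAMPLE_TOKEN is accepted."""
    if headers.get("Authorization") == f"Bearer {SAMPLE_TOKEN}":
        return 200, json.dumps({"sub": "1234", "email": "alice@example.com"}).encode()
    return 401, b'{"error": "invalid_token"}'

def authenticate(initial_response: str, fetch: Fetcher) -> bool:
    """Decode the SASL string, verify the token, and require that the identity the
    provider returns matches the user the client claimed."""
    user, token = parse_xoauth2(initial_response)
    return verify_token_via_userinfo(token, fetch) == user
```

In a real deployment `fetch` would be an HTTPS client with certificate verification left on, which is the check `oauth_verify_peer = false` above switches off on the Roundcube side.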