Archive-Team
/
docker-mailserver
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Apply suggestions from code review 

Co-authored-by: Brennan Kinney <5098581+polarathene@users.noreply.github.com>
This commit is contained in:
Keval Kapdee 2023-12-23 09:53:47 +00:00
parent 413ae1ecf6
commit 43f121d92e
3 changed files with 16 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
docs/content/config/advanced/auth-oauth2.md
View File

@ -4,16 +4,23 @@ title: 'Advanced | Basic OAuth2 Authentication'
## Introduction ## Introduction
**Warning** - This is only a supplement to the existing account provisioners; FILE and LDAP. Accounts must still be created using the `setup` command or added to the LDAP directory respectively. Reasoning for this can be found in [#3480](https://github.com/docker-mailserver/docker-mailserver/pull/3480). Future iterations on this feature may allow it to be a full account provisioner. !!! warning "This is only a supplement to the existing account provisioners"
For now, this adds the ability for a 3rd party application such as Roundcube to authenticate with DMS (dovecot) using a token obtained from an OAuth2 provider instead of passing passwords around. Accounts must still be managed via the configured [`ACCOUNT_PROVISIONER`][env::account-provisioner] (FILE or LDAP).
Reasoning for this can be found in [#3480][gh-pr::oauth2]. Future iterations on this feature may allow it to become a full account provisioner.
[gh-pr::oauth2]: https://github.com/docker-mailserver/docker-mailserver/pull/3480
[env::account-provisioner]: ../environment.md#account_provisioner
The present OAuth2 support provides the capability for 3rd-party applications such as Roundcube to authenticate with DMS (dovecot) by using a token obtained from an OAuth2 provider, instead of passing passwords around.
## Example (Authentik & Roundcube) ## Example (Authentik & Roundcube)
???+ example "Authentik" ???+ example "Authentik"
1. Create a new OAuth2 provider 1. Create a new OAuth2 provider
2. Note the client id and client secret 2. Note the client id and client secret
3. Set the allowed redirect url to `https://roundcube.domain.com/index.php/login/oauth` (obviously changing your domain as needed) 3. Set the allowed redirect url to the equivalent of `https://roundcube.example.com/index.php/login/oauth` for your RoundCube instance.
???+ example "Docker Mailserver `mailserver.env`" ???+ example "Docker Mailserver `mailserver.env`"
```env ```env
@ -35,7 +42,7 @@ For now, this adds the ability for a 3rd party application such as Roundcube to
# empty => https://oauth2.domain.com/userinfo/ # empty => https://oauth2.domain.com/userinfo/
# Specify the user info endpoint URL of the oauth2 provider # Specify the user info endpoint URL of the oauth2 provider
OAUTH2_INTROSPECTION_URL=https://authentik.domain.com/application/o/userinfo/ OAUTH2_INTROSPECTION_URL=https://authentik.example.com/application/o/userinfo/
``` ```
???+ example "Roundcube `oauth2.inc.php` ([documentation](https://github.com/roundcube/roundcubemail/wiki/Configuration))" ???+ example "Roundcube `oauth2.inc.php` ([documentation](https://github.com/roundcube/roundcubemail/wiki/Configuration))"
@ -44,9 +51,9 @@ For now, this adds the ability for a 3rd party application such as Roundcube to
$config['oauth_provider_name'] = 'Authentik'; $config['oauth_provider_name'] = 'Authentik';
$config['oauth_client_id'] = '<insert client id here>'; $config['oauth_client_id'] = '<insert client id here>';
$config['oauth_client_secret'] = '<insert client secret here>'; $config['oauth_client_secret'] = '<insert client secret here>';
$config['oauth_auth_uri'] = 'https://authentik.domain.com/application/o/authorize/'; $config['oauth_auth_uri'] = 'https://authentik.example.com/application/o/authorize/';
$config['oauth_token_uri'] = 'https://authentik.domain.com/application/o/token/'; $config['oauth_token_uri'] = 'https://authentik.example.com/application/o/token/';
$config['oauth_identity_uri'] = 'https://authentik.domain.com/application/o/userinfo/'; $config['oauth_identity_uri'] = 'https://authentik.example.com/application/o/userinfo/';
// Optional: disable SSL certificate check on HTTP requests to OAuth server // Optional: disable SSL certificate check on HTTP requests to OAuth server
// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values // See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values

2
mailserver.env
View File

@ -434,7 +434,7 @@ OAUTH2_CLIENT_ID=
# Specify the OAuth2 client secret # Specify the OAuth2 client secret
OAUTH2_CLIENT_SECRET= OAUTH2_CLIENT_SECRET=
# empty => https://oauth2.domain.com/userinfo/ # empty => https://oauth2.example.com/userinfo/
# Specify the user info endpoint URL of the oauth2 provider. The trailing slash is MANDATORY (at least for Authentik) # Specify the user info endpoint URL of the oauth2 provider. The trailing slash is MANDATORY (at least for Authentik)
OAUTH2_INTROSPECTION_URL= OAUTH2_INTROSPECTION_URL=

2
target/dovecot/dovecot-oauth2.conf.ext
View File

@ -1,3 +1,3 @@
client_id = verySecretId client_id = verySecretId
client_secret = verySecretSecret client_secret = verySecretSecret
introspection_url = https://oauth2.domain.com/userinfo/ introspection_url = https://oauth2.example.com/userinfo/