---
title: Roundcube
---
<span class="badge badge--secondary">Support level: Community</span>
## What is Roundcube
From https://roundcube.net
:::note
**Roundcube** is a browser-based multilingual IMAP client with an application-like user interface.
It provides full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.
:::
This integration describes how to use Roundcube's OAuth support with authentik to automatically sign into an email account.
The mail server must support XOAUTH2 for both SMTPD and IMAP/POP. The Postfix SMTP server can also use Dovecot for authentication, which provides Postfix with XOAUTH2 capability without configuring it separately.
## Preparation
The following placeholders will be used:
- `authentik.company` is the FQDN of the authentik install.
Create a new OAuth2 Scope Mapping that does not return the 'group' values, and associate this mapping in the provider settings instead of the default OAuth mapping.
Under _Customization_ -> _Property Mappings_, create a _Scope Mapping_. Give it a name like "oauth2-Scope-dovecot". Set the scope name to `dovecotprofile` and the expression to the following:
```
return {
    "name": request.user.name,
    "given_name": request.user.name,
    "family_name": "",
    "preferred_username": request.user.username,
    "nickname": request.user.username,
    # DO NOT INCLUDE groups
}
```
Create an application in authentik. Create an _OAuth2/OpenID Provider_ with the following parameters:
- Client Type: `Confidential`
- Scopes: OpenID, Email, and the scope you created above
- Signing Key: Select any available key
## Roundcube Configuration
```
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'authentik';
$config['oauth_client_id'] = '<Client ID>';
$config['oauth_client_secret'] = '<Client Secret>';
$config['oauth_auth_uri'] = 'https://authentik.company/application/o/authorize/';
$config['oauth_token_uri'] = 'https://authentik.company/application/o/token/';
$config['oauth_identity_uri'] = 'https://authentik.company/application/o/userinfo/';
$config['oauth_scope'] = "email openid dovecotprofile";
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = ['email'];
```
## Dovecot Configuration
Add xoauth2 as an authentication mechanism and configure the following parameters in your Dovecot configuration.
```
tokeninfo_url = https://authentik.company/application/o/userinfo/?access_token=
introspection_url = https://<Client ID>:<Client Secret>@authentik.company/application/o/introspect/
introspection_mode = post
force_introspection = yes
active_attribute = active
active_value = true
username_attribute = email
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```
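
The following added example (not part of the authentik, Roundcube or Dovecot documentation) models the exchange this configuration enables: the client wraps the access token in a SASL XOAUTH2 response, and the server accepts it only if the introspection result satisfies `active_attribute`, `active_value` and `username_attribute`. The function names, the sample address and token, and the exact-match username comparison are assumptions made for illustration.

```python
import base64
import json

# Values from the Dovecot configuration on this page.
ACTIVE_ATTRIBUTE = "active"
ACTIVE_VALUE = "true"
USERNAME_ATTRIBUTE = "email"


def build_xoauth2(user: str, access_token: str) -> str:
    """Client side: base64 of 'user=<user>^Aauth=Bearer <token>^A^A'."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()


def parse_xoauth2(blob: str) -> tuple[str, str]:
    """Server side: recover the claimed user and the bearer token."""
    parts = base64.b64decode(blob, validate=True).decode().split("\x01")
    fields = dict(p.split("=", 1) for p in parts if "=" in p)
    scheme, _, token = fields.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token or not fields.get("user"):
        raise ValueError("malformed XOAUTH2 response")
    return fields["user"], token


def evaluate(claimed_user: str, introspection_json: str) -> tuple[bool, str]:
    """Model of the active/username checks (exact string match assumed)."""
    fields = json.loads(introspection_json)
    active = fields.get(ACTIVE_ATTRIBUTE)
    # JSON booleans are compared in their text form: true -> "true".
    active_text = active if isinstance(active, str) else json.dumps(active)
    if active_text != ACTIVE_VALUE:
        return False, "token not active"
    username = fields.get(USERNAME_ATTRIBUTE)
    if not username:
        return False, f"response has no '{USERNAME_ATTRIBUTE}' attribute"
    if username != claimed_user:
        return False, "username does not match token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or provider output.
    blob = build_xoauth2("alice@example.org", "constructed-token")
    user, token = parse_xoauth2(blob)
    for body in ('{"active": true, "email": "alice@example.org"}',
                 '{"active": true, "preferred_username": "alice"}',
                 '{"active": false}'):
        print(user, body, evaluate(user, body))
```

The second sample body shows why the provider needs the Email scope: without an `email` attribute in the response, `username_attribute = email` has nothing to match against.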
:::note
With this setup Dovecot can also be used with other email clients that support XOAUTH2 authentication; however,
most available software (including Fair Email for Android and Thunderbird) only comes with support for Gmail,
Outlook, etc., with no way to configure custom email servers.
:::
## Additional Resources
Please refer to the following for further configuration information:
- https://roundcube.net
- https://github.com/roundcube/roundcubemail/wiki/Configuration:-OAuth2
- https://doc.dovecot.org/configuration_manual/authentication/oauth2/