You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/configuration/mailserver-admin.md
+39-6Lines changed: 39 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -2,13 +2,43 @@
2
2
3
3
## OAuth2
4
4
5
-
To use OAuth2, you need to create a new OAuth2 client in your OAuth2 provider. The redirect URI should be
6
-
`https://example.com/login/check-oauth`. The client ID and client secret should be added to the `.env` file.
5
+
The `mailserver-admin` application supports OAuth2/OIDC authentication for user login. When OAuth2 is enabled, users authenticate through an external identity provider instead of using local credentials.
7
6
8
-
Depending on your needs, you can configure `mailserver-admin` to give admin rights to a user by testing for a specific group in the groups
9
-
field of the OAuth user information. Set the name of your administrator group to the `OAUTH_ADMIN_GROUP` variable in the `.env` file. If you
10
-
leave `OAUTH_ADMIN_GROUP` empty, all authenticated users will have admin rights. You must make sure to handle the login permissions in your
11
-
OAuth2 provider.
7
+
### Authentication Flow
8
+
9
+
1. User clicks the OAuth2 login button and is redirected to the configured identity provider
10
+
2. After successful authentication, the provider redirects back to `https://example.com/login/check-oauth`
11
+
3. The application retrieves user information from the provider's userinfo endpoint
12
+
4. The application extracts the user identifier from the field specified in `OAUTH_PATHS_IDENTIFIER`
13
+
5. The application attempts to match this identifier with existing users in the database
14
+
6. If a match is found, the user is logged in with their existing account
15
+
7. If no match is found and `OAUTH_CREATE_USER` is enabled, a new user account is created automatically
16
+
8. If no match is found and `OAUTH_CREATE_USER` is disabled, login is denied
17
+
18
+
### User Identifier Configuration
19
+
20
+
The `OAUTH_PATHS_IDENTIFIER` configuration specifies which field from the OAuth2 provider's user information contains the user identifier. This field must contain an email address that matches an existing domain configured in the mailserver.
21
+
22
+
**Important requirements:**
23
+
24
+
- The identifier must be a valid email address with a domain that exists in the domain list
25
+
- The field must be write-protected in the OAuth2 provider (not user-editable)
26
+
- Do not use the standard `email` field from common identity providers, as users can typically change their email address
27
+
28
+
**Recommended OAuth2 Providers:**
29
+
30
+
[pocket-id](https://pocket-id.org) is a tested solution that provides write-protected email attributes suitable for this use case. When using pocket-id or similar providers, configure `OAUTH_PATHS_IDENTIFIER` to point to a field that contains the user's email address and cannot be modified by the user.
31
+
32
+
### Administrator Access Control
33
+
34
+
Administrator rights can be granted based on the groups claim in the OAuth2 provider. Configure the `OAUTH_ADMIN_GROUP` variable with the name of the administrator group in your identity provider. Users who are members of this group will receive administrator privileges in `mailserver-admin`.
35
+
36
+
### OAuth2 Client Setup
37
+
38
+
To use OAuth2, create a new OAuth2 client in your identity provider with the following settings:
39
+
40
+
-**Redirect URI:**`https://example.com/login/check-oauth` (replace with your actual domain)
41
+
-**Client ID and Secret:** Add these values to the `.env` file as `OAUTH_CLIENT_ID` and `OAUTH_CLIENT_SECRET`
0 commit comments