Opened 3 months ago

Closed 5 weeks ago

#694 closed defect (fixed)

Keycloak/Mailcow Integration Broken

Reported by: talijacoyote@… Owned by: talijacoyote@…
Priority: major Milestone:
Component: Infrastructure Keywords: email infrastructure mailcow keycloak idp
Cc:

Description

Keycloak is not allowing Mailcow to query its identity service. Either the Mailcow service account in Keycloak needs to be designated as such, or the template that Mailcow looks for in attributes in Keycloak is missing. Finn's account is specifically not provisioning and user imports are failing in Mailcow generally. https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-keycloak/#configure

Change History (5)

comment:1 by talijacoyote@…, 3 months ago

Component: Hackery → Infrastructure

comment:2 by Finn, 2 months ago

After some diagnosing, we discovered that the code causing the problem[1] is checking for the oidc email field, and using that as the user's intended inbox. For many devhackers, that field is populated with their external email address.

According to Keycloak Slack[2], Keycloak cannot mutate the value before sending without a custom plugin.

Reading the code in [1] makes it clear that there is no way to customize it on the mailcow side, so I have started a thread on their forum[3] to ask about it and maybe talk them into improving the situation. Talija might look at building a PR for them.

[1]: https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/inc/functions.auth.inc.php#L560C49-L560C82
[2]: https://cloud-native.slack.com/archives/C056HC17KK9/p1743972743347509 requires being a member of the CNCF Slack, sign up at https://slack.cncf.io
[3]: https://community.mailcow.email/d/4791-oauth-use-alternate-field-for-email-address
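The claim-selection logic discussed in the comment above, written out as an added example. This is not mailcow's code (mailcow is PHP; this is a Python model of the behaviour), nor the commenter's; it assumes a dedicated `mailcow_email` claim alongside the standard `email` claim, a set of locally hosted domains, and constructed sample userinfo payloads. It shows why a raw `email` claim holding an external address must not become a local mailbox, and how a dedicated attribute resolves that.

```python
"""Pick the mailbox to provision from an OIDC userinfo payload.

Added example for this ticket, not mailcow's own code. It models the
behaviour described above: the server used the ``email`` claim as the inbox,
which breaks when that claim holds a user's external address. The fix noted
later in the ticket was a dedicated ``mailcow_email`` attribute. Claim names,
the local-domain check and the sample payloads are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Deliberately simple syntax check; the domain check below does the real work.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


@dataclass
class Decision:
    mailbox: Optional[str]  # address to provision, or None when rejected
    reason: str             # human-readable explanation for logs


def select_mailbox(userinfo: Dict[str, str],
                   local_domains: Set[str],
                   preferred_claim: str = "mailcow_email",
                   fallback_claim: str = "email") -> Decision:
    """Return the mailbox for this user, or None plus the rejection reason.

    Precedence: the dedicated claim first, then the standard ``email`` claim.
    Whichever claim is used, the address must parse and its domain must be
    one this server hosts; an external address is rejected rather than
    silently turned into a local account.
    """
    for claim in (preferred_claim, fallback_claim):
        raw = userinfo.get(claim)
        if not raw:
            continue  # claim absent or empty: try the next one
        value = raw.strip().lower()
        if not EMAIL_RE.match(value):
            return Decision(None, f"claim {claim!r} is not a valid address: {value!r}")
        domain = value.rsplit("@", 1)[1]
        if domain not in local_domains:
            return Decision(None, f"claim {claim!r} names non-local domain {domain!r}")
        return Decision(value, f"provisioning from claim {claim!r}")
    return Decision(None, "no usable email claim in userinfo")


# Constructed sample data: one hosted domain and three kinds of IdP payload.
LOCAL_DOMAINS = {"mail.example.test"}

SAMPLE_USERS = {
    # 'email' is the user's external address, but the dedicated claim is set
    "with_attribute": {
        "sub": "u-001",
        "email": "user@personal.example.org",
        "mailcow_email": "User@Mail.Example.Test",
    },
    # only an external 'email' claim: this is the failure mode in the ticket
    "external_only": {"sub": "u-002", "email": "someone@personal.example.org"},
    # 'email' already points at the hosted domain, so the fallback is fine
    "local_email": {"sub": "u-003", "email": "admin@mail.example.test"},
    # dedicated claim present but pointing elsewhere: still rejected
    "attribute_external": {"sub": "u-004", "mailcow_email": "x@elsewhere.example.org"},
}


if __name__ == "__main__":
    for name, info in SAMPLE_USERS.items():
        d = select_mailbox(info, LOCAL_DOMAINS)
        print(f"{name:20s} -> {d.mailbox!r:30s} ({d.reason})")
```

The domain check is the part worth keeping even once a dedicated claim exists: it turns a silent mis-provisioning into a logged rejection, which is what the failing imports in this ticket were hiding.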

comment:3 by talijacoyote@…, 2 months ago

Owner: set to talijacoyote@…
Status: new → accepted

comment:4 by talija@…, 5 weeks ago

Fixed this by patching the server to use the mailcow_email attribute instead of the email

comment:5 by talija@…, 5 weeks ago

Resolution: fixed
Status: accepted → closed