Opened 4 weeks ago
Last modified 3 weeks ago
#694 accepted defect
Keycloak/Mailcow Integration Broken
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | major | Milestone: | |
| Component: | Infrastructure | Keywords: | email infrastructure mailcow keycloak idp |
| Cc: | | | |
Description
Keycloak is not allowing Mailcow to query its identity service. Either the Mailcow service account in Keycloak needs to be designated as such, or the template that Mailcow looks for in attributes in Keycloak is missing. Finn's account is specifically not provisioning and user imports are failing in Mailcow generally. https://docs.mailcow.email/manual-guides/mailcow-UI/u_e-mailcow_ui-keycloak/#configure
Change History (3)
comment:1 by , 4 weeks ago
| Component: | Hackery → Infrastructure |
|---|---|
comment:2 by , 3 weeks ago
comment:3 by , 3 weeks ago
| Owner: | set to |
|---|---|
| Status: | new → accepted |
After some diagnosing, we discovered that the code causing the problem[1] is checking for the OIDC email field and using that as the user's intended inbox. For many devhackers, that field is populated with their external email address.
According to Keycloak Slack[2], Keycloak cannot mutate the value before sending without a custom plugin.
Reading the code in [1] makes it clear that there is no way to customize it on the mailcow side, so I have started a thread on their forum[3] to ask about it and maybe talk them into improving the situation. Talija might look at building a PR for them.
[1]: https://github.com/mailcow/mailcow-dockerized/blob/master/data/web/inc/functions.auth.inc.php#L560C49-L560C82
[2]: https://cloud-native.slack.com/archives/C056HC17KK9/p1743972743347509 requires being a member of the CNCF Slack, sign up at https://slack.cncf.io
[3]: https://community.mailcow.email/d/4791-oauth-use-alternate-field-for-email-address
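The failure mode described in this ticket, and the alternate-claim behaviour requested on the forum, sketched as an added illustration (not mailcow's or Keycloak's code): the mailbox address is taken from a configurable list of OIDC claims and only accepted when its domain is one the mail server hosts. Claim names other than `email` (`mail_alias`, `preferred_username`) and the sample domains are constructed for this example.

```python
"""Illustrative OIDC claim-to-mailbox selection (not mailcow's code).

The ticket describes mailcow taking the OIDC `email` claim as the user's
inbox, which fails when that claim carries an external address. This sketch
shows the alternative asked for on the forum: try claims in a configured
order and accept a value only if its domain is hosted by this mail server.
"""
from dataclasses import dataclass


@dataclass
class MailboxPolicy:
    managed_domains: frozenset           # domains this mail server hosts
    claim_order: tuple = ("email",)      # `email` only is what the ticket describes


def _domain_of(addr):
    """Return the lower-cased domain of a well-formed address, else None."""
    if not isinstance(addr, str) or addr.count("@") != 1:
        return None
    local, domain = addr.split("@")
    return domain.lower() if local and domain else None


def select_mailbox(claims: dict, policy: MailboxPolicy):
    """Return the mailbox to provision, or None if no configured claim holds a
    hosted address. Values are never rewritten: an external address is
    skipped rather than guessed at, which is what makes the import fail."""
    for claim in policy.claim_order:
        value = claims.get(claim)
        if _domain_of(value) in policy.managed_domains:
            return value.lower()
    return None


# Constructed sample token claims (not taken from the ticket).
FINN_CLAIMS = {
    "sub": "1234",
    "preferred_username": "finn",
    "email": "finn@example-external.net",   # external address, as in the ticket
    "mail_alias": "finn@devhack.example",   # hypothetical custom claim
}

# Email-only lookup, as the ticket describes: external address, import fails.
EMAIL_ONLY = MailboxPolicy(frozenset({"devhack.example"}))
# Requested behaviour: prefer a dedicated claim, fall back to `email`.
PROPOSED = MailboxPolicy(frozenset({"devhack.example"}), ("mail_alias", "email"))

if __name__ == "__main__":
    print(select_mailbox(FINN_CLAIMS, EMAIL_ONLY))  # None
    print(select_mailbox(FINN_CLAIMS, PROPOSED))    # finn@devhack.example
```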