Author |
|
kohlsalem Newbie
Joined: 24 January 2022 Location: Germany
Online Status: Offline Posts: 6
|
Posted: 27 June 2022 at 12:48am | IP Logged
|
|
|
Hi,
i run WebMail Pro (9.0.1-build-a3) on a dockerized homeserver. Great piece of Software!
Recently i started introducing Authelia as central authentication platform and 2FA.
Now I wonder, if it is possible to authenticate with WebMail as well. Options I would have are:
* oAuth (I see Google, Facebook, ..., but no generic oAuth)
* Trusted Header Auth (Basically APP gehts the authenticated user in HTTP_USER)
I can't find anything about this options in the documentation; is the any chance to get suche scenario running?
Best
Michael
|
Back to Top |
|
|
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6094
|
Posted: 27 June 2022 at 2:19am | IP Logged
|
|
|
Hello,
While it's possible to use an arbitrary app for 2FA purposes, OAuth2 is a different story, various OAuth2 providers act too differently. Currently, OAuth support is only available for Google, Facebook and Dropbox indeed.
As for sending authentication data in headers, you could create a custom authentication page, by adding a PHP script that gets the information you're after and sends user login details to WebMail Pro - via POST or using SSO approach.
Note that you would still need both email and password to actually log user in. If your application doesn't have user's password, then assuming the user has previously logged into WebMail Pro, you can use master password approach, or get account password via API - this sample shows how to retrieve credentials for an existing account.
And if you implement a custom login page, you may wish to direct users there when they click Logout, that's done by setting "CustomLogoutUrl" option in data/settings/modules/CoreWebclient.config.json file.
Hope this helps.
--
Regards,
Igor, Afterlogic Support
|
Back to Top |
|
|
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6094
|
Posted: 27 June 2022 at 2:41am | IP Logged
|
|
|
Also I'd like to add that we're always open for custom development requests and we can implement the features you require, please let us know if you may be interested.
--
Regards,
Igor, Afterlogic Support
|
Back to Top |
|
|
kohlsalem Newbie
Joined: 24 January 2022 Location: Germany
Online Status: Offline Posts: 6
|
Posted: 27 June 2022 at 3:08am | IP Logged
|
|
|
What Authelia offers (and whar i called oAuth) is named "Open ID Connect" https://www.authelia.com/integration/openid-connect/introduction/
as far as i understood this is exactly what you did already, just that you have hardcoded auth_url, token_url and api_url. But i might be mistaken.
Regarding the Dev Request, the second option, trusted Headers, could be relatively simpel but yet powerful. https://www.authelia.com/integration/trusted-header-sso/introduction/
Basically, Authentification is complitely done outside, the proxy passes to you HTTP_REMOTE_USER and HTTP_REMOTE_EMAIL and you "trust it". The feature must be switchable, because it its obviously crucial that the proxy would not pass this headers from an external request.
I find that a pretty neat solution...
|
Back to Top |
|
|
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6094
|
Posted: 27 June 2022 at 4:07am | IP Logged
|
|
|
When dealing with OAuth2, WebMail Pro uses a connector module, for example DropboxAuthWebclient under modules/ directory - it then talks to OAuthIntegratorWebclient module. And if you take a look at oauth_configuration.json file under modules/OAuthIntegratorWebclient/Classes/OAuthClient/ directory you'll see that the library can deal with quite a few OAuth2 providers, those URLs are listed in that file (while files like login_with_dropbox.php there are merely samples).
You could create a custom connector module, with DropboxAuthWebclient module used as an example; we use Dropbox module too, to get configuration parameters, but that's not required really, you can do all that within one module.
Now whether you choose to go with OAuth2 implementation or Trusted Header Auth approach, there's going to be a problem. Authentication backend can provide information about the user, but WebMail Pro needs a password of the email account, to log into IMAP and SMTP, and it's not something you're going to get through OAuth2 or a custom header.
One of the options would be to create a user but not creating an email account for it. For example, when user logs into WebMail Pro, they can be directed to Settings > Add New Account, and there they will supply their email and password. Things might be slightly different if mailserver you use actually supports OAuth2 authentication for IMAP and SMTP, just like Gmail - and we have implemented Gmail connector with the use of OAuth2 there. But even in this case, we're talking about logging into user account first, and then adding a email account.
Should you require any further assistance with this from our developers team, please contact us via HelpDesk. Thank you.
--
Regards,
Igor, Afterlogic Support
|
Back to Top |
|
|
kohlsalem Newbie
Joined: 24 January 2022 Location: Germany
Online Status: Offline Posts: 6
|
Posted: 28 June 2022 at 4:35am | IP Logged
|
|
|
password indeed is a problem - but how exactly do you handle that with the oAuth logins? They should be (per definition) passwordless as well, should#nt they?
i was assuming, you cache the password of an ordinary login, right?
|
Back to Top |
|
|
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6094
|
Posted: 28 June 2022 at 5:01am | IP Logged
|
|
|
If we're speaking of Gmail access via OAuth2, we actually use OAuth2 authentication method for IMAP and SMTP as Gmail supports that, so password isn't needed.
In case of OAuth2 login using Dropbox, Facebook or Google (exactly Google, not Gmail) - that login method is added for email account which is already there in WebMail Pro. As in, user first logs into WebMail Pro with their email address and password, and then adds another login method for that account. So yes, we do store email account password for such a case indeed.
For one of our customers, we've developed an approach where they first log into their OAuth2 provider and then add email account in settings, but this doesn't change the fact that we need the user to enter their actual password at some point - unless we're speaking of Gmail-like access where OAuth2 can be used for authentication on mail server level.
--
Regards,
Igor, Afterlogic Support
|
Back to Top |
|
|
oktaya Newbie
Joined: 21 September 2023
Online Status: Offline Posts: 3
|
Posted: 21 September 2023 at 2:13pm | IP Logged
|
|
|
" unless we're speaking of Gmail-like access where OAuth2 can be used for authentication on mail server level. "
Igor, I have this and I am using it with another webmail solution already. Is Afterlogic capable of logging it via single-sign-on using oauth ?
Also, the modules all seem to be dual licensed. Is oauth available on Lite?
|
Back to Top |
|
|
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6094
|
Posted: 22 September 2023 at 12:00am | IP Logged
|
|
|
Quote:
Igor, I have this and I am using it with another webmail solution already. Is Afterlogic capable of logging it via single-sign-on using oauth ? |
|
|
Currently, our single sign-on approach supports username/password authentication only.
Quote:
Is oauth available on Lite? |
|
|
Generally speaking, OAuth2 is available there, it lets you login with your Google, Facebook or Dropbox accounts, and attach files from Dropbox or Google Drive storage (note that we're speaking of a specifically Google account, not a Gmail one).
Gmail access, however, is another story and this isn't really about licensing - Gmail accounts are added additionally to a main account, and multiaccount feature itself isn't available in Lite.
--
Regards,
Igor, Afterlogic Support
|
Back to Top |
|
|
oktaya Newbie
Joined: 21 September 2023
Online Status: Offline Posts: 3
|
Posted: 22 September 2023 at 3:52am | IP Logged
|
|
|
Igor, If I am understanding this correctly, it doesn't seem possible to log into Afterlogic using an identity provider via oauth/saml etc AND having it access IMAP/SMTP using xoauth at the same time without requiring the user to give Afterlogic their password at all. Further, this is the same for Lite and Pro?
|
Back to Top |
|
|
Igor AfterLogic Support
Joined: 24 June 2008 Location: United States
Online Status: Offline Posts: 6094
|
Posted: 22 September 2023 at 3:55am | IP Logged
|
|
|
This is available for Gmail using OAuth2 Connector, WebMail Pro doesn't have user's password in such a case. This only works for the Pro version.
--
Regards,
Igor, Afterlogic Support
|
Back to Top |
|
|
oktaya Newbie
Joined: 21 September 2023
Online Status: Offline Posts: 3
|
Posted: 23 September 2023 at 12:59am | IP Logged
|
|
|
Got it. Thanks a lot.
|
Back to Top |
|
|