Search The ForumSearch   RegisterRegister  LoginLogin

AfterLogic WebMail Pro

 AfterLogic Forum : AfterLogic WebMail Pro
Subject Topic: Trusted HEaders Auth or Generic oAuth Post ReplyPost New Topic
Author
Message << Prev Topic | Next Topic >>
kohlsalem
Newbie
Newbie


Joined: 24 January 2022
Location: Germany
Online Status: Offline
Posts: 6
Posted: 27 June 2022 at 12:48am | IP Logged Quote kohlsalem

Hi,

i run WebMail Pro (9.0.1-build-a3) on a dockerized homeserver. Great piece of Software!

Recently i started introducing Authelia as central authentication platform and 2FA.

Now I wonder, if it is possible to authenticate with WebMail as well. Options I would have are:

* oAuth (I see Google, Facebook, ..., but no generic oAuth)
* Trusted Header Auth (Basically APP gehts the authenticated user in HTTP_USER)

I can't find anything about this options in the documentation; is the any chance to get suche scenario running?

Best
Michael





Back to Top View kohlsalem's Profile Search for other posts by kohlsalem
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6094
Posted: 27 June 2022 at 2:19am | IP Logged Quote Igor

Hello,

While it's possible to use an arbitrary app for 2FA purposes, OAuth2 is a different story, various OAuth2 providers act too differently. Currently, OAuth support is only available for Google, Facebook and Dropbox indeed.

As for sending authentication data in headers, you could create a custom authentication page, by adding a PHP script that gets the information you're after and sends user login details to WebMail Pro - via POST or using SSO approach.

Note that you would still need both email and password to actually log user in. If your application doesn't have user's password, then assuming the user has previously logged into WebMail Pro, you can use master password approach, or get account password via API - this sample shows how to retrieve credentials for an existing account.

And if you implement a custom login page, you may wish to direct users there when they click Logout, that's done by setting "CustomLogoutUrl" option in data/settings/modules/CoreWebclient.config.json file.

Hope this helps.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6094
Posted: 27 June 2022 at 2:41am | IP Logged Quote Igor

Also I'd like to add that we're always open for custom development requests and we can implement the features you require, please let us know if you may be interested.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
kohlsalem
Newbie
Newbie


Joined: 24 January 2022
Location: Germany
Online Status: Offline
Posts: 6
Posted: 27 June 2022 at 3:08am | IP Logged Quote kohlsalem

What Authelia offers (and whar i called oAuth) is named "Open ID Connect" https://www.authelia.com/integration/openid-connect/introduction/

as far as i understood this is exactly what you did already, just that you have hardcoded auth_url, token_url and api_url. But i might be mistaken.

Regarding the Dev Request, the second option, trusted Headers, could be relatively simpel but yet powerful. https://www.authelia.com/integration/trusted-header-sso/introduction/

Basically, Authentification is complitely done outside, the proxy passes to you HTTP_REMOTE_USER and HTTP_REMOTE_EMAIL and you "trust it". The feature must be switchable, because it its obviously crucial that the proxy would not pass this headers from an external request.

I find that a pretty neat solution...
Back to Top View kohlsalem's Profile Search for other posts by kohlsalem
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6094
Posted: 27 June 2022 at 4:07am | IP Logged Quote Igor

When dealing with OAuth2, WebMail Pro uses a connector module, for example DropboxAuthWebclient under modules/ directory - it then talks to OAuthIntegratorWebclient module. And if you take a look at oauth_configuration.json file under modules/OAuthIntegratorWebclient/Classes/OAuthClient/ directory you'll see that the library can deal with quite a few OAuth2 providers, those URLs are listed in that file (while files like login_with_dropbox.php there are merely samples).

You could create a custom connector module, with DropboxAuthWebclient module used as an example; we use Dropbox module too, to get configuration parameters, but that's not required really, you can do all that within one module.

Now whether you choose to go with OAuth2 implementation or Trusted Header Auth approach, there's going to be a problem. Authentication backend can provide information about the user, but WebMail Pro needs a password of the email account, to log into IMAP and SMTP, and it's not something you're going to get through OAuth2 or a custom header.

One of the options would be to create a user but not creating an email account for it. For example, when user logs into WebMail Pro, they can be directed to Settings > Add New Account, and there they will supply their email and password. Things might be slightly different if mailserver you use actually supports OAuth2 authentication for IMAP and SMTP, just like Gmail - and we have implemented Gmail connector with the use of OAuth2 there. But even in this case, we're talking about logging into user account first, and then adding a email account.

Should you require any further assistance with this from our developers team, please contact us via HelpDesk. Thank you.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
kohlsalem
Newbie
Newbie


Joined: 24 January 2022
Location: Germany
Online Status: Offline
Posts: 6
Posted: 28 June 2022 at 4:35am | IP Logged Quote kohlsalem

password indeed is a problem - but how exactly do you handle that with the oAuth logins? They should be (per definition) passwordless as well, should#nt they?

i was assuming, you cache the password of an ordinary login, right?
Back to Top View kohlsalem's Profile Search for other posts by kohlsalem
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6094
Posted: 28 June 2022 at 5:01am | IP Logged Quote Igor

If we're speaking of Gmail access via OAuth2, we actually use OAuth2 authentication method for IMAP and SMTP as Gmail supports that, so password isn't needed.

In case of OAuth2 login using Dropbox, Facebook or Google (exactly Google, not Gmail) - that login method is added for email account which is already there in WebMail Pro. As in, user first logs into WebMail Pro with their email address and password, and then adds another login method for that account. So yes, we do store email account password for such a case indeed.

For one of our customers, we've developed an approach where they first log into their OAuth2 provider and then add email account in settings, but this doesn't change the fact that we need the user to enter their actual password at some point - unless we're speaking of Gmail-like access where OAuth2 can be used for authentication on mail server level.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
oktaya
Newbie
Newbie


Joined: 21 September 2023
Online Status: Offline
Posts: 3
Posted: 21 September 2023 at 2:13pm | IP Logged Quote oktaya

" unless we're speaking of Gmail-like access where OAuth2 can be used for authentication on mail server level. "

Igor, I have this and I am using it with another webmail solution already. Is Afterlogic capable of logging it via single-sign-on using oauth ?

Also, the modules all seem to be dual licensed. Is oauth available on Lite?
Back to Top View oktaya's Profile Search for other posts by oktaya
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6094
Posted: 22 September 2023 at 12:00am | IP Logged Quote Igor

Quote:
Igor, I have this and I am using it with another webmail solution already. Is Afterlogic capable of logging it via single-sign-on using oauth ?


Currently, our single sign-on approach supports username/password authentication only.

Quote:
Is oauth available on Lite?


Generally speaking, OAuth2 is available there, it lets you login with your Google, Facebook or Dropbox accounts, and attach files from Dropbox or Google Drive storage (note that we're speaking of a specifically Google account, not a Gmail one).

Gmail access, however, is another story and this isn't really about licensing - Gmail accounts are added additionally to a main account, and multiaccount feature itself isn't available in Lite.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
oktaya
Newbie
Newbie


Joined: 21 September 2023
Online Status: Offline
Posts: 3
Posted: 22 September 2023 at 3:52am | IP Logged Quote oktaya

Igor, If I am understanding this correctly, it doesn't seem possible to log into Afterlogic using an identity provider via oauth/saml etc AND having it access IMAP/SMTP using xoauth at the same time without requiring the user to give Afterlogic their password at all. Further, this is the same for Lite and Pro?
Back to Top View oktaya's Profile Search for other posts by oktaya
 
Igor
AfterLogic Support
AfterLogic Support


Joined: 24 June 2008
Location: United States
Online Status: Offline
Posts: 6094
Posted: 22 September 2023 at 3:55am | IP Logged Quote Igor

This is available for Gmail using OAuth2 Connector, WebMail Pro doesn't have user's password in such a case. This only works for the Pro version.

--
Regards,
Igor, Afterlogic Support
Back to Top View Igor's Profile Search for other posts by Igor
 
oktaya
Newbie
Newbie


Joined: 21 September 2023
Online Status: Offline
Posts: 3
Posted: 23 September 2023 at 12:59am | IP Logged Quote oktaya

Got it. Thanks a lot.
Back to Top View oktaya's Profile Search for other posts by oktaya
 

If you wish to post a reply to this topic you must first login
If you are not already registered you must first register

  Post ReplyPost New Topic
Printable version Printable version

Forum Jump

Powered by Web Wiz Forums version 7.9
Copyright ©2001-2004 Web Wiz Guide