|
| 1 | +# universal_oidc_mail_sso |
| 2 | + |
| 3 | +Roundcube plugin for: |
| 4 | +- OIDC Provider OIDC SSO (Authorization Code + PKCE) |
| 5 | +- One-time mailbox credential setup |
| 6 | +- Encrypted mailbox credentials at rest |
| 7 | +- Automatic IMAP/SMTP authentication after OIDC login |
| 8 | + |
| 9 | +## Features |
| 10 | + |
| 11 | +- OIDC discovery from `OIDC_ISSUER` |
| 12 | +- PKCE (`S256`) + `state` + `nonce` |
| 13 | +- ID token validation via JWKS (`RS256`) |
| 14 | +- Required claim mapping: |
| 15 | + - stable user id: `sub` |
| 16 | + - email/login id: `email` (required) |
| 17 | +- Optional domain allow-list check (`ALLOWED_EMAIL_DOMAIN`; empty or `*` allows all) |
| 18 | +- One-time connect screen storing mailbox password/app-password encrypted in DB |
| 19 | +- Encryption backends: |
| 20 | + - preferred: `libsodium` (`sodium_secretbox`) |
| 21 | + - fallback: OpenSSL `aes-256-gcm` |
| 22 | +- Auto-injection of IMAP/SMTP credentials in Roundcube hooks (`authenticate`, `storage_connect`, `smtp_connect`) |
| 23 | +- Optional SMTP auth toggle for servers that allow relay without SMTP AUTH |
| 24 | +- Supports `ssl`, `tls`, `starttls`, and `none` security modes |
| 25 | +- Built-in IMAP/SMTP credential test before saving profile |
| 26 | +- Audit log table for authentication/provisioning events |
| 27 | +- Admin dashboard for mapped accounts + audit history (restricted by OIDC group) |
| 28 | +- Session-based setup form throttle + CSRF protection |
| 29 | +- Reverse proxy aware redirect URI construction (`X-Forwarded-Proto`, `X-Forwarded-Host`, `FORCE_HTTPS`) |
| 30 | + |
| 31 | +## Plugin layout |
| 32 | + |
| 33 | +- `universal_oidc_mail_sso.php` main plugin |
| 34 | +- `lib/OidcClient.php` OIDC discovery/token flow |
| 35 | +- `lib/JwksValidator.php` JWT + JWKS signature/claim validation |
| 36 | +- `lib/Crypto.php` encryption wrapper and key validation |
| 37 | +- `lib/Storage.php` DB access for identity + mailbox records |
| 38 | +- `skins/elastic/templates/connect_mailbox.html` one-time mailbox setup view |
| 39 | +- `SQL/mysql.initial.sql` schema |
| 40 | +- `misc/crypto_tool.php` CLI helper for key/encryption checks |
| 41 | +- `misc/run_tests.php` minimal tests |
| 42 | + |
| 43 | +## Database schema |
| 44 | + |
| 45 | +Apply `SQL/mysql.initial.sql` to your Roundcube DB (it uses `{$prefix}` placeholders for Roundcube table prefix handling). |
| 46 | + |
| 47 | +Tables: |
| 48 | +- `oidc_mail_sso_oidc_user` minimal mapping (`oidc_sub`, `email`, `last_login_at`, optional `user_id`) |
| 49 | +- `oidc_mail_sso_mailbox` encrypted mailbox config and app-password |
| 50 | +- `oidc_mail_sso_audit_log` structured event/audit history |
| 51 | + |
| 52 | +## Required env vars |
| 53 | + |
| 54 | +- `OIDC_ISSUER` (e.g. `https://oidc.example.com`) |
| 55 | +- `OIDC_CLIENT_ID` |
| 56 | +- `RCUBE_MAILBOX_KEY` (base64 of exactly 32 random bytes) |
| 57 | + |
| 58 | +Optional: |
| 59 | +- `OIDC_CLIENT_SECRET` (for confidential clients) |
| 60 | +- `OIDC_REDIRECT_URI` (if omitted, plugin computes from request/proxy headers) |
| 61 | +- `OIDC_POST_LOGOUT_REDIRECT_URI` |
| 62 | +- `ALLOWED_EMAIL_DOMAIN` (optional; empty or `*` allows all domains) |
| 63 | +- `FORCE_HTTPS=true` |
| 64 | +- `DISABLE_PASSWORD_LOGIN=true` |
| 65 | +- `ADMIN_GROUP_NAME=webmail_admin` |
| 66 | + |
| 67 | +Generic defaults (override as needed): |
| 68 | +- `DEFAULT_IMAP_HOST=imap.example.com` |
| 69 | +- `DEFAULT_IMAP_PORT=993` |
| 70 | +- `DEFAULT_IMAP_SECURITY=ssl` |
| 71 | +- `DEFAULT_SMTP_HOST=smtp.example.com` |
| 72 | +- `DEFAULT_SMTP_PORT=587` |
| 73 | +- `DEFAULT_SMTP_SECURITY=tls` |
| 74 | +- `DEFAULT_SMTP_AUTH=1` |
| 75 | + |
| 76 | +Generate key: |
| 77 | + |
| 78 | +```sh |
| 79 | +php -r 'echo base64_encode(random_bytes(32)), PHP_EOL;' |
| 80 | +``` |
| 81 | + |
| 82 | +## Docker (roundcube/roundcubemail) setup |
| 83 | + |
| 84 | +Example `docker-compose.yml` fragment: |
| 85 | + |
| 86 | +```yaml |
| 87 | +services: |
| 88 | + roundcube: |
| 89 | + image: roundcube/roundcubemail:latest |
| 90 | + ports: |
| 91 | + - "8080:80" |
| 92 | + volumes: |
| 93 | + - ./plugins/universal_oidc_mail_sso:/var/www/html/plugins/universal_oidc_mail_sso |
| 94 | + environment: |
| 95 | + ROUNDCUBEMAIL_PLUGINS: "universal_oidc_mail_sso" |
| 96 | + OIDC_ISSUER: "https://oidc.example.com" |
| 97 | + OIDC_CLIENT_ID: "roundcube" |
| 98 | + OIDC_CLIENT_SECRET: "" |
| 99 | + ALLOWED_EMAIL_DOMAIN: "" |
| 100 | + RCUBE_MAILBOX_KEY: "<base64-32-byte-key>" |
| 101 | + FORCE_HTTPS: "true" |
| 102 | + DISABLE_PASSWORD_LOGIN: "true" |
| 103 | +``` |
| 104 | +
|
| 105 | +Roundcube plugin config can be copied from `config.inc.php.dist` into `config.inc.php` if needed. |
| 106 | + |
| 107 | +## Local test quickstart (this repository) |
| 108 | + |
| 109 | +Files provided: |
| 110 | +- `docker-compose.yml` |
| 111 | +- `.env.example` |
| 112 | +- `plugins/universal_oidc_mail_sso/SQL/mysql.local.sql` |
| 113 | + |
| 114 | +Steps: |
| 115 | + |
| 116 | +```sh |
| 117 | +cd <repo-dir> |
| 118 | +cp .env.example .env |
| 119 | +# edit .env: set OIDC Provider client values and RCUBE_MAILBOX_KEY |
| 120 | +docker compose up -d |
| 121 | +docker compose exec -T db mariadb -u"$DB_USER" -p"$DB_PASSWORD" "$DB_NAME" < plugins/universal_oidc_mail_sso/SQL/mysql.local.sql |
| 122 | +``` |
| 123 | + |
| 124 | +Then open `http://localhost:8080`. |
| 125 | + |
| 126 | +## Where secrets/config go |
| 127 | + |
| 128 | +Primary method (recommended): container environment variables in `.env` (consumed by `docker-compose.yml`): |
| 129 | +- `OIDC_CLIENT_ID` |
| 130 | +- `OIDC_CLIENT_SECRET` |
| 131 | +- `OIDC_ISSUER` |
| 132 | +- `OIDC_REDIRECT_URI` |
| 133 | +- `RCUBE_MAILBOX_KEY` |
| 134 | +- `ADMIN_GROUP_NAME` |
| 135 | + |
| 136 | +## Admin dashboard |
| 137 | + |
| 138 | +URL: |
| 139 | + |
| 140 | +`/?_task=settings&_action=plugin.universal_oidc_mail_sso_admin` |
| 141 | + |
| 142 | +Access control: |
| 143 | +- only users with OIDC `groups` claim containing `webmail_admin` (or `ADMIN_GROUP_NAME` override) |
| 144 | + |
| 145 | +Alternative method: Roundcube plugin config file: |
| 146 | +- copy `plugins/universal_oidc_mail_sso/config.inc.php.dist` |
| 147 | +- to `plugins/universal_oidc_mail_sso/config.inc.php` |
| 148 | +- and set `$config['universal_oidc_mail_sso_*']` values there. |
| 149 | + |
| 150 | +## CLI utility |
| 151 | + |
| 152 | +Run key and crypto self-test: |
| 153 | + |
| 154 | +```sh |
| 155 | +php plugins/universal_oidc_mail_sso/misc/crypto_tool.php self-test |
| 156 | +``` |
| 157 | + |
| 158 | +Encrypt demo value: |
| 159 | + |
| 160 | +```sh |
| 161 | +php plugins/universal_oidc_mail_sso/misc/crypto_tool.php encrypt "secret" |
| 162 | +``` |
| 163 | + |
| 164 | +Decrypt: |
| 165 | + |
| 166 | +```sh |
| 167 | +php plugins/universal_oidc_mail_sso/misc/crypto_tool.php decrypt <alg> <password_enc_b64> <nonce_b64> |
| 168 | +``` |
| 169 | + |
| 170 | +## Tests |
| 171 | + |
| 172 | +```sh |
| 173 | +php plugins/universal_oidc_mail_sso/misc/run_tests.php |
| 174 | +``` |
| 175 | + |
| 176 | +Covers: |
| 177 | +- encryption/decryption round-trip |
| 178 | +- OIDC discovery retrieval and JWKS-backed ID token validation (mocked endpoints) |
| 179 | + |
| 180 | +## Security notes / threat model |
| 181 | + |
| 182 | +- App-password is never stored plaintext in DB. |
| 183 | +- Master key is external (`RCUBE_MAILBOX_KEY`), not persisted by plugin. |
| 184 | +- Decrypted credentials are used only in memory at auth/connect time. |
| 185 | +- Logs intentionally avoid secrets/tokens/passwords. |
| 186 | +- Missing claim/domain mismatch/missing mailbox/decrypt failures fail closed. |
| 187 | +- CSRF token enforced on connect form submission. |
| 188 | +- Basic session-based rate limit applied to setup submissions. |
| 189 | + |
| 190 | +## Operational notes |
| 191 | + |
| 192 | +- Ensure Roundcube runs behind HTTPS and trusted reverse proxy headers are set correctly. |
| 193 | +- Keep `RCUBE_MAILBOX_KEY` in secret manager/runtime env, rotate carefully. |
| 194 | +- If key changes, previously stored mailbox passwords cannot be decrypted and must be re-provisioned. |
0 commit comments