SSO auto-discovery might require the setup of a `.well-known/webfinger` endpoint, as described in the OIDC discovery spec, via external means (not provided here).
Here is an architecture diagram showing how Single Log Out works for this example, using the backchannel OIDC flow:
Here is an architecture diagram showing how to authenticate JAMES IMAP/SMTP using OIDC Provider:
Just do:

```
docker-compose up
```
There is no frontend in this example to interact directly with Keycloak and get a valid JWT token from it.
However, you can use the Keycloak playground example:
- Fill in the Keycloak URL `http://localhost:8080/auth`, the realm `oidc` and the client `oidc`, then click `Save`
- Click `Sign in` and you will get redirected to your Keycloak login screen
- Log in with `james-user@localhost` / `secret`
- Copy the `access_token` sent back from Keycloak
- Do a JMAP request (e.g. `Mailbox/get`) with curl, Postman, ... towards the `/oidc/jmap` endpoint of Krakend: `POST http://localhost:8090/oidc/jmap`
  `fe100f0103112aa50a585b7ca037c6b9387352991fc35cec15faf7ce4edd8d03`
  - Pass the `access_token` in the `Authorization` header as a Bearer token
  - Pass the `Accept` header as well with the value `application/json; jmapVersion=rfc-8621` to use the JMAP spec from RFC 8621

If everything goes well, you should get a valid response back.
When the user logs out, we use Keycloak back-channel logout to send a message to the jwt-revoker side container, which parses the `logout_token`, fetches the `sid` claim (the id of the session the user decided to terminate) and adds it to Krakend's bloom filter. Krakend then rejects any token carrying the same `sid`, because that session has been revoked.
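The revocation flow described above, as an added example that is not part of the James project's code: a minimal Python stand-in for the jwt-revoker and the Krakend check. It assumes HS256 with a constructed shared secret instead of Keycloak's RS256 keys, a plain set instead of Krakend's bloom filter, and applies the `events`, `nonce` and `sid` checks the OIDC Back-Channel Logout spec requires before a `logout_token` is trusted.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret (HS256 keeps this offline); real jwt-revoker code verifies Keycloak's RS256 signature against the realm JWKS
SHARED_SECRET = b"demo-secret-not-keycloak"
BACKCHANNEL_EVENT = "http://schemas.openid.net/event/backchannel-logout"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_jwt(claims: dict) -> str:
    # Stand-in for the tokens Keycloak issues (both access_token and logout_token)
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def verify_jwt(token: str) -> dict:
    # Pin the algorithm and check the signature before trusting any claim
    header, body, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(body))

class SidRevocationStore:
    # A plain set stands in for Krakend's bloom filter (same contract, minus false positives)
    def __init__(self):
        self.revoked = set()

    def handle_logout_token(self, logout_token: str) -> str:
        # jwt-revoker side: validate per OIDC Back-Channel Logout, then revoke the sid
        claims = verify_jwt(logout_token)
        if BACKCHANNEL_EVENT not in claims.get("events", {}):
            raise ValueError("not a back-channel logout token")
        if "nonce" in claims:
            raise ValueError("logout token must not carry a nonce")
        sid = claims.get("sid")
        if not sid:
            raise ValueError("logout token without sid")
        self.revoked.add(sid)
        return sid

    def accepts(self, access_token: str) -> bool:
        # Krakend side: valid signature, not expired, and session not revoked
        claims = verify_jwt(access_token)
        return claims.get("exp", 0) > time.time() and claims.get("sid") not in self.revoked
```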
You can try it out with our example by clicking the `Logout` button in the Keycloak app.

We would use Thunderbird version 91.4.1 as a mail client (newer versions should work).
Open `/thunderbird/omni.ja` on your host, find and modify `OAuth2Providers.jsm`:

- Map the IMAP/SMTP hostname to the James issuer in `kHostnames`:

```js
["localhost", ["james.local", "email"]],
```

- Add the `james-thunderbird` Keycloak client in `kIssuers`:

```js
[
  "james.local",
  [
    "james-thunderbird", // client_id from keycloak
    "Xw9ht1veTu0Tk5sMMy03PdzY3AiFvssw", // client_secret from keycloak
    "http://keycloak.local:8080/auth/realms/oidc/protocol/openid-connect/auth",
    "http://keycloak.local:8080/auth/realms/oidc/protocol/openid-connect/token",
  ],
]
```
Add the line `127.0.0.1 keycloak.local` to your `/etc/hosts` so Thunderbird can resolve the address of Keycloak.
Run Thunderbird and configure the `james-user@localhost` account against these IMAP/SMTP settings:

Click `Get Messages` in your INBOX tab; a popup will show up asking you to log in against Keycloak. After the login succeeds, you can use James IMAP/SMTP. Let's try sending a mail to yourself. Then it should work.
A remark here: if you generate a new `client_secret` for the `james-thunderbird` client in Keycloak, you have to update it accordingly in `OAuth2Providers.jsm`.