Hi,

Thank you for this, it makes more sense. I have no access to the database behind
the oidc provider, so I'll have to either:
- implement it in sogo to create the user automatically if the domain is
  whitelisted and a new switch is enabled
or
- create some wrapper interface that directly adds it to sogo and also
  registers the user over the api

canAuthenticate is interesting, but I'll keep it YES then.

Your help was greatly appreciated. Some of these details could be considered
as a nice addition to this new oidc feature's documentation as examples.

Best Regards
Levi

> >> Is there a way to get sogo to register new users automatically as they
> >> login with the oidc successfully?
> 
> Nope, SOGo has not been designed to do that. The sso is just here to tell
> SOGo "hey, the user with the mail [email protected] is authenticated and can
> access the webmail". SOGo will then check its user source to see if the user
> [email protected] exists and give him access.
> With an sql user source you must have a table with at least:
> * c_uid: the mail [email protected] in your case
> * c_name: also the mail [email protected]
> * c_password: password of the user. With OIDC it will only be used if your
>   user uses caldav/carddav with thunderbird for example. In the setup, it
>   will have to use this password.
> * c_cn: the user's common name
> * mail: [email protected]
> In fact, you must set up your user source as if there were no oidc, so follow
> the guideline here ->
> https://www.sogo.nu/files/docs/SOGoInstallationGuide.html#Authentication-using-SQL
> 
> To match the sogo user source with your oauth source, you have to create the
> users in both sources, or you could use your oauth source if it uses an ldap
> server.
> 
> I'm not 100% sure, but canAuthenticate seems to be required to be YES even
> with oauth.
> 
> Quentin
> 
> -----Original Message-----
> From: [email protected] <[email protected]> On Behalf Of
> "Levente Tamas"
> Sent: Tuesday, 8 April 2025 11:41
> To: [email protected]
> Subject: RE: [SOGo] OIDC login endless loop on successful login
> 
> Hi Quentin,
> Yes I have a usersource, but probably that is where the process is failing
> at the moment. Am I understanding it correctly that a view must be created?
> I am using pgsql as the backend.
> 
> Is there a way to get sogo to register new users automatically as they login
> with the oidc successfully? Or do I have to create some hand crafted solution
> that registers the users in the oauth source and then creates it in pgsql as
> well, but without the password? Or how is the password even handled? Does
> canAuthenticate need to be YES or NO in the usersource when using oauth?
> 
> I appreciate your prompt response!
> BR
> Levi
> 
> > -----Original Message-----
> > From: [email protected] <[email protected]> On Behalf Of
> > qhivert
> > Sent: Tuesday, April 8, 2025 9:43 AM
> > To: [email protected]
> > Subject: RE: [SOGo] OIDC login endless loop on successful login
> >
> > Hello,
> >
> > Did you configure a usersource after all? It is mandatory, openid is
> > just for the authentication but sogo will still need a user source to
> > fetch info of the user.
> > This endless loop probably means that the email fetched from the openid
> > server is not found in your user source.
> >
> > Quentin
> >
> > -----Original Message-----
> > From: [email protected] <[email protected]> On Behalf Of
> "Levi"
> > Sent: Tuesday, 8 April 2025 01:34
> > To: [email protected]
> > Subject: [SOGo] OIDC login endless loop on successful login
> >
> > Hi,
> > I have installed v5.12.0 and am trying to make OIDC login work. The
> > first hitch was that SOGo requires the end_session_endpoint key present
> > in the openid-configuration. That has been solved.
> > After that, without a user source configured, it is telling on boot:
> > Apr 08 01:25:16 sogod [9]: [WARN] <0x0x7f7790e3c180[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
> > Apr 08 01:25:16 sogod [9]: [ERROR] <0x0x5558161cd7e0[SOGoUserManager]> No authentication sources defined - nobody will be able to login. Check your defaults.
> >
> > I am not sure if this has any effect, I can make it go away by
> > specifying a user source.
> >
> > Given these configurations:
> >   SOGoAuthenticationType = "openid";
> >   SOGoOpenIdConfigUrl = "https://[MYOIDCURL]/.well-known/openid-configuration";
> >   SOGoOpenIdClient = "sogo";
> >   SOGoOpenIdClientSecret = "sogo";
> >   SOGoOpenIdScope = "openid offline_access";
> >   SOGoOpenIdEmailParam = "email";
> >   SOGoOpenIdEnableRefreshToken = YES;
> >   SOGoOpenIdTokenCheckInterval = 300;
> >   SOGoOpenIdLogoutEnabled = NO;
> >
> > I am getting into an endless loop on the oauth provider login, even
> > though seemingly the user and its email have been fetched correctly
> > from the userinfo endpoint:
> > Apr 08 02:03:11 sogod [7]: |SOGo| starting method 'GET' on uri '/SOGo'
> > Apr 08 02:03:11 sogod [7]: <0x0x5555de4e2c80[SOGoCache]> Cache cleanup interval set every 300.000000 seconds
> > Apr 08 02:03:11 sogod [7]: <0x0x5555de4e2c80[SOGoCache]> Using host(s) 'memcached' as server(s)
> > Apr 08 02:03:11 sogod [7]: [WARN] <0x0x7fa5e0cdb180[WOxElemBuilder]> could not locate builders: WOxExtElemBuilder,WOxExtElemBuilder
> > 2025-04-08 02:03:11.795 sogod[7:7] PG0x0x5555de66fa50 SQL: SELECT c_defaults FROM sogo_user_profile WHERE c_uid = 'anonymous'
> > 2025-04-08 02:03:11.940 sogod[7:7] PG0x0x5555de66fa50 SQL: select character_octet_length as CHARACTER_MAXIMUM_LENGTH from information_schema.columns where table_name = 'sogo_user_profile' AND column_name = 'c_defaults'
> > 2025-04-08 02:03:12.277 sogod[7:7] OpenId perform request: GET https://[MYOIDCURL]/.well-known/openid-configuration
> > 2025-04-08 02:03:12.277 sogod[7:7] OpenId perform request, headers (null)
> > Apr 08 02:03:12 sogod [7]: |SOGo| request took 0.987919 seconds to execute
> > Apr 08 02:03:12 sogod [7]: [MYOIDCURL] "GET /SOGo HTTP/1.1" 302 0/0 1.018 - - 4M - 11
> > Apr 08 02:03:25 sogod [7]: |SOGo| starting method 'GET' on uri '/SOGo/?code=[CODE_RETURNED]'
> > 2025-04-08 02:03:25.084 sogod[7:7] OpenId perform request: POST https://[MYOIDCURL]/auth/token
> > 2025-04-08 02:03:25.084 sogod[7:7] OpenId perform request, headers {"content-type" = "application/x-www-form-urlencoded"; }
> > 2025-04-08 02:03:25.162 sogod[7:7] fetch token response: {"access_token" = "[ACCESS_TOKEN]"; "expires_in" = 3600; "id_token" = "[ID_TOKEN]"; "refresh_token" = "[REFRESH_TOKEN]"; "token_type" = bearer; }
> > 2025-04-08 02:03:25.162 sogod[7:7] OpenId perform request: GET https://[MYOIDCURL]/auth/userinfo
> > 2025-04-08 02:03:25.162 sogod[7:7] OpenId perform request, headers {authorization = "Bearer [ACCESS_TOKEN]"; "content-type" = "application/x-www-form-urlencoded"; }
> > >>>>
> > 2025-04-08 02:03:25.199 sogod[7:7] OpenId fetch user info, profile is {email = "test@[MAIL_DOMAIN]"; "email_verified" = 1; name = "Test"; "preferred_username" = "[DOMAIN]_test"; sub = 59; }
> > >>>>
> > 2025-04-08 02:03:25.370 sogod[7:7] PG0x0x5555de821250 SQL: BEGIN TRANSACTION
> > 2025-04-08 02:03:25.371 sogod[7:7] PG0x0x5555de821250 SQL: SELECT t1.c_access_token_expires_in, t1.c_old_session, t1.c_refresh_token, t1.c_refresh_token_expires_in, t1.c_session_started, t1.c_user_session FROM sogo_openid t1 WHERE t1.c_user_session='[ACCESS_TOKEN]'
> > 2025-04-08 02:03:25.385 sogod[7:7] PG0x0x5555de821250 SQL: ROLLBACK TRANSACTION
> > 2025-04-08 02:03:25.386 sogod[7:7] PG0x0x5555de81e850 SQL: BEGIN TRANSACTION
> > 2025-04-08 02:03:25.386 sogod[7:7] PG0x0x5555de81e850 SQL: INSERT INTO sogo_openid (c_access_token_expires_in, c_refresh_token, c_session_started, c_old_session, c_refresh_token_expires_in, c_user_session) VALUES (1744070605, '[REFRESH_TOKEN]', 1744067005, '', -1, '[ACCESS_TOKEN]')
> > 2025-04-08 02:03:25.386 sogod[7:7] PG0x0x5555de81e850 SQL: COMMIT TRANSACTION
> > 2025-04-08 02:03:25.506 sogod[7:7] PG0x0x5555de830bd0 SQL: BEGIN TRANSACTION
> > 2025-04-08 02:03:25.506 sogod[7:7] PG0x0x5555de830bd0 SQL: SELECT t1.c_creationdate, t1.c_id, t1.c_lastseen, t1.c_value FROM sogo_sessions_folder t1 WHERE t1.c_id='wOGO5YkbvWaXv3xE'
> > 2025-04-08 02:03:25.520 sogod[7:7] PG0x0x5555de830bd0 SQL: ROLLBACK TRANSACTION
> > 2025-04-08 02:03:25.520 sogod[7:7] PG0x0x5555de81c6a0 SQL: BEGIN TRANSACTION
> > 2025-04-08 02:03:25.520 sogod[7:7] PG0x0x5555de81c6a0 SQL: INSERT INTO sogo_sessions_folder (c_lastseen, c_creationdate, c_value, c_id) VALUES (1744067005, 1744067005, '[LONG_STRING]', 'wOGO5YkbvWaXv3xE')
> > 2025-04-08 02:03:25.537 sogod[7:7] PG0x0x5555de81c6a0 SQL: COMMIT TRANSACTION
> > Apr 08 02:03:25 sogod [7]: |SOGo| request took 0.485499 seconds to execute
> > Apr 08 02:03:25 sogod [7]: [MYOIDCURL] "GET /SOGo/?code=[CODE_RETURNED] HTTP/1.1" 302 0/0 0.490 - - 1M - 13
> > Apr 08 02:03:25 sogod [7]: |SOGo| starting method 'GET' on uri '/SOGo'
> > Apr 08 02:03:25 sogod [7]: |SOGo| request took 0.000552 seconds to execute
> > Apr 08 02:03:25 sogod [7]: [MYOIDCURL] "GET /SOGo HTTP/1.1" 302 0/0 0.001 - - 0 - 13
> >
> > Can someone spot what I am missing to let me login?
> > The browser shows properly set 0xHIGHFLYxSOGO and openid-location
> > cookies.
> > I am making it for sure to this line:
> > https://github.com/Alinto/sogo/blob/4be3ba227c8f5c30bce2150d183705df6ff693c8/SoObjects/SOGo/SOGoOpenIdSession.m#L678
> >
> > Thank you
> > Levi
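As an added example (not code from this thread and not part of the SOGo project), the script below implements the provisioning step Levi describes: take the userinfo profile the IdP returns, admit it only if the mail domain is allow-listed and the IdP marked the address as verified, and create the user-source row with the five columns Quentin listed. Everything it assumes is its own: the table name `sogo_users`, the allow-list, a SOGo SQL source set to `userPasswordAlgorithm = "ssha"` so that `c_password` can hold an LDAP-style `{SSHA}` hash, and `sqlite3` standing in for PostgreSQL so that it runs offline (replace the connection with `psycopg2` for a real pgsql backend). The sample profile is constructed to match the shape of the `OpenId fetch user info` line in the log.

```python
"""Added example: provision a SOGo SQL user-source row from an OIDC profile.

Not the SOGo project's code. Assumptions: table sogo_users with the columns
c_uid, c_name, c_password, c_cn, mail; the SOGo SQL source configured with
userPasswordAlgorithm = "ssha" so c_password stores an {SSHA} hash; sqlite3
used in place of PostgreSQL so the script runs offline.
"""
import base64
import hashlib
import hmac
import os
import secrets
import sqlite3
from typing import Optional

ALLOWED_DOMAINS = {"example.org"}  # constructed allow-list for the demo

# Constructed userinfo profile, shaped like the one in the thread's log output.
SAMPLE_PROFILE = {
    "email": "test@example.org",
    "email_verified": 1,
    "name": "Test",
    "preferred_username": "example_test",
    "sub": 59,
}

SCHEMA = """
CREATE TABLE IF NOT EXISTS sogo_users (
    c_uid      TEXT PRIMARY KEY,
    c_name     TEXT NOT NULL,
    c_password TEXT NOT NULL,
    c_cn       TEXT NOT NULL,
    mail       TEXT NOT NULL
)
"""


def open_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the pgsql user source."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """LDAP-style {SSHA}: base64(sha1(password + salt) + salt) with an 8-byte random salt."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password: str, stored: str) -> bool:
    """Check a password against a stored {SSHA} value in constant time."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)


def user_exists(conn: sqlite3.Connection, uid: str) -> bool:
    """The lookup SOGo does after the IdP has said who logged in: is c_uid in the source?"""
    row = conn.execute("SELECT 1 FROM sogo_users WHERE c_uid = ?", (uid,)).fetchone()
    return row is not None


def provision_user(conn: sqlite3.Connection, profile: dict):
    """Create the user-source row for an OIDC profile; refuse anything not allow-listed.

    Returns (c_uid, dav_password). The DAV password is generated once, stored only
    as a hash, and exists solely for CalDAV/CardDAV clients such as Thunderbird;
    browser logins go through OIDC and never use it.
    """
    email = str(profile.get("email", "")).strip().lower()
    if not profile.get("email_verified"):
        raise PermissionError(f"IdP did not mark {email!r} as verified")
    local, at, domain = email.rpartition("@")
    if not (local and at and domain in ALLOWED_DOMAINS):
        raise PermissionError(f"domain of {email!r} is not allow-listed")
    if user_exists(conn, email):
        raise ValueError(f"{email!r} is already provisioned")
    dav_password = secrets.token_urlsafe(24)
    conn.execute(
        "INSERT INTO sogo_users (c_uid, c_name, c_password, c_cn, mail) "
        "VALUES (?, ?, ?, ?, ?)",
        (email, email, ssha_hash(dav_password), profile.get("name") or email, email),
    )
    conn.commit()
    return email, dav_password


if __name__ == "__main__":
    db = open_demo_db()
    uid, pw = provision_user(db, SAMPLE_PROFILE)
    print(f"provisioned {uid}; one-time DAV password: {pw}")
    print("user-source lookup now succeeds:", user_exists(db, uid))
```

The two gates are the part worth keeping whatever the storage backend: `email_verified` stops an IdP account whose address has merely been typed in from claiming a mailbox, and the domain allow-list keeps the "create on first login" switch from turning every account at the provider into a SOGo user.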
