Hello,

Sorry, but where did you see that you have to set the parameters 
SOGoOpenIdProviderURL, SOGoOpenIdLoginParam and SOGoOpenIdRedirectURI?


-- 

Quentin Hivert || Alinto || R&D Lead Developer

19 Quai Perrache 69002 Lyon

www.alinto.com

From: [email protected] <[email protected]> On Behalf Of Anantha Raghava
Sent: Wednesday, 24 December 2025 12:35
To: qhivert ([email protected]) <[email protected]>
Subject: Re: [SOGo] Setting up OIDC for SOGo


Hi,

Now the OIDC login succeeds. Tokens are getting exchanged, and SOGo is able to 
get 'email' and 'username' properly in the id_token and to extract the same.

However, just after extracting the email and username from the token, it loops 
back again and the same flow repeats many times, finally failing the proper 
redirection.

  /* OpenID Provider Configuration endpoint (mandatory) */
  SOGoOpenIdProviderURL   = "https://idam.indryve.org";
  SOGoOpenIdConfigUrl     = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
  SOGoOpenIdClient        = "xxxxxx";
  SOGoOpenIdClientSecret  = "xxxxxxxx";

  /* e.g. "openid profile email" */
  SOGoOpenIdScope         = "openid profile email";
  /* claim that carries the mailbox/uid; defaults to email if unset */
  SOGoOpenIdLoginParam    = "username";
  SOGoOpenIdEmailParam    = "email";
  SOGoOpenIdRedirectURI   = "https://dav.indryve.org/SOGo/so/oidc/callback";

Above is the OpenID section of sogo.conf.

Is the SOGoOpenIdRedirectURI proper?

I am not able to understand why the login simply goes into a loop even after a 
proper OIDC exchange and getting the proper username and email claims from the 
tokens.

Any guidance here?


Thanks n’ Regards,

Raghav

On 24/12/25 3:46 pm, qhivert ([email protected]) wrote:

Here it is:

canAuthenticate = NO;   /* OIDC handles auth */

Switch that to YES. It is a bit misleading, as this param is also used for 
authorization. So even if you have OIDC for auth, you still need to set this 
param to YES.

Cheers,

-- 

Quentin Hivert || Alinto || R&D Lead Developer 

19 Quai Perrache 69002 Lyon

www.alinto.com

From: [email protected] <[email protected]> On Behalf Of Anantha Raghava
Sent: Wednesday, 24 December 2025 11:05
To: qhivert ([email protected]) <[email protected]>
Subject: Re: [SOGo] Setting up OIDC for SOGo

Hi,

Thanks for the quick response.

Here is my sogo.conf

{
  /* WebObjects / core runtime debugging */
  WODebuggingEnabled = YES;
  WOLogLevel = debug;

  /* Process & logging */
  WOWorkersCount = 1;
  WOPort = "0.0.0.0:20000";
  WOLogFile = "-";

  /* Timezone (optional but recommended) */
  SOGoTimeZone = "Asia/Kolkata";

  /* Cache (external memcached in Kubernetes) */
  SOGoMemcachedHost = "sogo-memcached.indryve-org.svc.cluster.local:11211";

  /* Database (PostgreSQL via single base URL + multiple logical stores) */
  SOGoProfileURL        = "postgresql://postgres:[email protected]:5432/sogo/sogo_user_profile";
  OCSFolderInfoURL      = "postgresql://postgres:[email protected]:5432/sogo/sogo_folder_info";
  OCSSessionsFolderURL  = "postgresql://postgres:[email protected]:5432/sogo/sogo_sessions_folder";
  OCSStoreURL           = "postgresql://postgres:[email protected]:5432/sogo/sogo_store";
  OCSAclURL             = "postgresql://postgres:[email protected]:5432/sogo/sogo_acl";
  OCSCacheFolderURL     = "postgresql://postgres:[email protected]:5432/sogo/sogo_cache_folder";
  OCSAdminURL           = "postgresql://postgres:[email protected]:5432/sogo/sogo_admin";


  /* ---------------------------
     AUTH: OpenID Connect (SSO)
     --------------------------- */
  SOGoAuthenticationType      = openid;
  SOGoXSRFValidationEnabled   = NO;

  /* DB URL used to store OpenID sessions (mandatory for OpenID) */
  OCSOpenIdURL = "postgresql://postgres:[email protected]:5432/sogo/sogo_openid";

  /* OpenID Provider Configuration endpoint (mandatory) */
  SOGoOpenIdConfigUrl     = "https://idam.indryve.org/oauth2/oidcdiscovery/.well-known/openid-configuration";
  SOGoOpenIdClient        = "xxxxxxxx";
  SOGoOpenIdClientSecret  = "xxxxxxxxxxxxx";

  /* e.g. "openid profile email" */
  SOGoOpenIdScope         = "openid profile email";
  /* claim that carries the mailbox/uid; defaults to email if unset */
  SOGoOpenIdEmailParam    = "email";
  SOGoOpenIdRedirectURI   = "https://dav.indryve.org/SOGo/so/oidc/callback";


  /* optional knobs */
  SOGoOpenIdEnableRefreshToken = YES;
  SOGoOpenIdTokenCheckInterval = 300;
  SOGoOpenIdLogoutEnabled      = YES;
  SOGoTrustProxy = YES;
  SOGoSecureCookies = YES;
  SOGoUseRelativeURLs = NO;
  SOGoForceExternalLoginWithHTTPS = YES;
  SOGoForceExternalLoginWithEmail = YES;
  SOGoDebugRequests = YES;
  SOGoDebugResponse = YES;
  SOGoMailDebugEnabled = YES;
  SOGoDebugOpenId = YES;

  /* If SOGo is used as webmail with OpenID, IMAP/SMTP need XOAUTH2.
     If you are Cal/Card only, keep these unset or disabled. */
  /* NGImap4AuthMechanism = xoauth2; */
  /* SOGoSMTPAuthenticationType = xoauth2; */

  /* Indryve: Calendar + Contacts */
  SOGoCalendarDAVAccessEnabled          = YES;
  SOGoAddressBookDAVAccessEnabled       = YES;
  SOGoAppointmentSendEMailNotifications = YES;

  SOGoPageTitle = "SOGo";
  SOGoPasswordChangeEnabled = NO;

  /* LDAP user source: Samba-AD (Address Book only) */
  SOGoUserSources = (
    {
      id              = "indryve-ad";
      type            = ldap;
      canAuthenticate = NO;   /* OIDC handles auth */
      isAddressBook   = YES;  /* directory/contacts source */

      CNFieldName     = "cn";
      IDFieldName     = "sAMAccountName";
      UIDFieldName    = "sAMAccountName";

      baseDN          = "DC=indryve,DC=demo";
      bindDN          = "CN=sogo_bind,OU=BindUsers,DC=indryve,DC=demo";
      bindPassword    = "oeKObjR9KmstkNd6";
      hostname        = "ldaps://ad.indryve.demo:636";

      filter          = "(objectClass=person)";
      MailFieldNames  = (mail);
      displayName     = "Indryve Directory";
      SSL             = YES;
    }
  );
}


Thanks n’ Regards,


Raghav


On 24/12/25 2:09 pm, qhivert ([email protected]) wrote:

Hello,
It means there is a mismatch between the info returned by your OpenID userinfo
endpoint and your user source.
Can you share your sogo.conf (mind the passwords and secrets in it)?

The param
SOGoOpenIdEmailParam = "email";
tells SOGo where to get the user email in your userinfo endpoint.

It must match the uid (or UIDFieldName) of your user source. Be sure to have
canAuthenticate = YES;
in your user source.

You can add these to have more logs:
SOGoDebugRequests = YES;
SOGoOpenIDDebugEnabled = YES;

Cheers,
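As an added example (not code from this thread or from SOGo itself), here is a small Python check that encodes the two rules stated in the replies above: with SOGoAuthenticationType = openid the user source still needs canAuthenticate = YES, and the claim named by SOGoOpenIdEmailParam must match the user source's UIDFieldName. The sogo.conf dict, the directory entry and the unsigned sample id_token are all constructed placeholders.

```python
import base64
import json
# Constructed sample of the OpenID-related keys from an sogo.conf, held as a
# Python dict (the real file uses OpenStep plist syntax). Values are placeholders.
SOGO_CONF = {
    "SOGoAuthenticationType": "openid",
    "SOGoOpenIdConfigUrl": "https://idp.example.test/.well-known/openid-configuration",
    "SOGoOpenIdClient": "CLIENT_ID_PLACEHOLDER",
    "SOGoOpenIdClientSecret": "CLIENT_SECRET_PLACEHOLDER",
    "SOGoOpenIdEmailParam": "email",
    "OCSOpenIdURL": "postgresql://sogo:DB_PASSWORD_PLACEHOLDER@db.example.test/sogo/sogo_openid",
    "SOGoUserSources": [{"id": "directory", "type": "ldap", "canAuthenticate": "NO",
                         "UIDFieldName": "sAMAccountName"}],
}
# Constructed directory entry, as the LDAP user source would return it.
DIRECTORY_ENTRY = {"sAMAccountName": "jdoe", "mail": "jdoe@example.test"}

def lint_openid_conf(conf):
    """Return the problems that make an OpenID login fail or loop back to the IdP."""
    problems = []
    if conf.get("SOGoAuthenticationType") != "openid":
        return problems
    for key in ("OCSOpenIdURL", "SOGoOpenIdConfigUrl", "SOGoOpenIdClient", "SOGoOpenIdClientSecret"):
        if not conf.get(key):
            problems.append(f"{key} is required when SOGoAuthenticationType = openid")
    # canAuthenticate is also used for authorization, so it must stay YES with OIDC.
    if not any(s.get("canAuthenticate") == "YES" for s in conf.get("SOGoUserSources", [])):
        problems.append("no user source has canAuthenticate = YES")
    return problems

def make_unsigned_jwt(claims):
    """Build an unsigned JWT purely as offline sample input for the checks below."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def id_token_claims(id_token):
    """Decode a JWT payload without verifying it; SOGo itself validates the real token."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def match_claim_to_source(conf, claims, entry):
    """Report a mismatch between the SOGoOpenIdEmailParam claim and the source's UID field."""
    claim = conf.get("SOGoOpenIdEmailParam", "email")
    uid_field = conf["SOGoUserSources"][0]["UIDFieldName"]
    if claims.get(claim) != entry.get(uid_field):
        return f"claim {claim}={claims.get(claim)!r} does not match {uid_field}={entry.get(uid_field)!r}"
    return None
```

With the sample values the linter flags the canAuthenticate = NO source, and the claim check shows why an 'email' claim cannot match a sAMAccountName uid while a 'username' claim can.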
