sharpetronics/mailcow-dockerized
1
0
Fork 0
mirror of https://github.com/mailcow/mailcow-dockerized.git synced 2025-10-03 00:02:53 -04:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: sharpetronics:28700cf9ffaae449b673d6bdfa1b117b2b8bda0d
Branches Tags
sharpetronics:master
sharpetronics:staging
sharpetronics:update/postscreen_access.cidr
sharpetronics:renovate/php-pecl-mail-mailparse-3.x
sharpetronics:weblate-translated
sharpetronics:renovate/tianon-gosu-1.x
sharpetronics:fix/rename-phpsessid
sharpetronics:fix/samesite-cookie
sharpetronics:fix/6740
sharpetronics:fix/6739
sharpetronics:fix/6720
sharpetronics:feat/sogo-url-encryption
sharpetronics:renovate/ghcr.io-mailcow-sogo-1.x
sharpetronics:feat/passwordless-autodiscover
sharpetronics:renovate/composer-composer-2.x
sharpetronics:nightly
sharpetronics:fix/6423
sharpetronics:fix/6135
sharpetronics:6644_clamd-tmp-folder-naming-change
sharpetronics:renovate/krakjoe-apcu-5.x
sharpetronics:feat/dovecot-2.4
sharpetronics:feat/mailcow-adm
sharpetronics:feat/remove-ip6nat
sharpetronics:legacy
sharpetronics:feat/python-bootstrapper
sharpetronics:renovate/alpine-3.x
sharpetronics:dragoangel-patch-1
sharpetronics:feat/valkey
sharpetronics:fix/clean-sasl-log
sharpetronics:feat/forced-pw-update-modal
sharpetronics:feat/mTLS-auth
sharpetronics:feat/ui-improvements
sharpetronics:2025-09b
sharpetronics:2025-09a
sharpetronics:2025-09
sharpetronics:2025-07
sharpetronics:2025-05
sharpetronics:2025-03b
sharpetronics:2025-03a
sharpetronics:2025-03
sharpetronics:2025-02
sharpetronics:2025-01a
sharpetronics:2025-01
sharpetronics:2024-11b
sharpetronics:2024-11a
sharpetronics:2024-11
sharpetronics:2024-08a
sharpetronics:2024-08
sharpetronics:2024-07
sharpetronics:2024-06c
sharpetronics:2024-06b
sharpetronics:2024-06a
sharpetronics:2024-06
sharpetronics:2024-04
sharpetronics:2024-02
sharpetronics:2024-01e
sharpetronics:2024-01d
sharpetronics:2024-01c
sharpetronics:2024-01b
sharpetronics:2024-01a
sharpetronics:2024-01
sharpetronics:2023-12a
sharpetronics:2023-12
sharpetronics:2023-11a
sharpetronics:2023-11
sharpetronics:2023-10a
sharpetronics:2023-10
sharpetronics:2023-09
sharpetronics:2023-08
sharpetronics:2023-07a
sharpetronics:2023-07
sharpetronics:2023-05a
sharpetronics:2023-05
sharpetronics:2023-04b
sharpetronics:2023-04a
sharpetronics:2023-04
sharpetronics:2023-03
sharpetronics:2023-02a
sharpetronics:2023-02
sharpetronics:2023-01a
sharpetronics:2023-01
sharpetronics:2022-12b
sharpetronics:2022-12a
sharpetronics:2022-12
sharpetronics:2022-11b
sharpetronics:2022-11a
sharpetronics:2022-11
sharpetronics:2022-10a
sharpetronics:2022-10
sharpetronics:2022-09a
sharpetronics:2022-09
sharpetronics:2022-08b
sharpetronics:2022-08a
sharpetronics:2022-08
sharpetronics:2022-07a
sharpetronics:2022-07
sharpetronics:2022-06b
sharpetronics:2022-06a
sharpetronics:2022-06
sharpetronics:2022-05d
sharpetronics:2022-05c
sharpetronics:2022-05b
sharpetronics:2022-05a
sharpetronics:2022-05
sharpetronics:2022-04
sharpetronics:2022-03a
sharpetronics:2022-03
sharpetronics:2022-01a
sharpetronics:2022-01
...
compare: sharpetronics:3c24abc2e434e56cfd4757e9d5caf9988d466338
Branches Tags
sharpetronics:staging
sharpetronics:update/postscreen_access.cidr
sharpetronics:renovate/php-pecl-mail-mailparse-3.x
sharpetronics:weblate-translated
sharpetronics:renovate/tianon-gosu-1.x
sharpetronics:fix/rename-phpsessid
sharpetronics:fix/samesite-cookie
sharpetronics:fix/6740
sharpetronics:fix/6739
sharpetronics:fix/6720
sharpetronics:feat/sogo-url-encryption
sharpetronics:renovate/ghcr.io-mailcow-sogo-1.x
sharpetronics:feat/passwordless-autodiscover
sharpetronics:renovate/composer-composer-2.x
sharpetronics:nightly
sharpetronics:master
sharpetronics:fix/6423
sharpetronics:fix/6135
sharpetronics:6644_clamd-tmp-folder-naming-change
sharpetronics:renovate/krakjoe-apcu-5.x
sharpetronics:feat/dovecot-2.4
sharpetronics:feat/mailcow-adm
sharpetronics:feat/remove-ip6nat
sharpetronics:legacy
sharpetronics:feat/python-bootstrapper
sharpetronics:renovate/alpine-3.x
sharpetronics:dragoangel-patch-1
sharpetronics:feat/valkey
sharpetronics:fix/clean-sasl-log
sharpetronics:feat/forced-pw-update-modal
sharpetronics:feat/mTLS-auth
sharpetronics:feat/ui-improvements
sharpetronics:2025-09b
sharpetronics:2025-09a
sharpetronics:2025-09
sharpetronics:2025-07
sharpetronics:2025-05
sharpetronics:2025-03b
sharpetronics:2025-03a
sharpetronics:2025-03
sharpetronics:2025-02
sharpetronics:2025-01a
sharpetronics:2025-01
sharpetronics:2024-11b
sharpetronics:2024-11a
sharpetronics:2024-11
sharpetronics:2024-08a
sharpetronics:2024-08
sharpetronics:2024-07
sharpetronics:2024-06c
sharpetronics:2024-06b
sharpetronics:2024-06a
sharpetronics:2024-06
sharpetronics:2024-04
sharpetronics:2024-02
sharpetronics:2024-01e
sharpetronics:2024-01d
sharpetronics:2024-01c
sharpetronics:2024-01b
sharpetronics:2024-01a
sharpetronics:2024-01
sharpetronics:2023-12a
sharpetronics:2023-12
sharpetronics:2023-11a
sharpetronics:2023-11
sharpetronics:2023-10a
sharpetronics:2023-10
sharpetronics:2023-09
sharpetronics:2023-08
sharpetronics:2023-07a
sharpetronics:2023-07
sharpetronics:2023-05a
sharpetronics:2023-05
sharpetronics:2023-04b
sharpetronics:2023-04a
sharpetronics:2023-04
sharpetronics:2023-03
sharpetronics:2023-02a
sharpetronics:2023-02
sharpetronics:2023-01a
sharpetronics:2023-01
sharpetronics:2022-12b
sharpetronics:2022-12a
sharpetronics:2022-12
sharpetronics:2022-11b
sharpetronics:2022-11a
sharpetronics:2022-11
sharpetronics:2022-10a
sharpetronics:2022-10
sharpetronics:2022-09a
sharpetronics:2022-09
sharpetronics:2022-08b
sharpetronics:2022-08a
sharpetronics:2022-08
sharpetronics:2022-07a
sharpetronics:2022-07
sharpetronics:2022-06b
sharpetronics:2022-06a
sharpetronics:2022-06
sharpetronics:2022-05d
sharpetronics:2022-05c
sharpetronics:2022-05b
sharpetronics:2022-05a
sharpetronics:2022-05
sharpetronics:2022-04
sharpetronics:2022-03a
sharpetronics:2022-03
sharpetronics:2022-01a
sharpetronics:2022-01

2 Commits
28700cf9ff ... 3c24abc2e4

Author SHA1 Message Date
Hgamo
3c24abc2e4
Merge e42175ae6c699efee134915b9e79982deba32d93 into c51a769aecd3e7dff38662d97c72572bf1a5fd74 2025-09-29 23:05:07 +02:00
Hgamo
e42175ae6c
Implement OIDC logout support and configuration options Fixes #5774 2025-09-20 14:06:55 +02:00
6 changed files with 130 additions and 9 deletions
Show Stats Expand all files Collapse all files

20
data/conf/sogo/custom-sogo.js
View File

@ -7,13 +7,19 @@ document.addEventListener('DOMContentLoaded', function () {
}); });
// logout function // logout function
function mc_logout() { function mc_logout() {
fetch("/", { // Create and submit a logout form to trigger the logout process
method: "POST", var form = document.createElement('form');
headers: { form.method = 'POST';
"Content-Type": "application/x-www-form-urlencoded" form.action = '/';
},
body: "logout=1" var logoutInput = document.createElement('input');
}).then(() => window.location.href = '/'); logoutInput.type = 'hidden';
logoutInput.name = 'logout';
logoutInput.value = '1';
form.appendChild(logoutInput);
document.body.appendChild(form);
form.submit();
} }
// Custom SOGo JS // Custom SOGo JS

53
data/web/inc/functions.inc.php
View File

@ -2317,6 +2317,10 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
if (!array_key_exists('login_provisioning', $settings)) { if (!array_key_exists('login_provisioning', $settings)) {
$settings['login_provisioning'] = 1; $settings['login_provisioning'] = 1;
} }
// set end_session_url default if not exists
if (!array_key_exists('end_session_url', $settings)) {
$settings['end_session_url'] = '';
}
// return default client_scopes for generic-oidc if none is set // return default client_scopes for generic-oidc if none is set
if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){ if ($settings["authsource"] == "generic-oidc" && empty($settings["client_scopes"])){
$settings["client_scopes"] = "openid profile email mailcow_template"; $settings["client_scopes"] = "openid profile email mailcow_template";
@ -2391,6 +2395,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0; $_data['import_users'] = isset($_data['import_users']) ? intval($_data['import_users']) : 0;
$_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15; $_data['sync_interval'] = (!empty($_data['sync_interval'])) ? intval($_data['sync_interval']) : 15;
$_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval']; $_data['sync_interval'] = $_data['sync_interval'] < 1 ? 1 : $_data['sync_interval'];
$_data['end_session_url'] = (isset($_data['end_session_url']) && trim($_data['end_session_url']) !== '') ? trim($_data['end_session_url']) : null;
$required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error', 'login_provisioning'); $required_settings = array('authsource', 'server_url', 'realm', 'client_id', 'client_secret', 'redirect_url', 'version', 'mailpassword_flow', 'periodic_sync', 'import_users', 'sync_interval', 'ignore_ssl_error', 'login_provisioning');
break; break;
case "generic-oidc": case "generic-oidc":
@ -2398,6 +2403,7 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null; $_data['token_url'] = (!empty($_data['token_url'])) ? $_data['token_url'] : null;
$_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null; $_data['userinfo_url'] = (!empty($_data['userinfo_url'])) ? $_data['userinfo_url'] : null;
$_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email mailcow_template"; $_data['client_scopes'] = (!empty($_data['client_scopes'])) ? $_data['client_scopes'] : "openid profile email mailcow_template";
$_data['end_session_url'] = (isset($_data['end_session_url']) && trim($_data['end_session_url']) !== '') ? trim($_data['end_session_url']) : null;
$required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error', 'login_provisioning'); $required_settings = array('authsource', 'authorize_url', 'token_url', 'client_id', 'client_secret', 'redirect_url', 'userinfo_url', 'client_scopes', 'ignore_ssl_error', 'login_provisioning');
break; break;
case "ldap": case "ldap":
@ -2456,6 +2462,12 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
$stmt->execute(); $stmt->execute();
} }
// add end_session_url
$_data['end_session_url'] = (isset($_data['end_session_url']) && trim($_data['end_session_url']) !== '') ? trim($_data['end_session_url']) : "";
$stmt = $pdo->prepare("INSERT INTO identity_provider (`key`, `value`) VALUES ('end_session_url', :value) ON DUPLICATE KEY UPDATE `value` = VALUES(`value`);");
$stmt->bindParam(':value', $_data['end_session_url']);
$stmt->execute();
// add mappers // add mappers
if (isset($_data['mappers']) && isset($_data['templates'])){ if (isset($_data['mappers']) && isset($_data['templates'])){
$_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers']; $_data['mappers'] = (!is_array($_data['mappers'])) ? array($_data['mappers']) : $_data['mappers'];
@ -2774,6 +2786,11 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
set_user_loggedin_session($info['email']); set_user_loggedin_session($info['email']);
$_SESSION['iam_token'] = $plain_token; $_SESSION['iam_token'] = $plain_token;
$_SESSION['iam_refresh_token'] = $plain_refreshtoken; $_SESSION['iam_refresh_token'] = $plain_refreshtoken;
$_SESSION['iam_auth_source'] = $iam_settings['authsource'];
// Store ID token if available for logout
if (isset($token->getValues()['id_token'])) {
$_SESSION['iam_id_token'] = $token->getValues()['id_token'];
}
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'success', 'type' => 'success',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@ -2850,6 +2867,11 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
set_user_loggedin_session($info['email']); set_user_loggedin_session($info['email']);
$_SESSION['iam_token'] = $plain_token; $_SESSION['iam_token'] = $plain_token;
$_SESSION['iam_refresh_token'] = $plain_refreshtoken; $_SESSION['iam_refresh_token'] = $plain_refreshtoken;
$_SESSION['iam_auth_source'] = $iam_settings['authsource'];
// Store ID token if available for logout
if (isset($token->getValues()['id_token'])) {
$_SESSION['iam_id_token'] = $token->getValues()['id_token'];
}
$_SESSION['return'][] = array( $_SESSION['return'][] = array(
'type' => 'success', 'type' => 'success',
'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']), 'log' => array(__FUNCTION__, $_SESSION['mailcow_cc_username'], $_SESSION['mailcow_cc_role']),
@ -2963,6 +2985,37 @@ function identity_provider($_action = null, $_data = null, $_extra = null) {
)); ));
return $res['access_token']; return $res['access_token'];
break; break;
case "get-logout-url":
// Generate logout URL for OIDC providers
if ($iam_settings['authsource'] != 'keycloak' && $iam_settings['authsource'] != 'generic-oidc') {
return false;
}
// Build the logout URL according to oidc spec
// If end_session_url is empty, OIDC logout is disabled
if (empty($iam_settings['end_session_url'])) {
return false;
}
$post_logout_redirect_uri = (!empty($_data['post_logout_redirect_uri'])) ? $_data['post_logout_redirect_uri'] : null;
$params = [];
if ($post_logout_redirect_uri) {
$params['post_logout_redirect_uri'] = $post_logout_redirect_uri;
}
// Add id_token_hint if available in session
if (isset($_SESSION['iam_id_token'])) {
$params['id_token_hint'] = $_SESSION['iam_id_token'];
}
$logout_url = $iam_settings['end_session_url'];
if (!empty($params)) {
$logout_url .= '?' . http_build_query($params);
}
return $logout_url;
break;
} }
} }
function reset_password($action, $data = null) { function reset_password($action, $data = null) {

36
data/web/inc/sessions.inc.php
View File

@ -112,12 +112,44 @@ if (isset($_POST["logout"])) {
} }
else { else {
$role = $_SESSION["mailcow_cc_role"]; $role = $_SESSION["mailcow_cc_role"];
// Check if user was authenticated via OIDC and OIDC logout is enabled
$oidc_logout_url = null;
if (isset($_SESSION['iam_auth_source']) && ($_SESSION['iam_auth_source'] == 'keycloak' || $_SESSION['iam_auth_source'] == 'generic-oidc')) {
require_once $_SERVER['DOCUMENT_ROOT'] . '/inc/functions.inc.php';
// Determine the schema
$schema = 'http';
if ((isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == "https") ||
isset($_SERVER['HTTPS'])) {
$schema = 'https';
}
// Determine post-logout redirect URI based on role
$post_logout_redirect_uri = $schema . '://' . $_SERVER['HTTP_HOST'];
if ($role == "admin") {
$post_logout_redirect_uri .= '/admin';
} elseif ($role == "domainadmin") {
$post_logout_redirect_uri .= '/domainadmin';
} else {
$post_logout_redirect_uri .= '/';
}
$iam_provider = identity_provider('init');
$iam_settings = identity_provider('get');
$oidc_logout_url = identity_provider('get-logout-url', array('post_logout_redirect_uri' => $post_logout_redirect_uri));
}
session_regenerate_id(true); session_regenerate_id(true);
session_unset(); session_unset();
session_destroy(); session_destroy();
session_write_close(); session_write_close();
if ($role == "admin") {
header("Location: /admin"); // Redirect to OIDC logout URL if available, otherwise use standard logout
if ($oidc_logout_url) {
header("Location: " . $oidc_logout_url);
} elseif($role == "admin") {
header("Location: /admin");
} }
elseif ($role == "domainadmin") { elseif ($role == "domainadmin") {
header("Location: /domainadmin"); header("Location: /domainadmin");

2
data/web/lang/lang.de-de.json
View File

@ -243,6 +243,8 @@
"iam_test_connection": "Verbindung Testen", "iam_test_connection": "Verbindung Testen",
"iam_token_url": "Token Endpunkt", "iam_token_url": "Token Endpunkt",
"iam_userinfo_url": "User info Endpunkt", "iam_userinfo_url": "User info Endpunkt",
"iam_end_session_url": "End-Session-Endpunkt",
"iam_end_session_url_info": "URL für RP-Initiated Logout nach OpenID Connect Spezifikation. Leer lassen, um OIDC-Logout zu deaktivieren.",
"iam_username_field": "Username Feld", "iam_username_field": "Username Feld",
"iam_binddn": "Bind DN", "iam_binddn": "Bind DN",
"iam_use_ssl": "Benutze SSL", "iam_use_ssl": "Benutze SSL",

2
data/web/lang/lang.en-gb.json
View File

@ -250,6 +250,8 @@
"iam_test_connection": "Test Connection", "iam_test_connection": "Test Connection",
"iam_token_url": "Token endpoint", "iam_token_url": "Token endpoint",
"iam_userinfo_url": "User info endpoint", "iam_userinfo_url": "User info endpoint",
"iam_end_session_url": "End session endpoint",
"iam_end_session_url_info": "URL for RP-Initiated Logout according to OpenID Connect specification. Leave empty to disable OIDC logout.",
"iam_username_field": "Username Field", "iam_username_field": "Username Field",
"iam_binddn": "Bind DN", "iam_binddn": "Bind DN",
"iam_use_ssl": "Use SSL", "iam_use_ssl": "Use SSL",

26
data/web/templates/admin/tab-config-identity-provider.twig
View File

@ -257,6 +257,19 @@
<input class="form-control" type="number" min="1" name="sync_interval" style="width: 80px;" {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}> <input class="form-control" type="number" min="1" name="sync_interval" style="width: 80px;" {% if iam_settings.sync_interval %}value="{{ iam_settings.sync_interval }}"{% else %}value="15"{% endif %}>
</div> </div>
</div> </div>
<div class="row mb-2">
<div class="col-md-3 d-flex align-items-center justify-content-md-end">
<label class="control-label" for="iam_keycloak_end_session_url">{{ lang.admin.iam_end_session_url }}:</label>
</div>
<div class="col-12 col-md-9 col-lg-4">
<input type="text" class="form-control" id="iam_keycloak_end_session_url" name="end_session_url" value="{{ iam_settings.end_session_url }}" placeholder="https://keycloak.example.com/realms/mailcow/protocol/openid-connect/logout">
<p class="text-muted">
<small>
{{ lang.admin.iam_end_session_url_info }}
</small>
</p>
</div>
</div>
<div class="row mt-4 mb-2"> <div class="row mt-4 mb-2">
<div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap"> <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
<div class="btn-group mb-2"> <div class="btn-group mb-2">
@ -460,6 +473,19 @@
</div> </div>
</div> </div>
</div> </div>
<div class="row mb-4">
<div class="col-md-3 d-flex align-items-center justify-content-md-end">
<label class="control-label" for="iam_generic_end_session_url">{{ lang.admin.iam_end_session_url }}:</label>
</div>
<div class="col-12 col-md-9 col-lg-4">
<input type="text" class="form-control" id="iam_generic_end_session_url" name="end_session_url" value="{{ iam_settings.end_session_url }}" placeholder="https://auth.example.com/connect/endsession">
<p class="text-muted">
<small>
{{ lang.admin.iam_end_session_url_info }}
</small>
</p>
</div>
</div>
<div class="row mt-4 mb-2"> <div class="row mt-4 mb-2">
<div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap"> <div class="offset-md-3 col-12 col-md-9 d-flex flex-wrap">
<div class="btn-group mb-2"> <div class="btn-group mb-2">