I am trying to find an SSO solution for Keycloak and “OX AppSuite”. When starting “OX AppSuite” via the UCS portal, now I have the following problem:
A new browser window is started. The URL in the address bar changes permanently; the mail browser is not started.
The test system has the following prerequisites in a local network:
Univentionserver UCS 5.0-8.
Installiert sind die Apps:
Keycloak 25.0.1-ucs2
OX App Suite 7.10.6-ucs11
OX Connector 2.2.7
Mailserver 12.0
Fetchmail 6.3.26
Domain of the UCS-Server: https://ucs-2700.opa.intranet/
OX App Suite: https://ucs-2700.opa.intranet/appsuite/
The following ClientID was configured with Keycloak: my-openxchange.
See the configuration in my-openxchange.json
The OpenID Endpoint Configuration: https://ucs-sso-ng.opa.intranet/real...-configuration
Below are my customized or newly created configuration files:
/etc/dovecot/conf.d/91-acl_user.conf:
/opt/open-xchange/etc/as-config.yml:
/opt/open-xchange/etc/oidc.properties
/opt/open-xchange/etc/logback.xml
And here some more Variables,
created according to the specifications of
https://oxpedia.org/wiki/index.php?t...O_with_OX_App_ Suite
And the master password is in /etc/dovecot/master-users as well as in /etc/dovecot-master.secret
Below are the individual tokens (from Keycloak) for the user “Administrator”
With the help of a browser development tool I can determine the following (recurring) URLs; here an example:
/var/log/open-xchange/open-xchange.log:
I've been dealing with this problem for several weeks and I can't find a solution.
I have no more ideas!
Can anyone help me?
Many thanks in advance.
A new browser window is started. The URL in the address bar changes permanently; the mail browser is not started.
The test system has the following prerequisites in a local network:
Univentionserver UCS 5.0-8.
Installiert sind die Apps:
Keycloak 25.0.1-ucs2
OX App Suite 7.10.6-ucs11
OX Connector 2.2.7
Mailserver 12.0
Fetchmail 6.3.26
Domain of the UCS-Server: https://ucs-2700.opa.intranet/
OX App Suite: https://ucs-2700.opa.intranet/appsuite/
The following ClientID was configured with Keycloak: my-openxchange.
See the configuration in my-openxchange.json
The OpenID Endpoint Configuration: https://ucs-sso-ng.opa.intranet/real...-configuration
Code:
{ "issuer": "https://ucs-sso-ng.opa.intranet/realms/ucs", "authorization_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/auth", "token_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/token", "introspection_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/token/introspect", "userinfo_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/userinfo", "end_session_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/logout", "frontchannel_logout_session_supported": true, "frontchannel_logout_supported": true, "jwks_uri": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/certs", "check_session_iframe": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/login-status-iframe.html", "grant_types_supported": [ "authorization_code", "implicit", "refresh_token", "password", "client_credentials", "urn:openid:params:grant-type:ciba", "urn:ietf:params:oauth:grant-type:device_code" ], ....
/etc/dovecot/conf.d/91-acl_user.conf:
Code:
plugin { acl_user = %u }
Code:
default: host: all oidcLogin: true oidcPath: /oidc
Code:
com.openexchange.oidc.enabled=true com.openexchange.oidc.startDefaultBackend=true com.openexchange.oidc.hosts=https://ucs-2700.opa.intranet/appsuite/ com.openexchange.oidc.ssoLogout=true com.openexchange.oidc.clientId=my-openxchange com.openexchange.oidc.clientSecret=ty5a5aILHAXthSNDC2P3h9Ga59Kc6zhZ com.openexchange.oidc.rpRedirectURIAuth=https://ucs-2700.opa.intranet/appsuite/ com.openexchange.oidc.rpRedirectURIPostSSOLogout=https://ucs-2700.opa.intranet/appsuite/ com.openexchange.oidc.opIssuer=https://ucs-sso-ng.opa.intranet/realms/ucs com.openexchange.oidc.opAuthorizationEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/auth com.openexchange.oidc.opTokenEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/token com.openexchange.oidc.opJwkSetEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/certs com.openexchange.oidc.opLogoutEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/logout com.openexchange.oidc.uiWebPath=https://ucs-2700.opa.intranet/appsuite/ com.openexchange.oidc.failureRedirect=https://ucs-2700.opa.intranet/appsuite/ com.openexchange.oidc.enablePasswordGrant=true com.openexchange.oidc.passwordGrantUserNamePart=local-part com.openexchange.oidc.contextLookupClaim=email com.openexchange.oidc.userLookupClaim=email com.openexchange.oidc.scope=openid com.openexchange.oidc.responseType=code com.openexchange.oidc.contextLookupNamePart=domain com.openexchange.oidc.userLookupNamePart=local-part com.openexchange.oidc.oauthRefreshTime=6000
Code:
... <logger name="com.openexchange.login.internal.LoginPerformer" level="ALL"/> <logger name="com.openexchange.sessiond.impl.SessionHandler" level="ALL"/> ...
created according to the specifications of
https://oxpedia.org/wiki/index.php?t...O_with_OX_App_ Suite
Code:
ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@" ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@" ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global' ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global' ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global' ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global' ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'
And the master password is in /etc/dovecot/master-users as well as in /etc/dovecot-master.secret
Below are the individual tokens (from Keycloak) for the user “Administrator”
Code:
Generated access token { "exp": 1730390269, "iat": 1730389969, "jti": "602a3632-3163-4d15-97c1-952f4c0007ef", "iss": "https://ucs-sso-ng.opa.intranet/realms/ucs", "aud": "account", "sub": "dcc21ae2-2e71-45b9-9a13-4fa974829738", "typ": "Bearer", "azp": "my-openxchange", "session_state": "38d68b66-e7d3-4318-88ee-827186df382b", "acr": "1", "allowed-origins": [ "https://ucs-2700.opa.intranet/appsuite/" ], "realm_access": { "roles": [ "default-roles-ucs", "offline_access", "uma_authorization" ] }, "resource_access": { "account": { "roles": [ "manage-account", "manage-account-links", "view-profile" ] } }, "scope": "openid email", "sid": "38d68b66-e7d3-4318-88ee-827186df382b", "uid": "Administrator", "email_verified": false, "email": "admin@opa.intranet", "derMemberOf": "cn=Domain Admins,cn=groups,dc=opa,dc=intranet" }
Code:
Generated ID token { "exp": 1730390269, "iat": 1730389969, "auth_time": 0, "jti": "14988f12-c5ee-4151-918a-5aa6cffd8bd3", "iss": "https://ucs-sso-ng.opa.intranet/realms/ucs", "aud": "my-openxchange", "sub": "dcc21ae2-2e71-45b9-9a13-4fa974829738", "typ": "ID", "azp": "my-openxchange", "session_state": "8df9d9b4-9c03-4d96-b921-d0d3a7f3ca3c", "acr": "1", "sid": "8df9d9b4-9c03-4d96-b921-d0d3a7f3ca3c", "uid": "Administrator", "email_verified": false, "email": "admin@opa.intranet", "derMemberOf": "cn=Domain Admins,cn=groups,dc=opa,dc=intranet" }
Code:
Generated user info { "sub": "dcc21ae2-2e71-45b9-9a13-4fa974829738", "uid": "Administrator", "email_verified": false, "email": "admin@opa.intranet", "derMemberOf": "cn=Domain Admins,cn=groups,dc=opa,dc=intranet" }
Code:
[B]manifest:[/B] https://ucs-2700.opa.intranet/appsuite/api/apps/manifests?action=config&version=7.10.6-20.20221018.014235 Status Code: 200 OK Payload: action: config version: 7.10.6-20.20221018.014235 [B]login:[/B] https://ucs-2700.opa.intranet/appsuite/api/login?action=autologin&client=open-xchange-appsuite&rampup=true&rampUpFor=open-xchange-appsuite&version=7.10.6-20 Status Code: 200 OK Payload: action: autologin client: open-xchange-appsuite rampup: true rampUpFor: open-xchange-appsuite version: 7.10.6-20 [B]init:[/B] https://ucs-2700.opa.intranet/appsuite/api/oidc/init?flow=login&redirect=true&client=open-xchange-appsuite&version=7.10.6-20 Status Code: 302 Found Payload: flow: login redirect: true client: open-xchange-appsuite version: 7.10.6-20 [B]auth:[/B] https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/auth?response_type=code&client_id=my-openxchange&redirect_uri=https%3A%2F%2Fucs-2700.opa.intranet%2Fappsuite%2F&scope=openid&state=lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8&nonce=0CzKgpOjd6C2fBCcIQY2B7ph7DK6Kbq3Lp5G7dMZkNM Status Code: 302 Found Payload: response_type: code client_id: my-openxchange redirect_uri: https://ucs-2700.opa.intranet/appsuite/ scope: openid state: lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8 nonce: 0CzKgpOjd6C2fBCcIQY2B7ph7DK6Kbq3Lp5G7dMZkNM [B]appsuite:[/B] https://ucs-2700.opa.intranet/appsuite/?state=lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8&session_state=f42b7d97-99e9-4d6c-890b-093b79ec3dfb&iss=https%3A%2F%2Fucs-sso-ng.opa.intranet%2Frealms%2Fucs&code=e9109663-4c33-4a90-aae2-5b0f5727a6a8.f42b7d97-99e9-4d6c-890b-093b79ec3dfb.0942cbb1-a610-40d7-8f6d-220b113d168c Status Code: 200 OK Payload: state: lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8 session_state: f42b7d97-99e9-4d6c-890b-093b79ec3dfb iss: https://ucs-sso-ng.opa.intranet/realms/ucs code: e9109663-4c33-4a90-aae2-5b0f5727a6a8.f42b7d97-99e9-4d6c-890b-093b79ec3dfb.0942cbb1-a610-40d7-8f6d-220b113d168c .... Than another manifest-URL starts again!
Code:
... 2024-10-31T16:49:49,890+0100 DEBUG [OXWorker-0000007] org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:263) after execute filter. filter=TransportFilter@3fc1b2c context=FilterChainContext [connection=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, closeable=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, operation=EVENT, message=null, address=/127.0.0.1:34692] nextAction=org.glassfish.grizzly.filterchain.InvokeAction@3510ff7e com.openexchange.grizzly.method=GET com.openexchange.grizzly.queryString=flow=login&redirect=true&client=open-xchange-appsuite&version=7.10.6-20 com.openexchange.grizzly.remoteAddress=192.168.0.206 com.openexchange.grizzly.remotePort=34692 com.openexchange.grizzly.requestURI=/ajax/oidc/init com.openexchange.grizzly.serverName=ucs-2700.opa.intranet com.openexchange.grizzly.servletPath=/ajax/oidc/init com.openexchange.grizzly.session=1944230380127667449.APP1 com.openexchange.grizzly.threadName=OXWorker-0000007 com.openexchange.grizzly.userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 com.openexchange.localhost.ipAddress=192.168.0.202 com.openexchange.localhost.version=7.10.6-Rev22 com.openexchange.request.trackingId=1768283863-884142011 2024-10-31T16:49:49,890+0100 DEBUG [OXWorker-0000007] org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:263) after execute filter. filter=OXHttpServerFilter@2ec13c23 context=FilterChainContext [connection=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, closeable=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, operation=READ, message=org.glassfish.grizzly.http.server.OXResponse@62f3cd29, address=/127.0.0.1:34692] nextAction=org.glassfish.grizzly.filterchain.StopAction@7236e49 com.openexchange.grizzly.method=GET com.openexchange.grizzly.queryString=flow=login&redirect=true&client=open-xchange-appsuite&version=7.10.6-20 com.openexchange.grizzly.remoteAddress=192.168.0.206 com.openexchange.grizzly.remotePort=34692 com.openexchange.grizzly.requestURI=/ajax/oidc/init com.openexchange.grizzly.serverName=ucs-2700.opa.intranet com.openexchange.grizzly.servletPath=/ajax/oidc/init com.openexchange.grizzly.session=1944230380127667449.APP1 com.openexchange.grizzly.threadName=OXWorker-0000007 com.openexchange.grizzly.userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36 com.openexchange.localhost.ipAddress=192.168.0.202 com.openexchange.localhost.version=7.10.6-Rev22 com.openexchange.request.trackingId=1768283863-884142011 ...
I have no more ideas!
Can anyone help me?
Many thanks in advance.