I am trying to find an SSO solution for Keycloak and “OX AppSuite”. When starting “OX AppSuite” via the UCS portal, now I have the following problem:
A new browser window is started. The URL in the address bar changes permanently; the mail browser is not started.

The test system has the following prerequisites in a local network:
Univentionserver UCS 5.0-8.
Installiert sind die Apps:
Keycloak 25.0.1-ucs2
OX App Suite 7.10.6-ucs11
OX Connector 2.2.7
Mailserver 12.0
Fetchmail 6.3.26
Domain of the UCS-Server: https://ucs-2700.opa.intranet/
OX App Suite: https://ucs-2700.opa.intranet/appsuite/

The following ClientID was configured with Keycloak: my-openxchange.
See the configuration in my-openxchange.json

The OpenID Endpoint Configuration: https://ucs-sso-ng.opa.intranet/real...-configuration
Code:
{
  "issuer": "https://ucs-sso-ng.opa.intranet/realms/ucs",
  "authorization_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/auth",
  "token_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/token",
  "introspection_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/token/introspect",
  "userinfo_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/userinfo",
  "end_session_endpoint": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/logout",
  "frontchannel_logout_session_supported": true,
  "frontchannel_logout_supported": true,
  "jwks_uri": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/certs",
  "check_session_iframe": "https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/login-status-iframe.html",
  "grant_types_supported": [
    "authorization_code",
    "implicit",
    "refresh_token",
    "password",
    "client_credentials",
    "urn:openid:params:grant-type:ciba",
    "urn:ietf:params:oauth:grant-type:device_code"
  ],
....​
Below are my customized or newly created configuration files:
/etc/dovecot/conf.d/91-acl_user.conf:
Code:
plugin {
 acl_user = %u
}​
/opt/open-xchange/etc/as-config.yml:
Code:
default:
    host: all
    oidcLogin: true
    oidcPath: /oidc​
/opt/open-xchange/etc/oidc.properties
Code:
com.openexchange.oidc.enabled=true
com.openexchange.oidc.startDefaultBackend=true
com.openexchange.oidc.hosts=https://ucs-2700.opa.intranet/appsuite/
com.openexchange.oidc.ssoLogout=true
com.openexchange.oidc.clientId=my-openxchange
com.openexchange.oidc.clientSecret=ty5a5aILHAXthSNDC2P3h9Ga59Kc6zhZ
com.openexchange.oidc.rpRedirectURIAuth=https://ucs-2700.opa.intranet/appsuite/
com.openexchange.oidc.rpRedirectURIPostSSOLogout=https://ucs-2700.opa.intranet/appsuite/
com.openexchange.oidc.opIssuer=https://ucs-sso-ng.opa.intranet/realms/ucs
com.openexchange.oidc.opAuthorizationEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/auth
com.openexchange.oidc.opTokenEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/token
com.openexchange.oidc.opJwkSetEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/certs
com.openexchange.oidc.opLogoutEndpoint=https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/logout
com.openexchange.oidc.uiWebPath=https://ucs-2700.opa.intranet/appsuite/
com.openexchange.oidc.failureRedirect=https://ucs-2700.opa.intranet/appsuite/
com.openexchange.oidc.enablePasswordGrant=true
com.openexchange.oidc.passwordGrantUserNamePart=local-part
com.openexchange.oidc.contextLookupClaim=email
com.openexchange.oidc.userLookupClaim=email
com.openexchange.oidc.scope=openid
com.openexchange.oidc.responseType=code
com.openexchange.oidc.contextLookupNamePart=domain
com.openexchange.oidc.userLookupNamePart=local-part
com.openexchange.oidc.oauthRefreshTime=6000​
/opt/open-xchange/etc/logback.xml
Code:
...
  <logger name="com.openexchange.login.internal.LoginPerformer" level="ALL"/>
  <logger name="com.openexchange.sessiond.impl.SessionHandler" level="ALL"/>
...​
And here some more Variables,

created according to the specifications of
https://oxpedia.org/wiki/index.php?t...O_with_OX_App_ Suite
Code:
ox/cfg/mailfilter.properties/com.openexchange.mail.filter.masterPassword="@&@/etc/dovecot-master.secret@&@"
ox/cfg/mail.properties/com.openexchange.mail.masterPassword="@&@/etc/dovecot-master.secret@&@"
ox/cfg/mailfilter.properties/com.openexchange.mail.filter.loginType='global'
ox/cfg/mailfilter.properties/com.openexchange.mail.filter.passwordSource='global'
ox/cfg/mail.properties/com.openexchange.mail.mailServerSource='global'
ox/cfg/mail.properties/com.openexchange.mail.passwordSource='global'
ox/cfg/sessiond.properties/com.openexchange.sessiond.autologin='false'​


And the master password is in /etc/dovecot/master-users as well as in /etc/dovecot-master.secret

Below are the individual tokens (from Keycloak) for the user “Administrator”
Code:
Generated access token
{
  "exp": 1730390269,
  "iat": 1730389969,
  "jti": "602a3632-3163-4d15-97c1-952f4c0007ef",
  "iss": "https://ucs-sso-ng.opa.intranet/realms/ucs",
  "aud": "account",
  "sub": "dcc21ae2-2e71-45b9-9a13-4fa974829738",
  "typ": "Bearer",
  "azp": "my-openxchange",
  "session_state": "38d68b66-e7d3-4318-88ee-827186df382b",
  "acr": "1",
  "allowed-origins": [
    "https://ucs-2700.opa.intranet/appsuite/"
  ],
  "realm_access": {
    "roles": [
      "default-roles-ucs",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email",
  "sid": "38d68b66-e7d3-4318-88ee-827186df382b",
  "uid": "Administrator",
  "email_verified": false,
  "email": "admin@opa.intranet",
  "derMemberOf": "cn=Domain Admins,cn=groups,dc=opa,dc=intranet"
}​
Code:
Generated ID token
{
  "exp": 1730390269,
  "iat": 1730389969,
  "auth_time": 0,
  "jti": "14988f12-c5ee-4151-918a-5aa6cffd8bd3",
  "iss": "https://ucs-sso-ng.opa.intranet/realms/ucs",
  "aud": "my-openxchange",
  "sub": "dcc21ae2-2e71-45b9-9a13-4fa974829738",
  "typ": "ID",
  "azp": "my-openxchange",
  "session_state": "8df9d9b4-9c03-4d96-b921-d0d3a7f3ca3c",
  "acr": "1",
  "sid": "8df9d9b4-9c03-4d96-b921-d0d3a7f3ca3c",
  "uid": "Administrator",
  "email_verified": false,
  "email": "admin@opa.intranet",
  "derMemberOf": "cn=Domain Admins,cn=groups,dc=opa,dc=intranet"
}​
Code:
Generated user info
{
  "sub": "dcc21ae2-2e71-45b9-9a13-4fa974829738",
  "uid": "Administrator",
  "email_verified": false,
  "email": "admin@opa.intranet",
  "derMemberOf": "cn=Domain Admins,cn=groups,dc=opa,dc=intranet"
}​
With the help of a browser development tool I can determine the following (recurring) URLs; here an example:

Code:
[B]manifest:[/B]
https://ucs-2700.opa.intranet/appsuite/api/apps/manifests?action=config&version=7.10.6-20.20221018.014235
Status Code: 200 OK

Payload:
action: config
version: 7.10.6-20.20221018.014235

[B]login:[/B]
https://ucs-2700.opa.intranet/appsuite/api/login?action=autologin&client=open-xchange-appsuite&rampup=true&rampUpFor=open-xchange-appsuite&version=7.10.6-20
Status Code: 200 OK

Payload:
action: autologin
client: open-xchange-appsuite
rampup: true
rampUpFor: open-xchange-appsuite
version: 7.10.6-20

[B]init:[/B]
https://ucs-2700.opa.intranet/appsuite/api/oidc/init?flow=login&redirect=true&client=open-xchange-appsuite&version=7.10.6-20
Status Code: 302 Found

Payload:
flow: login
redirect: true
client: open-xchange-appsuite
version: 7.10.6-20

[B]auth:[/B]
https://ucs-sso-ng.opa.intranet/realms/ucs/protocol/openid-connect/auth?response_type=code&client_id=my-openxchange&redirect_uri=https%3A%2F%2Fucs-2700.opa.intranet%2Fappsuite%2F&scope=openid&state=lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8&nonce=0CzKgpOjd6C2fBCcIQY2B7ph7DK6Kbq3Lp5G7dMZkNM
Status Code: 302 Found

Payload:
response_type: code
client_id: my-openxchange
redirect_uri: https://ucs-2700.opa.intranet/appsuite/
scope: openid
state: lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8
nonce: 0CzKgpOjd6C2fBCcIQY2B7ph7DK6Kbq3Lp5G7dMZkNM

[B]appsuite:[/B]
https://ucs-2700.opa.intranet/appsuite/?state=lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8&session_state=f42b7d97-99e9-4d6c-890b-093b79ec3dfb&iss=https%3A%2F%2Fucs-sso-ng.opa.intranet%2Frealms%2Fucs&code=e9109663-4c33-4a90-aae2-5b0f5727a6a8.f42b7d97-99e9-4d6c-890b-093b79ec3dfb.0942cbb1-a610-40d7-8f6d-220b113d168c
Status Code: 200 OK


Payload:
state: lR72kuQQpFY-2U-q0xS8XcbTF0E8NsdFBKEi1eEc9m8
session_state: f42b7d97-99e9-4d6c-890b-093b79ec3dfb
iss: https://ucs-sso-ng.opa.intranet/realms/ucs
code: e9109663-4c33-4a90-aae2-5b0f5727a6a8.f42b7d97-99e9-4d6c-890b-093b79ec3dfb.0942cbb1-a610-40d7-8f6d-220b113d168c

....
Than another manifest-URL starts again!​
/var/log/open-xchange/open-xchange.log:
Code:
...
2024-10-31T16:49:49,890+0100 DEBUG [OXWorker-0000007] org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:263)
after execute filter. filter=TransportFilter@3fc1b2c context=FilterChainContext [connection=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, closeable=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, operation=EVENT, message=null, address=/127.0.0.1:34692] nextAction=org.glassfish.grizzly.filterchain.InvokeAction@3510ff7e
 com.openexchange.grizzly.method=GET
 com.openexchange.grizzly.queryString=flow=login&redirect=true&client=open-xchange-appsuite&version=7.10.6-20
 com.openexchange.grizzly.remoteAddress=192.168.0.206
 com.openexchange.grizzly.remotePort=34692
 com.openexchange.grizzly.requestURI=/ajax/oidc/init
 com.openexchange.grizzly.serverName=ucs-2700.opa.intranet
 com.openexchange.grizzly.servletPath=/ajax/oidc/init
 com.openexchange.grizzly.session=1944230380127667449.APP1
 com.openexchange.grizzly.threadName=OXWorker-0000007
 com.openexchange.grizzly.userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
 com.openexchange.localhost.ipAddress=192.168.0.202
 com.openexchange.localhost.version=7.10.6-Rev22
 com.openexchange.request.trackingId=1768283863-884142011
2024-10-31T16:49:49,890+0100 DEBUG [OXWorker-0000007] org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:263)
after execute filter. filter=OXHttpServerFilter@2ec13c23 context=FilterChainContext [connection=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, closeable=TCPNIOConnection{localSocketAddress={/127.0.0.1:8009}, peerSocketAddress={/127.0.0.1:34692}}, operation=READ, message=org.glassfish.grizzly.http.server.OXResponse@62f3cd29, address=/127.0.0.1:34692] nextAction=org.glassfish.grizzly.filterchain.StopAction@7236e49
 com.openexchange.grizzly.method=GET
 com.openexchange.grizzly.queryString=flow=login&redirect=true&client=open-xchange-appsuite&version=7.10.6-20
 com.openexchange.grizzly.remoteAddress=192.168.0.206
 com.openexchange.grizzly.remotePort=34692
 com.openexchange.grizzly.requestURI=/ajax/oidc/init
 com.openexchange.grizzly.serverName=ucs-2700.opa.intranet
 com.openexchange.grizzly.servletPath=/ajax/oidc/init
 com.openexchange.grizzly.session=1944230380127667449.APP1
 com.openexchange.grizzly.threadName=OXWorker-0000007
 com.openexchange.grizzly.userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.36
 com.openexchange.localhost.ipAddress=192.168.0.202
 com.openexchange.localhost.version=7.10.6-Rev22
 com.openexchange.request.trackingId=1768283863-884142011
...​
I've been dealing with this problem for several weeks and I can't find a solution.
I have no more ideas!

Can anyone help me?
Many thanks in advance.