Skip to content

feat: generic OIDC/XOAUTH2 support for individual mail accounts#13317

Open
LeahAuroraV wants to merge 2 commits into
nextcloud:mainfrom
LeahAuroraV:feat/oidc-individual
Open

feat: generic OIDC/XOAUTH2 support for individual mail accounts#13317
LeahAuroraV wants to merge 2 commits into
nextcloud:mainfrom
LeahAuroraV:feat/oidc-individual

Conversation

@LeahAuroraV

@LeahAuroraV LeahAuroraV commented Jul 18, 2026

Copy link
Copy Markdown

Individual OIDC / XOAUTH2 support

Follow-up to #13311. In the review Christoph suggested "getting individual OIDC support in first and closing #12491", and then building the provisioning on top of that. So here's generic oidc for nextcloud mail.

It's basically the same idea as the Google/Microsoft integrations that already exist, just generalised to any OIDC provider. An admin registers one or more providers in the groupware admin settings (client id + secret, a discovery url or the endpoints directly, imap/smtp servers). When a user adds a mail account whose email domain matches one of those, mail pre-fills the servers and opens the consent popup, the code gets exchanged server-side and the account authenticates over XOAUTH2 with no stored password. tokens get refreshed via the stored refresh token for background/cron sync, same as google/ms.

Testing

Developed against authentik with dovecot + postfix set up to accept XOAUTH2. Verified the whole thing locally: add account -> popup -> consent -> imap sync + smtp send, then force-expire the token and confirm background refresh still works.
There's a documentation file that described how to get a test envionment up and running in doc/oidc-xoauth2.md.

Changes

  • New mail_oidc_providers table + OidcProvider entity/mapper (email domain, separate imap/smtp host/port/ssl, client id/secret, discovery url or manual endpoints, scopes)
  • OidcIntegration service: discovery fetch + cache (or manual endpoints), auth-code exchange, token refresh, provider CRUD (secret encrypted at rest)
  • OidcIntegrationController + routes: admin CRUD, the authorize redirect (resolves discovery server-side and 302s to the idp) and the oauth callback, reusing OauthStateService
  • OauthTokenRefreshListener: refresh the oidc token before imap connect, next to the google/ms branches
  • Admin UI to manage providers + AccountForm email-domain detection -> pre-fill + sso popup
  • Docs + Unit Tests

closes #12491

🤖 AI (if applicable)

  • The content of this PR was partly or fully generated using AI

Let an administrator register OpenID Connect providers so users whose email
domain matches can authenticate their IMAP/SMTP connection over XOAUTH2 via an
interactive authorization-code flow, instead of storing a password. This
generalises the existing Google and Microsoft integrations to any OIDC
provider (Keycloak, Authentik, Stalwart, ...).

- New `mail_oidc_providers` table with `OidcProvider` entity and mapper
  (matched to accounts by the user's email domain; separate IMAP/SMTP
  host/port/SSL, client id/secret, discovery URL or manual endpoints, scopes).
- `OidcIntegration` service: discovery fetch and cache (or admin-defined
  endpoints), authorization-code exchange, cron-safe token refresh, and
  provider CRUD with the client secret encrypted at rest.
- `OidcIntegrationController` and routes: admin CRUD, the authorize redirect
  that resolves discovery server-side, and the OAuth callback, reusing
  `OauthStateService`.
- `OauthTokenRefreshListener`: refresh the OIDC token before IMAP connect,
  mirroring the Google/Microsoft branches.
- Admin UI (`OidcAdminSettings` / `OidcProviderForm`) to manage 0..n providers
  and `AccountForm` email-domain detection that pre-fills the mail servers and
  opens the SSO consent popup.
- Documentation and unit tests.

Two deliberate divergences from the reviewer's earlier sketch, to be flagged on
the PR: multiple providers (0..n) rather than a single global config, and
matching by email domain rather than IMAP hostname.

Closes nextcloud#12491

Assisted-by: Claude:claude-opus-4-8
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Leah <leahvenema@hotmail.com>
@welcome

welcome Bot commented Jul 18, 2026

Copy link
Copy Markdown

Thanks for opening your first pull request in this repository! ✌️

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

OAuth2 support for mail app

1 participant