No description
  • PHP 86.8%
  • JavaScript 13.2%
Find a file
Josh Quinlan 2485515242
v0.5.0: repair stale pgpmime capability so Mailvelope decrypts at-rest mail
Roundcube caches whether the browser supports PGP/MIME (Mailvelope) in the
session and only re-detects when it is undefined; a 0 cached before Mailvelope
loaded sticks across reloads, so encrypted mail shows the static placeholder
forever. Ship mailvelope_caps.js (mail task) that forces the capability on
whenever window.mailvelope is present and re-renders an already-open message.
2026-06-25 04:54:46 +01:00
.gitignore Initial release: extract roundcube-albient-sso from albient.mailstack 2026-06-24 22:34:23 +01:00
albient_sso.php v0.5.0: repair stale pgpmime capability so Mailvelope decrypts at-rest mail 2026-06-25 04:54:46 +01:00
CHANGELOG.md v0.3.0: stash OIDC access token for the account-settings plugin 2026-06-25 01:07:32 +01:00
composer.json v0.3.0: stash OIDC access token for the account-settings plugin 2026-06-25 01:07:32 +01:00
LICENSE Initial release: extract roundcube-albient-sso from albient.mailstack 2026-06-24 22:34:23 +01:00
mailvelope_caps.js v0.5.0: repair stale pgpmime capability so Mailvelope decrypts at-rest mail 2026-06-25 04:54:46 +01:00
README.md Initial release: extract roundcube-albient-sso from albient.mailstack 2026-06-24 22:34:23 +01:00

roundcube-albient-sso

OIDC web login for Roundcube backed by Stalwart's master-user authentication.

Roundcube can't present a Zitadel access token to Stalwart (Stalwart's single LDAP directory can't introspect external tokens), so this plugin uses OIDC only to establish the user's identity, then opens the mailbox with Stalwart's master user — it logs in as <email>%<master_user> with the master secret.

Flow

  1. The login form gains a "Sign in with Albient SSO" button.
  2. The button redirects to the IdP's authorize endpoint (auth-code flow, state CSRF guard).
  3. On callback, the plugin exchanges the code for a token, calls userinfo for the email, then opens the mailbox via Stalwart master auth.
  4. On first login the user's identity is set to the real address, not the master login string.

Installation

Drop the plugin into plugins/albient_sso/ and enable it in config.inc.php:

$config['plugins'][] = 'albient_sso';

Configuration

Key Purpose
albient_sso_authorize_uri / albient_sso_token_uri / albient_sso_userinfo_uri OIDC endpoints
albient_sso_client_id / albient_sso_client_secret OIDC client credentials
albient_sso_redirect_uri Must match the registered redirect URI
albient_sso_master_user / albient_sso_master_secret Stalwart authentication.master user + secret
albient_sso_imap_host Optional; defaults to imap_host
albient_sso_button_label Login button text
albient_sso_auto_redirect true skips the local form and goes straight to the IdP

Deployment

In the Albient stack this plugin is deployed by the albient.mailstack.roundcube Ansible role, which checks out a pinned tag of this repository into the Roundcube plugins/ directory. It is not coupled to that role and works in any Roundcube 1.6+ install.

License

Copyright © Albient. All rights reserved. See LICENSE.