Integrate with Roundcube
Support level: Community
What is Roundcube?
Roundcube is a browser-based multilingual IMAP client with an application-like user interface. It provides the full functionality you expect from an email client, including MIME support, address book, folder manipulation, message searching and spell checking.
Preparation
The following placeholders are used in this guide:
roundcube.companyis the FQDN of the Roundcube installation.authentik.companyis the FQDN of the authentik installation.
Roundcube is often used alongside Postfix and Dovecot. Postfix sends/receives email (SMTP), Dovecot stores/retrieves mail (IMAP/POP3), and Roundcube acts as a webmail client.
Whichever mail server is used in conjunction with Roundcube must support XOAUTH2 for both SMTPD and IMAP/POP. A Postfix SMTP server can use Dovecot for authentication, which allows XOAUTH2 support in Postfix without requiring separate configuration.
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
authentik configuration
In authentik versions earlier than 2026.5, all Redirect URIs are automatically treated as Authorization type. If you are using one of these older authentik versions, add only the Authorization URL to your Redirect URIs and do not configure a Post Logout URI.
To support the integration of Roundcube with authentik, you need to create a scope mapping and an application/provider pair in authentik.
Create a property mapping
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Customization > Property Mappings and click New Property Mapping.
- Select Scope Mapping and configure the following settings:
- Name: Set an appropriate name.
- Scope name:
dovecotprofile - Description: Set an appropriate description, if desired.
- Expression:
return {"name": request.user.name,"given_name": request.user.name,"family_name": "","preferred_username": request.user.username,"nickname": request.user.username,"active": True,}
- Click Create.
Create an application and provider in authentik
- Log in to authentik as an administrator and open the authentik Admin interface.
- Navigate to Applications > Applications and click New Application to open the application wizard.
- Application: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- Choose a Provider type: select OAuth2/OpenID Connect as the provider type.
- Configure the Provider: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the Client ID and Client Secret values because they will be required later.
- Add a Redirect URI of type
StrictAuthorizationashttps://roundcube.company/index.php/login/oauth. - Select any available signing key.
- Under Advanced protocol settings > Scopes, add the following scopes to Selected Scopes:
- The
dovecotprofilescope mapping that you previously created. authentik default OAuth Mapping: OpenID 'offline_access'
- The
- Configure Bindings (optional): you can create a binding (policy, group, or user) to manage the listing and access to applications on a user's Application Dashboard page.
- Click Submit to save the new application and provider.
Roundcube configuration
Configure Roundcube OAuth2
Set the following variables in your Roundcube configuration file:
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'authentik';
$config['oauth_client_id'] = '<Client ID from authentik>';
$config['oauth_client_secret'] = '<Client Secret from authentik>';
$config['oauth_auth_uri'] = 'https://authentik.company/application/o/authorize/';
$config['oauth_token_uri'] = 'https://authentik.company/application/o/token/';
$config['oauth_identity_uri'] = 'https://authentik.company/application/o/userinfo/';
$config['oauth_scope'] = 'email openid dovecotprofile offline_access';
$config['oauth_identity_fields'] = ['email'];
Add the following variable to your Roundcube configuration file to enable OAuth2 debugging:
$config['oauth_debug'] = true;
Configure Dovecot XOAUTH2
Add the XOAUTH2 and OAUTHBEARER authentication mechanisms and configure the OAuth2 database in your Dovecot configuration:
auth_mechanisms {
oauthbearer = yes
xoauth2 = yes
}
oauth2 {
tokeninfo_url = https://authentik.company/application/o/userinfo/?access_token=
introspection_url = https://<Client ID from authentik>:<Client Secret from authentik>@authentik.company/application/o/introspect/
introspection_mode = post
force_introspection = yes
active_attribute = active
active_value = true
username_attribute = email
ssl_client_ca_file = /etc/ssl/certs/ca-certificates.crt
}
Add the following variables to your Dovecot configuration to enable debugging:
auth_debug = yes
auth_verbose = yes
With this setup, Dovecot can also be used with other email clients that support XOAUTH2 authentication. However, most commonly available clients, such as FairEmail for Android and Thunderbird, only provide built-in support for providers like Gmail and Outlook, with no option to configure custom mail servers.
Configuration verification
To confirm that authentik is properly configured with Roundcube, log out of Roundcube and open Roundcube. Select Login via authentik. A mailbox should open and you should be able to send and receive mail.