
[Feature]: Enable SSO Authentication #7

@ghoudmon

Description

Problem / Motivation

I use OIDC with the webmail version.
I would like to continue with the mobile version,
so that I could disable app passwords / basic authentication.

Proposed Solution

The solution can't be exactly the same as with the webmail version. There are no environment variables available.

I suggest:

  • check the well-known (.well-known/openid-configuration or .well-known/oauth-authorization-server), with the JMAP server URL as base.
  • enable the SSO button if the configuration is accessible
  • use as client_id "bulwarkmail-android", no client_secret
  • use as the scope: openid offline_access
  • use as redirect URI: bulwarkmobile://oauth-callback (to adapt)
  • use PKCE

It implies that Stalwart (or another IdP) pre-registers a client with the right client_id and redirect_url.

Alternatives Considered

Another alternative is to add the options to the login form, maybe in a collapsed section:

  • Issuer url
  • client id
  • client secret (optional)

Another alternative could be dynamic client registration. But it requires activating anonymous registration or providing an authentication method to authenticate the client before its registration: not ideal.

Feature Area

Authentication / Security

Mockups / Examples

No response

Additional Context

No response
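The discovery-then-PKCE flow proposed above, written out as an added example (this is not code from the issue or from the Bulwark Mail / Stalwart projects). It runs offline: the JMAP URL, the discovery document and the HTTP fetcher are constructed stand-ins, and the client_id, scope and redirect URI are the values suggested in the proposal. One check that goes beyond the proposal, marked as an assumption in the code: a public client that sends no client_secret only treats a server as usable if its discovery document advertises the S256 code-challenge method, so the app never silently falls back to a code flow without PKCE.

```python
"""Added example: OIDC/OAuth discovery from the JMAP origin, PKCE, and the
authorization and token requests of a public (secret-less) mobile client."""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed identifiers, taken from the proposal in this issue.
CLIENT_ID = "bulwarkmail-android"
REDIRECT_URI = "bulwarkmobile://oauth-callback"
SCOPE = "openid offline_access"

# Both well-known locations named in the proposal, tried in this order.
WELL_KNOWN_PATHS = (
    "/.well-known/openid-configuration",
    "/.well-known/oauth-authorization-server",
)

# Constructed discovery document standing in for what a real server would serve.
SAMPLE_DISCOVERY = {
    "issuer": "https://mail.example.com",
    "authorization_endpoint": "https://mail.example.com/authorize",
    "token_endpoint": "https://mail.example.com/auth/token",
    "code_challenge_methods_supported": ["S256"],
}


def fake_fetch(url):
    """Constructed stand-in for an HTTPS GET: only one host's OIDC path answers."""
    if url == "https://mail.example.com/.well-known/openid-configuration":
        return json.loads(json.dumps(SAMPLE_DISCOVERY))
    return None


def discover(jmap_url, fetch=fake_fetch):
    """Try both well-known paths with the JMAP server origin as base.

    Returns the first usable document, else None. Assumption of this example:
    a document is usable only if it names both endpoints and advertises S256,
    because a client without a secret must not run the code flow without PKCE.
    """
    p = urlparse(jmap_url)
    if p.scheme != "https":
        return None  # never discover, or later send a code, over plain HTTP
    base = f"{p.scheme}://{p.netloc}"
    for path in WELL_KNOWN_PATHS:
        doc = fetch(base + path)
        if not doc:
            continue
        if "authorization_endpoint" not in doc or "token_endpoint" not in doc:
            continue
        if "S256" not in doc.get("code_challenge_methods_supported", []):
            continue
        return doc
    return None


def sso_available(jmap_url, fetch=fake_fetch):
    """The proposal's rule: enable the SSO button only if discovery succeeds."""
    return discover(jmap_url, fetch) is not None


def challenge_from_verifier(verifier):
    """S256 transform from RFC 7636: BASE64URL(SHA-256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce():
    """Fresh 43-character verifier (32 random bytes, base64url) and its S256 challenge."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")
    return verifier, challenge_from_verifier(verifier)


def query_params(url):
    """Single-valued query parameters of a URL (works for custom schemes too)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def build_authorization_url(doc, challenge, state):
    """Authorization request of a public client: no client_secret, PKCE S256, state."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Code from bulwarkmobile://oauth-callback?code=..&state=..; None if state mismatches."""
    q = query_params(callback_url)
    if q.get("state") != expected_state:
        return None
    return q.get("code")


def build_token_request(doc, code, verifier):
    """Token request body: the verifier proves this app started the flow; no secret is sent."""
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    return doc["token_endpoint"], body


if __name__ == "__main__":
    jmap = "https://mail.example.com/jmap/"  # constructed JMAP server URL
    if sso_available(jmap):
        doc = discover(jmap)
        verifier, challenge = make_pkce()
        state = secrets.token_urlsafe(16)
        print(build_authorization_url(doc, challenge, state))
        code = parse_callback(f"{REDIRECT_URI}?code=demo&state={state}", state)
        print(build_token_request(doc, code, verifier))
```

The `state` check in `parse_callback` matters more on mobile than on the web: a custom scheme such as `bulwarkmobile://` can be claimed by any installed app, so the client should bind the callback to the request it actually started and reject anything else before exchanging the code.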

Metadata

Assignees

No one assigned

    Labels

    enhancement (New feature or request)

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests