OIDC with Pocket ID, several problems

[neffs]

Issue Description

I'm trying to use Pocket ID as OIDC Provider for Stalwart, but can't get it to work. Unfortunately recovery mode seems broken now, so I currently cant go back...

Expected Behavior

• userinfo is not requested for recovery admin.
• make client_id configurable
• request state, e.g. &scope=profile+email+openid
• document callback url

Actual Behavior

When setting directoryId to an external OIDC the old internal Bearer token is still in use. Stalwart tries to request userinfo from Pocket ID, which fails with HTTP 500.

userinfo is also requested after logging in with recovery admin, triggering the browser to display user/password window. No login possible.

After clearing the browser session/cookies I am correctly forwarded to Pocket ID, but get a "record not found" error. Probably because Pocket ID generates client ids itself but stalwart uses "stalwart-webui".

After changing the client_id parameter in the url and adding &scope=profile+email+openid, I am redirected back to stalwart, with the following error from stalwart:
"Token exchange failed: 404"

Pocket ID:
Apr 21 21:16:31 WRN Client not found app=pocket-id version=2.6.0 client=stalwart-webui
Apr 21 21:16:31 WRN Request with errors: Error #1: client not found

Reproduction Steps

1. add oidc client to Pocket ID
2. configure undocumented callback url https://xxxxx/admin/oauth/callback
3. enable pkce, public client
4. configure oidc on stalwart, provide client_id from Pocket id in requireAudience, add group to scopes

Relevant Log Output

No response

Stalwart Version

v0.16.x

Installation Method

Docker

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

OIDC

Additional Context

No response

I acknowledge that:

• I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.
• I have searched the Stalwart repository (both open and closed Discussions and Issues) and confirm this is not a duplicate.
• I have set the logging level to trace and included relevant log output if applicable.
• I agree to follow the project's Code of Conduct.

[mdecimus]

A note on the OIDC directory setup on the server side. There are two ways to configure an external OIDC directory:

1. As the default directory under the Authentication object. All incoming bearer tokens are routed here.
2. Per domain by linking the directory to a Domain object. Until now this only worked for SASL protocols (IMAP, POP3, SMTP, ManageSieve) because they carry the username alongside the token. HTTP bearer headers do not, so the request used to fall back to the default directory. If the default was not the OIDC one, the JWT was treated as an internal Stalwart access token and failed to decode.

v0.16.1 (releasing in the next few days) adds domain extraction from standard JWT claims (email, preferred_username, upn), so per-domain OIDC directories are reachable from HTTP bearer as well. The "Failed to decode token" error message now also includes a hint pointing at this configuration.

[mdecimus]

Just released:

Stalwart Server v0.16.1

Added

• OIDC: Extract username from JWT token.
• system('node_hostname') and system('node_role') expression variables to retrieve the local node hostname and cluster role respectively.

Fixed

• JMAP:
  • Invalid receivedAt headers after importing (Invalid receivedAt returned by Email/get after Email/import #2939).
  • Sorting order issues when emails lack receivedAt headers.
• IMAP: Fix BINARY fetch responses (Roundcube displays garbled text for windows-1251 emails with Stalwart #2940).
• WebDAV: Fix ACL validation for target folders.
• ACME: Allow requesting apex domain certificates.
• Hostname issues:
  • Accept RFC 6761 reserved TLDs during bootstrap.
  • Allow hostnames without TLDs in remote server settings.
• Reverse proxy issues.
• OSS builds.
• DNS Updater:
  • RFC2136: TSIG secret not base64 decoded.
  • Google DNS: Chunk TXT records when they exceed 255 characters.
  • Cloudflare:
    • Fix CAA record updates.
    • Check zone subdomains when finding zones

Stalwart WebUI v1.0.1

Added

• OIDC:
  • Logout users from IdP when logging out of the app.
  • Include openid scope in OIDC authentication requests.

Fixed

• Mobile display issues.
• Editing a secret clears its masked value.
• Array label properties crashes app.

Stalwart CLI v1.0.1

Fixed

• Allow JSON schema to be uncompressed.

[neffs]

Unfortunately v0.16.1 didn't solve my issues. The directory was always configured as default.

The first issues are completely in stalwart webui, there should be a way for the webui to get configured scopes and client id from the backend. Maybe /api/discover/xxxx can be extended.

I worked around that by creating my own webui.zip
Now I am correctly forwarded to my OAuth Provider and back to stalwart, but something is still wrong with the process.
2026-04-28T12:13:32Z ERROR Authentication error (auth.error) listenerId = "https", localPort = 443, remoteIp = xxxxxx, remotePort = 49939, reason = "Failed to decode token. If you are using an external OIDC provider, make sure it is configured as the default directory under the Authentication object.", causedBy = "crates/common/src/auth/oauth/token.rs:125", details = "xxxxxx", remoteIp = xxxxx...
The directory is configured as default via webui, but stalwart still tries to validate with internal directory.

If I stop the IDM container and restart stalwart, I get the following log messages:

2026-04-28T12:18:52Z ERROR Configuration build error (registry.build-error) source = "Directory", id = 302912829873192970, reason = "Network error: Discovery fetch failed: error sending request for url (https://xxxxxx/.well-known/openid-configuration)"
2026-04-28T12:18:52Z ERROR Configuration build error (registry.build-error) source = "Authentication", id = 20080258862541, reason = "Default directory with ID inbjtutiaaak not found"

→ default directory is set
This was also the best way I could find to be able to log in again.

P.S. the new domain extraction feature won't work with pocket id (and also kanidm) because the access token does not include the mentioned claims.

[mdecimus]

Stalwart v0.16.2 will fallback to the userinfo endpoint then the JWT token does not include email claims.

[neffs]

I still have to create my own webui.zip with scopes and client_id, but it works now. Thank you!

[whoami-0x44]

Did you set up Pocket ID for the admin panel?

[neffs]

Yes.
checkout the webui repo, create a file .env.local with your client id from pocket id, e.g.:

VITE_OAUTH_CLIENT_ID=6720f26f-xxxx-xxxx-xxxx-xxxxxxxxxxxx
VITE_OAUTH_SCOPES='openid profile email groups' # probably unnecessary current version

run ./build.sh, upload generated zip somewhere and add as application in stalwart (i used /admin1 and /account1 as paths)