If anyone is wondering how to connect the WebApp to their Keycloak instance: I couldn't find any documentation yet, but looking through the changes to mapi-headers-php, I was able to get it working by doing the following:
- In Keycloak, create a public OIDC client.
- Export your client config from Keycloak
- Get your realm RSA public key
- Place the exported config from Keycloak at /etc/gromox/keycloak.json
It should look like this:
{
  "realm": "xxx", // realm name
  "auth-server-url": "https://xxx.xxx.xxx/", // this is concatenated with the realm name to form the OIDC endpoint
  "ssl-required": "external", // not read by the gromox code, but doesn't hurt
  "resource": "xxx", // client id
  "public-client": true,
  "confidential-port": 0,
  "realm-public-key": "-----BEGIN PUBLIC KEY-----\nKEYHERE\n-----END PUBLIC KEY-----"
}
- Create the file /etc/gromox/bearer_pubkey
This is for authmgr so I can verify the JWT signature; use the realm key in PEM format.
Once that's done, the WebApp will automatically start redirecting to your Keycloak instance.
One thing to be careful of: Grommunio reads the "email" claim but wants the logon username. For my user, for example, my logon name (userPrincipalName) differs from my primary email address, so you may need to implement a mapper in Keycloak, userPrincipalName -> email, just for the grommunio client.
Maybe this is helpful to someone 🙂 Thank you to the Grommunio team for an awesome feature!
You can also do it with client authentication; just make sure the secret is in the keycloak.json file.
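The steps above can be sanity-checked before touching a live Grommunio install. The following is an added example (my own helper, not gromox or Grommunio code): it validates a keycloak.json export for the keys the post says matter, derives the PEM text that belongs in /etc/gromox/bearer_pubkey from the "realm-public-key" entry, and checks the claims of a token the way the post describes (issuer, audience, expiry, and the "email" claim that has to carry the logon name). It assumes the Keycloak issuer is the auth-server-url joined with "realms/<realm>"; the sample config, key text and token are constructed for the demo, and signature verification is left to authmgr and the bearer_pubkey file, so the token built here is unsigned and only useful offline.

```python
"""Offline checks for a Grommunio <-> Keycloak OIDC setup (added example, not project code)."""
import base64
import json
import time

# Keys the post identifies as the ones gromox actually reads from keycloak.json.
REQUIRED_KEYS = ("realm", "auth-server-url", "resource", "realm-public-key")


def load_keycloak_config(text):
    """Parse a keycloak.json export and refuse it if a key gromox needs is absent."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError("keycloak.json missing keys: " + ", ".join(missing))
    # A confidential client only works if the exported secret is present (post's last point).
    if not cfg.get("public-client", False) and "credentials" not in cfg:
        raise ValueError("confidential client but no 'credentials' entry with the secret")
    return cfg


def issuer_url(cfg):
    """Issuer = auth-server-url + 'realms/<realm>' (assumption about the Keycloak layout)."""
    return cfg["auth-server-url"].rstrip("/") + "/realms/" + cfg["realm"]


def bearer_pubkey_pem(cfg):
    """Return the text to write to /etc/gromox/bearer_pubkey: the realm key as plain PEM."""
    # json.loads already turns "\n" escapes into newlines; the replace also covers a
    # config that was pasted with literal backslash-n sequences.
    pem = cfg["realm-public-key"].replace("\\n", "\n").strip()
    if not (pem.startswith("-----BEGIN PUBLIC KEY-----")
            and pem.endswith("-----END PUBLIC KEY-----")):
        raise ValueError("realm-public-key is not a PEM public key block")
    return pem + "\n"


def _b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt(token):
    """Split a JWT into its header and payload dicts; the signature is NOT checked here."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def check_claims(header, payload, cfg, now=None):
    """Return the logon name gromox will take from the token, or raise with the reason."""
    now = time.time() if now is None else now
    if header.get("alg") != "RS256":
        raise ValueError("alg %r is not RS256; bearer_pubkey is an RSA key" % header.get("alg"))
    if payload.get("iss") != issuer_url(cfg):
        raise ValueError("issuer mismatch: %r" % payload.get("iss"))
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if cfg["resource"] not in aud and payload.get("azp") != cfg["resource"]:
        raise ValueError("token was not issued for client %r" % cfg["resource"])
    if payload.get("exp", 0) <= now:
        raise ValueError("token expired")
    email = payload.get("email")
    if not email:
        raise ValueError("no 'email' claim; add a Keycloak mapper userPrincipalName -> email")
    return email  # this is what Grommunio treats as the logon username


def make_unsigned_token(payload):
    """Constructed demo token with an empty signature; authmgr would reject it."""
    return _b64url_encode({"alg": "RS256", "typ": "JWT"}) + "." + _b64url_encode(payload) + "."


# Constructed sample config; the key body is a placeholder, not a real key.
SAMPLE_CONFIG = json.dumps({
    "realm": "corp",
    "auth-server-url": "https://sso.example.com/",
    "ssl-required": "external",
    "resource": "grommunio",
    "public-client": True,
    "confidential-port": 0,
    "realm-public-key": "-----BEGIN PUBLIC KEY-----\nPLACEHOLDERKEYBASE64\n-----END PUBLIC KEY-----",
})
NOW = 1_700_000_000  # fixed clock so the demo is reproducible


def demo():
    cfg = load_keycloak_config(SAMPLE_CONFIG)
    token = make_unsigned_token({
        "iss": issuer_url(cfg), "aud": "grommunio", "azp": "grommunio",
        "exp": NOW + 300, "email": "jdoe@example.com",  # UPN mapped into "email"
    })
    header, payload = decode_jwt(token)
    return check_claims(header, payload, cfg, now=NOW)


if __name__ == "__main__":
    print(bearer_pubkey_pem(load_keycloak_config(SAMPLE_CONFIG)), end="")
    print("logon name from token:", demo())
```

The only piece that survives into a real deployment is the bearer_pubkey text; the claim check mirrors what the post observed (the "email" claim is used as the logon name) so that a missing mapper shows up as a clear error instead of a failed login.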