Admin panel OIDC

Your question

Hi,
Does the admin panel support OIDC?
Thanks for help.

I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.

Yes, the Stalwart admin panel (WebUI) does support OIDC for authentication. The WebUI uses the standard OAuth 2.0 authorization code flow and will automatically detect OIDC support from the server’s discovery document — requesting openid, email, and profile scopes when the identity provider advertises them.

This means if your Stalwart server is configured to use an external OIDC directory backend (e.g. Keycloak, Authentik, or any generic OIDC provider), the admin panel login will follow that same OIDC flow via the server’s built-in OAuth 2.0 support.

For details on setting up an OIDC directory backend, see the OpenID Connect docs.

This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.

@helpbot Will app passwords fail to work in this case?

It depends on whether you’re using an external OIDC directory or the internal directory. The docs are explicit about this:

“Application passwords are stored against the internal directory’s account record. When the principal originates in an external directory (LDAP, SQL, OIDC), the secret has to live in the external directory, not in Stalwart. For clients that do not speak SASL OAUTHBEARER (CalDAV / CardDAV in particular), either configure the external directory to accept the application password as a secondary credential, or run a hybrid setup with the internal directory covering app-password use.”
FAQ

In short:

  • Internal directory → app passwords work normally.
  • External OIDC directory → Stalwart cannot store app passwords on behalf of those accounts. You’ll need to either configure your OIDC provider to issue a secondary credential, or set up a hybrid configuration where the internal directory handles app-password authentication.

The OIDC backend docs and OAuth interoperability page cover the workaround in more detail.

Human here! Helpbot’s reply is correct but the quoted FAQ is referencing old behaviour from v0.15. The correct answer is that yes, in v0.16 you can use App Passwords with any external directory. The FAQ has been updated to correct that.

External OIDC only works if you can set the client id “stalwart-webui” in your IDP. If your IDP generates the client id itself, you’ll have to patch webui.
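An added example, not part of the thread and not Stalwart's own code: a check an admin could run on an identity provider's discovery document to see whether it advertises what the replies above say the WebUI login relies on (authorization code flow; the openid, email and profile scopes), and what an authorization request for the client id "stalwart-webui" would then carry. The idp.example and mail.example URLs, the redirect path, the state value and the function names are assumptions made for illustration.

```javascript
// Added example, not Stalwart code: checks an IdP discovery document for what
// the thread says the WebUI login relies on.
const WANTED_SCOPES = ["openid", "email", "profile"]; // scopes named in the thread
const CLIENT_ID = "stalwart-webui"; // client id named in the thread

// Returns { ok, problems, scopes } for a parsed discovery document.
function checkDiscovery(doc) {
  const problems = [];
  for (const key of ["issuer", "authorization_endpoint", "token_endpoint"]) {
    if (typeof doc[key] !== "string" || !doc[key].startsWith("https://")) {
      problems.push(`${key} missing or not https`);
    }
  }
  if (!(doc.response_types_supported || []).includes("code")) {
    problems.push("response_type=code (authorization code flow) not advertised");
  }
  // scopes_supported is optional in OIDC discovery; if absent, check the IdP by hand.
  const advertised = doc.scopes_supported || [];
  const scopes = WANTED_SCOPES.filter((s) => advertised.includes(s));
  if (!scopes.includes("openid")) {
    problems.push("openid not listed in scopes_supported");
  }
  return { ok: problems.length === 0, problems, scopes };
}

// Builds an authorization code request using only the advertised scopes.
// redirectUri and state are supplied by the caller (placeholders below).
function buildAuthUrl(doc, redirectUri, state) {
  const { ok, problems, scopes } = checkDiscovery(doc);
  if (!ok) throw new Error(problems.join("; "));
  const url = new URL(doc.authorization_endpoint);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("client_id", CLIENT_ID);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state);
  return url.toString();
}

// Constructed sample discovery document; idp.example is a placeholder.
const sampleDoc = {
  issuer: "https://idp.example/realms/mail",
  authorization_endpoint: "https://idp.example/realms/mail/auth",
  token_endpoint: "https://idp.example/realms/mail/token",
  response_types_supported: ["code", "id_token"],
  scopes_supported: ["openid", "profile", "offline_access"], // no "email"
};
console.log(checkDiscovery(sampleDoc));
console.log(buildAuthUrl(sampleDoc, "https://mail.example/callback", "constructed-state"));
```

With the constructed document the check passes but the email scope is dropped from the request, which is the case to look for when accounts arrive without an address.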

I checked your post on GitHub, thanks for the help.