OAuth client with OIDC directory

Issue Description

With the OIDC directory enabled and using an OAuth2 client with the device code flow, the login screen presented requires email + password + device code.

Expected Behavior

Because of the OIDC directory, I’d expect no password field.

Actual Behavior

A password is required to connect the OAuth client.

Stalwart Version

v0.16.x

Installation Method

Binary (Linux)

Database Backend

RocksDB

Blob Storage

RocksDB

Search Engine

Internal

Directory Backend

OIDC


Let me research how Stalwart handles the OAuth2 device code flow with an OIDC directory backend.

I do not understand what the issue is. If you are using an external OIDC you need to use the device auth flow of your IdP, not Stalwart’s.

My bad. I drew the wrong conclusion about what token the endpoints want.

The autodiscovery of the client just went off the 'www-authenticate: Bearer realm="Stalwart Server"' header in the returned endpoint headers and tried to do OAuth/OIDC against the server’s well-known OIDC document, which is obviously Stalwart’s IdP. It did not use the PACC draft to figure out how to authenticate, so it probably guessed OAuth based on the "Bearer" in the www-authenticate header.
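The misstep described in the last post, a client keying its OAuth discovery off a bare `Bearer realm="..."` challenge, is worth seeing in code. The example below is added here and is neither part of the original thread nor Stalwart's own code: it parses a WWW-Authenticate header per RFC 9110/RFC 6750 and then decides where the authorization server can legitimately be learned from. A Bearer challenge with only a `realm` carries no authorization-server location (the realm is a display string), so the only safe options are an explicit `resource_metadata` parameter (RFC 9728, OAuth 2.0 Protected Resource Metadata) or out-of-band client configuration; guessing `<resource host>/.well-known/openid-configuration` is exactly what sent the client to the wrong IdP. The header values, the function names and the `("configure_explicitly", ...)` result tags are assumptions made for the example.

```python
"""Added example (not from the thread, not Stalwart code): parse WWW-Authenticate
and decide where a client may learn the authorization server location."""

import re

# Constructed sample header values (not captured from a real server).
STALWART_STYLE = 'Bearer realm="Stalwart Server"'
WITH_RESOURCE_METADATA = (
    'Bearer realm="example", '
    'resource_metadata="https://mail.example.com/.well-known/oauth-protected-resource"'
)
BASIC_ONLY = 'Basic realm="mail"'
TWO_CHALLENGES = 'Basic realm="mail", Bearer realm="mail", error="invalid_token"'

# RFC 9110 token characters; used for scheme names, parameter names and bare values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# A scheme is a token at the start or after a comma that is NOT followed by '='
# (which would make it a parameter name) and IS followed by whitespace, comma or end.
_SCHEME = re.compile(rf"(?:^|,)\s*({_TOKEN})(?!\s*=)(?=\s|,|$)")
# name=value with either a quoted-string or a bare token as the value.
_PARAM = re.compile(rf'({_TOKEN})\s*=\s*("(?:[^"\\]|\\.)*"|{_TOKEN})')


def _unquote(v):
    """Strip quotes and backslash escapes from an RFC 9110 quoted-string."""
    if len(v) >= 2 and v[0] == '"' and v[-1] == '"':
        return re.sub(r"\\(.)", r"\1", v[1:-1])
    return v


def parse_www_authenticate(value):
    """Return [(scheme, {param: value}), ...] for every challenge in the header.

    Limitations (deliberate, to keep the example short): token68 challenges such
    as 'Negotiate <blob>' are not handled, and a comma inside a quoted realm
    would be mistaken for a challenge separator.
    """
    schemes = list(_SCHEME.finditer(value))
    challenges = []
    for i, m in enumerate(schemes):
        end = schemes[i + 1].start() if i + 1 < len(schemes) else len(value)
        raw_params = value[m.end():end]
        params = {k.lower(): _unquote(v) for k, v in _PARAM.findall(raw_params)}
        challenges.append((m.group(1), params))
    return challenges


def authorization_server_hint(header):
    """Decide how a client should locate the authorization server for a resource.

    Returns one of (assumed tag names):
      ("resource_metadata", url)   - RFC 9728 pointer to the protected-resource
                                     metadata, whose authorization_servers list
                                     names the real IdP.
      ("configure_explicitly", realm) - Bearer challenge with no such pointer;
                                     the realm identifies nothing routable, so the
                                     client must be told the IdP, not guess
                                     /.well-known/openid-configuration on the
                                     resource host.
      ("no_bearer", None)          - no Bearer challenge at all; OAuth is not on
                                     offer here.
    """
    for scheme, params in parse_www_authenticate(header):
        if scheme.lower() != "bearer":
            continue
        if "resource_metadata" in params:
            return ("resource_metadata", params["resource_metadata"])
        return ("configure_explicitly", params.get("realm"))
    return ("no_bearer", None)


if __name__ == "__main__":
    for h in (STALWART_STYLE, WITH_RESOURCE_METADATA, BASIC_ONLY, TWO_CHALLENGES):
        print(repr(h))
        print("  challenges:", parse_www_authenticate(h))
        print("  hint:      ", authorization_server_hint(h))
```

The design point is the branch order in `authorization_server_hint`: a Bearer challenge is only treated as discoverable when it names a metadata document; otherwise the function refuses to derive an issuer from the realm or from the resource host, which is the guess that produced the email + password + device code prompt in this thread.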