When using OIDC, the webui always appends prompt=login&login_hint=user@example.com. This triggers my OIDC IDP (Kanidm) to force a login as a nonexistent account user@example.com.
My IDP user used for login is just “user” (or internally [email protected]. com), but never the email address. This forces the IDP into an endless loop.
(I had to include some spaces in URLs, to be able to create this post, too many links)
I commented out login_hint and prompt in the webui, which solves my issue.
I think it would be even better if Stalwart implemented OIDC not as a directory (globally or per domain) but as a completely separate authentication source per user, with a configurable mapping to a username or id. I could then, e.g., import my users from LDAP and still use OIDC to log in.
Stalwart Version
v0.16.x
Installation Method
Docker
Database Backend
RocksDB
Blob Storage
RocksDB
Search Engine
Internal
Directory Backend
OIDC
I have reviewed the documentation and FAQ and confirm that my issue is NOT addressed there.
I have searched this support forum (open and closed topics) and confirm this is not a duplicate.
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
This is a confirmed bug / behaviour issue in the WebUI. Here’s what’s happening based on the source code:
Root cause: In webui/src/services/auth/oauth.ts (line 162), the WebUI unconditionally appends login_hint: username to every OIDC authorization request. Because Stalwart uses the full email address (user@example.com) as the account name internally, this value is forwarded as-is to the upstream IDP, even if the IDP’s username format is different (e.g., Kanidm uses short names like user, not email addresses).
The prompt=login part forces the IDP to always show a fresh login prompt and, combined with login_hint=user@example.com, causes Kanidm to try to pre-select a non-existent account, resulting in the redirect loop you observed.
Your workaround (commenting out login_hint and prompt in the WebUI source) is currently the only practical fix until an upstream change is made. There is no configuration knob to suppress these parameters without modifying the source.
- login_hint to be omitted (or made optional/configurable) when the backend directory is an external OIDC provider, since the hint format may not match the IDP’s user identifier scheme.
- prompt=login to be configurable or defaulting to absent.
The Kanidm issue you referenced (kanidm#4321) is good supporting context to include.
Your idea of a per-user OIDC authentication source with configurable username mapping is a reasonable feature request — it’s not currently supported; Stalwart’s OIDC support is directory-wide.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong. If you found it useful, mention @helpbot in any reply to ask follow-up questions and the bot will respond again.
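The mechanism the bot describes, as an added example that is not Stalwart's webui code: an OIDC authorization URL builder in which login_hint and prompt=login are explicit options rather than unconditional additions. The option names (loginHintMode, forceLogin), the endpoint, client id and account name are all hypothetical, chosen only to illustrate the difference between the reported request and one a short-username IDP such as Kanidm would accept.

```typescript
// Added example, not Stalwart's webui/src/services/auth/oauth.ts.
// Builds an OIDC authorization request and makes the two parameters behind the
// reported Kanidm loop (login_hint and prompt=login) explicit, optional inputs.

export type LoginHintMode = "email" | "localpart" | "none";

export interface AuthorizeOptions {
  authorizationEndpoint: string; // IDP authorization_endpoint from discovery
  clientId: string;
  redirectUri: string;
  state: string;                 // CSRF token bound to the browser session
  nonce: string;                 // replay protection for the ID token
  scope?: string;                // defaults to "openid"
  accountName: string;           // Stalwart account name, always an e-mail address
  loginHintMode?: LoginHintMode; // hypothetical option: what to send as login_hint
  forceLogin?: boolean;          // hypothetical option: whether to add prompt=login
}

// Derive the login_hint the upstream IDP should receive, or undefined when
// nothing sensible can be derived. "localpart" serves IDPs such as Kanidm
// whose usernames are short names rather than e-mail addresses.
export function deriveLoginHint(accountName: string, mode: LoginHintMode): string | undefined {
  const at = accountName.indexOf("@");
  if (mode === "none" || at <= 0 || at === accountName.length - 1) {
    return undefined; // hints disabled, or not an e-mail: never forward a guess
  }
  return mode === "email" ? accountName : accountName.slice(0, at);
}

export function buildAuthorizeUrl(opts: AuthorizeOptions): string {
  const url = new URL(opts.authorizationEndpoint);
  const p = url.searchParams;
  p.set("response_type", "code");
  p.set("client_id", opts.clientId);
  p.set("redirect_uri", opts.redirectUri);
  p.set("scope", opts.scope !== undefined ? opts.scope : "openid");
  p.set("state", opts.state);
  p.set("nonce", opts.nonce);
  const mode: LoginHintMode = opts.loginHintMode !== undefined ? opts.loginHintMode : "email";
  const hint = deriveLoginHint(opts.accountName, mode);
  if (hint !== undefined) p.set("login_hint", hint);
  if (opts.forceLogin) p.set("prompt", "login");
  return url.toString();
}

// Helper for inspecting the query string of a built URL.
export function authorizeParams(authorizeUrl: string): Record<string, string> {
  const out: Record<string, string> = {};
  new URL(authorizeUrl).searchParams.forEach((v, k) => { out[k] = v; });
  return out;
}

// Constructed sample input (hypothetical endpoint, client and account).
const base = {
  authorizationEndpoint: "https://idp.example.com/oauth2/authorize",
  clientId: "stalwart",
  redirectUri: "https://mail.example.com/login/oauth2/callback",
  state: "s3cr3t-state",
  nonce: "n0nce",
  accountName: "user@example.com",
};

// The reported behaviour: full account e-mail as hint, prompt=login always set.
export const reportedBehaviour = buildAuthorizeUrl({ ...base, loginHintMode: "email", forceLogin: true });
// A short-username IDP: send only the local part and no prompt override.
export const kanidmFriendly = buildAuthorizeUrl({ ...base, loginHintMode: "localpart", forceLogin: false });
// Safest default when the IDP's identifier scheme is unknown: send neither.
export const noHint = buildAuthorizeUrl({ ...base, loginHintMode: "none", forceLogin: false });
```

Mapping the e-mail to a local part only helps when the IDP's short name really is the local part of the Stalwart account; where it is not, the "none" mode (or a mapping configured on the IDP side, as the maintainer reply suggests) is the safe choice, because a wrong hint is worse than no hint.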
Stalwart expects account names to be email addresses and this can’t be changed. You need to either modify the login_hint manually or configure your OIDC to map email addresses to your internal account names.