Your question Hi, I’m trying to set up Pocket-ID as an OIDC provider, but I’ve hit a wall with the final redirection. The Issue: 1 - I initiate the login on Stalwart. 2 - I am correctly redirected to Pocket-ID. 3 - I enter my credentials and authorize the request. 4 - Pocket-ID redirects me ba…

The WebUI does not request the group claim because it does not needed. Also, you cannot rely on the group claim being present as mail clients won’t request it by default. You should manually pre-deploy the account if you want to make sure the group information is included.

Let me look up the OIDC configuration details to help diagnose this. This isn’t covered in the current docs. A community member or staff member will follow up. That said, there are a few configuration details worth double-checking while you wait for a human to reply: Client Secret — Most OIDC p…

@helpbot /.well-known/jwks.json {"keys":[{"alg":"RS256","e":"AQAB","kid":"dp3FP4tmMsg","kty":"RSA","n":"wRe0-fgdgdgdgdgdgd","use":"sig"}]}% /.well-known/openid-configuration {"authorization_endpoint":"https://pocket.domain.com/authorize","authorization_response_iss_parameter_supported":true,"c…

Let me look into the OIDC configuration details for Stalwart to give you accurate guidance. This is very helpful. The source code reveals the root cause clearly. The correct callback URL for the WebUI is /oauth/callback, not /admin/login and not /admin/oauth/callback. The WebUI handles the OIDC au…

@helpbot It’s a very strange behavior :smiley: . I’m trying to reproduce a setup that was 100% working before, but this time it returns a 401 Unauthorized error at https://mail.domain.com/jmap/session . The logs show ‘Missing required scope email’. URL https://pocket.domain.com/api/oidc/token Stat…

I think the authorization request must have scope=“openid profile email” to work correctly Try upgrading to the latest WebUI version. If the problem persists, make sure PocketId is advertising profile and email in the supported_scopes field of the OIDC discovery document.

I have the same problem. I updated to the latest webadmin and use stalwart 0.16.5. pocket-id is set as the Authentication Directory in stalwart The 401 error on /jmap/session after login is: reason = "Missing required scope 'email', present scopes: []", causedBy = "crates/directory/src/core/disp…

Thanks, that worked. Now I can’t get groups to work with pocket-id. Any tips on this?

I think this should work. Pocket-ID Configuration: 1 - Go to Administration > User Groups. Create Group. Add users to the group and click Save. 2 - Navigate to your OIDC Client. Select your group under Allowed User Groups and click Save. Stalwart Configuration: 1 - Navigate to Directory > Group…

Unfortunately it doesn’t. pocket-id only includes the groups scopes when it is requested, and stalwart says “The claim name used to retrieve the user’s group memberships from the token or user info response. Common values are groups or roles depending on your provider’s configuration. If not set, g…

Pocket-ID OIDC, redirect loop/no login after successful auth

Questions

root_root May 15, 2026, 10:50am 8

@stalwart Yes, it works now. The request has scope=“openid profile email”. Thanks.

@ruffy91 Try to set the “Required Scopes” field to empty.

/jmap/session returns 401 for valid OIDC user when stale ACL references deleted account

Topic		Replies	Views
requireClientRegistration with WebUI (Obsolete docs?) Questions	2	21	June 16, 2026
Oauth client with OIDC directory Issues	3	46	June 6, 2026
OIDC-only deployment (v0.16.8): first-boot directoryId churn, /account web-UI login rejected, and app passwords with a store-less Oidc directory Questions	3	57	June 16, 2026
Single Sign-on with Web UI and OIDC directory Questions	2	41	June 6, 2026
Stalwart unable to recover from transient OIDC errors during startup Issues no-ai	1	47	May 11, 2026

Pocket-ID OIDC, redirect loop/no login after successful auth

Related topics