well-known/oauth-authorization-server does not provide correct OAuth endpoints

[kewisch]

https://mail.thundermail.com/.well-known/oauth-authorization-server and by extension https://thundermail.com/.well-known/oauth-authorization-server does not provide correct OAuth login information.

It should point to our Keycloak instance, instead of mail.thundermail.com

{
   "authorization_endpoint" : "https://mail.thundermail.com:443/authorize/code",
   "device_authorization_endpoint" : "https://mail.thundermail.com:443/auth/device",
   "grant_types_supported" : [
      "authorization_code",
      "implicit",
      "urn:ietf:params:oauth:grant-type:device_code"
   ],
   "introspection_endpoint" : "https://mail.thundermail.com:443/auth/introspect",
   "issuer" : "https://mail.thundermail.com:443",
   "registration_endpoint" : "https://mail.thundermail.com:443/auth/register",
   "response_types_supported" : [
      "code",
      "id_token",
      "code token",
      "id_token token"
   ],
   "scopes_supported" : [
      "openid",
      "offline_access",
      "urn:ietf:params:jmap:core",
      "urn:ietf:params:jmap:mail",
      "urn:ietf:params:jmap:submission",
      "urn:ietf:params:jmap:vacationresponse"
   ],
   "token_endpoint" : "https://mail.thundermail.com:443/auth/token"
}

[kewisch]

Also not showing the right info:

https://mail.thundermail.com/.well-known/openid-configuration

[MelissaAutumn]

For the record here's the correct url:
https://auth.tb.pro/realms/tbpro/.well-known/openid-configuration

Some context: Stalwart/Thundermail technically has its own OAuth impl, but we're using Stalwart with Keycloak. So we skip it's internal OAuth impl and basically tell Stalwart to take a token we give it, and introspect it against Keycloak.

[kewisch]

Do we need to mirror the JMAP scopes into keycloak's config? Does requesting specific JMAP (or other) scopes propagate from keycloak to Stalwart?

[MelissaAutumn]

Stalwart v0.15 does not care about scopes as far as I can tell. I will need to check v0.16, but I'm going to assume it also does not care about scopes.

That might have to be work we do ourselves and contribute back to Stalwart or request. I'll update when I finish the v0.16 work though.

The stalwart client doesn't request a sign in, it only validates the jwt against keycloak. Tb desktop, android, etc... have seperate clients that obtain the token via authentication and then pass it around to stalwart for it to verify identity and gate access.