2 posts tagged with "oidc"

We are happy to announce that third-party OpenID Connect (OIDC) authentication support has now been open-sourced under the AGPL-3.0 license in Stalwart Mail Server version 0.11.5. This means that users can now configure Stalwart Mail Server to authenticate against external OIDC providers, such as Keycloak, without requiring an Enterprise subscription.

Stalwart Mail Server has supported OIDC authentication for several months, allowing it to function as either an OIDC provider or an OIDC client authenticating against an external provider. Until now, only the ability to act as an OIDC provider was included in the Open Source edition, while authentication via external OIDC providers was reserved for Enterprise users. By making this functionality freely available, we are reinforcing our commitment to openness and ensuring that more users can take advantage of modern, federated authentication without barriers.

With this change, organizations that rely on external OIDC identity providers can seamlessly integrate Stalwart Mail Server into their existing authentication workflows at no cost. Whether you are using Keycloak, Auth0, or another OIDC-compliant solution, Stalwart Mail Server now offers complete flexibility in how you manage authentication.

Why is Stalwart Not 100% Free?​

At Stalwart Labs, our goal is to provide a robust and feature-rich mail server solution. However, sustaining long-term development for a project of this scale requires significant financial resources. At present, open-source sponsorships alone do not generate sufficient funding to cover these costs entirely.

To ensure that Stalwart Mail Server continues to evolve and improve, we offer a paid Enterprise version. Revenue from Enterprise subscriptions allows our team to dedicate full-time efforts to development, ensuring the continuous enhancement of both the open-source and paid versions. This funding model allows us to introduce new features while maintaining the high standards that make Stalwart Mail Server a leading solution in the industry.

Furthermore, the existence of an Enterprise edition directly benefits the open-source community. By sustaining active development, we can periodically release new features into the open-source version, as we have done with third-party OIDC support. It is worth noting that even the community edition of Stalwart Mail Server already provides more features than any other open-source or commercial mail server available today. We are dedicated to maintaining and expanding this competitive edge.

If you would like to support open-source development and help accelerate the release of additional features as open-source, we invite you to become a sponsor. Your sponsorship plays a vital role in the project's sustainability and future growth. Thank you for your support and understanding.

Join Us at FOSDEM 2025​

To learn more about Stalwart Mail Server and its latest developments, we invite you to watch our talk at FOSDEM 2025. The session will take place tomorrow, Saturday, February 1st, at 12:00 PM Central European Time in Brussels. If you cannot attend in person, you can follow the presentation online at fosdem.org.

We look forward to sharing more about the project and engaging with the community at this exciting event!

Today we announce the release of Stalwart Mail Server v0.10.2, and it’s a big one! This version brings full OpenID Connect (OIDC) support, empowering admins and developers to integrate secure authentication and single sign-on (SSO) with modern identity providers. In addition to OIDC, this release introduces OpenID Connect Dynamic Client Registration, OpenID Connect Discovery, and OAuth 2.0 Token Introspection. Let’s dive into what these features are and why they matter.

What is OpenID Connect?​

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that allows clients to verify the identity of users. With OIDC, instead of just authorizing an app to access a resource, the system can also authenticate the user securely. This means users can log in to multiple applications with a single set of credentials, making OIDC ideal for Single Sign-On (SSO) across services.

Why is this important? Because it saves users from password fatigue, reduces login complexity, and centralizes authentication in a secure manner. Stalwart Mail Server’s new OIDC support allows you to authenticate your users either directly through Stalwart as an OpenID Provider or by integrating with third-party OIDC providers like Authentik, Keycloak, or any compliant identity system.

Alongside full OIDC support, Stalwart Mail Server v0.10.2 also introduces several important new features that expand its capabilities:

OpenID Connect Dynamic Client Registration​

Dynamic Client Registration allows clients (applications) to automatically register with the OIDC provider without requiring manual intervention. This feature makes it easier to integrate multiple applications, as clients can dynamically obtain credentials (like client IDs) directly from Stalwart Mail Server. This adds flexibility and reduces administrative overhead.

OpenID Connect Discovery​

With the OpenID Connect Discovery feature, clients can automatically discover the relevant OIDC endpoints and supported capabilities via the /.well-known/openid-configuration endpoint. This simplifies the configuration of OIDC clients, as they don’t need to be manually configured with URLs for token, authorization, and userinfo endpoints — they just query the discovery endpoint and set themselves up!

OAuth 2.0 Token Introspection​

OAuth 2.0 Token Introspection allows resource servers (like APIs or mail servers) to validate access tokens provided by clients. This ensures that the token being used is still active, hasn’t expired, and has the right permissions attached. This is particularly useful for securing interactions between various services while verifying that tokens are still valid.

OpenID Provider or Third-Party OIDC Support​

Stalwart Mail Server v0.10.2 can now act as an OpenID Provider (issuing ID tokens and managing authentication), which means your organization can use it to handle authentication for all your internal applications and services. Alternatively, Stalwart can also integrate with third-party OIDC providers, so you can delegate authentication to systems like Authentik or Auth0, while still using Stalwart to manage your email infrastructure.

This dual functionality gives you the flexibility to choose how you want to manage authentication while taking full advantage of OIDC's security features.

About OAUTHBEARER...​

Now, let’s talk about mail clients and the OAUTHBEARER SASL mechanism. While Stalwart fully supports OIDC, the majority of mainstream mail clients (looking at you, Outlook, Thunderbird, and Apple Mail) still don’t support OAUTHBEARER for OAuth-based authentication. Sure, we’ve done our part by adding OpenID support to Stalwart — now it's up to the mail clients to follow suit and add proper support for OIDC authentication. Maybe one day, we’ll see these clients finally catch up, and we can all enjoy the seamless authentication experience that OIDC offers.

In the meantime, users of these clients will need to continue using App Passwords to access their email accounts. But hey, maybe this is the gentle nudge the developers of these clients need to jump on the OpenID bandwagon!

Try It Out​

Stalwart Mail Server v0.10.2 is available now, so download it, upgrade your server, and start taking advantage of these new features! Whether you’re setting up Stalwart as your OpenID Provider or integrating with a third-party provider, this release gives you the tools to secure authentication with modern standards like OpenID Connect.

Happy mailing and happy authenticating!