oauth2 not working. Missing docu about oauth config, missing python package requests

[SnoopAir]

The Radicale documentation does mention the ability to use OAuth2 for authentication, but it does not provide detailed information on the configuration options.

The documentation claims, that one type of authentication is "oauth". The config file mentions it as well:

# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall #type = denyall

But unfortunately there is not more information about how to configure it. Simply setting it to oauth and providing the oauth2_token_endpoint is not enough to work - as far as I can tell.

First thing is, that the latest image 3.5.1.0 is missing the python module "requests" necessary for oauth; at least judging from the log error.

After installing the missing python module, simply adding something like oauth2_client_id and oauth2_client_secret does not do the job. It's not expected as config:

radicale | [2025-03-24 13:31:04 +0000] [7] [CRITICAL] Invalid configuration: Invalid option 'oauth2_client_id' in section 'auth' in config file '/config/config'

I'm trying to use authentik to protect access to radicale. Anybody having any similar experience? Or even better: Found a solution to do so?

[pbiering]

Code was overtaken https://gitlab.mim-libre.fr/alphabet/radicale_oauth/-/blob/dev/oauth2/radicale_auth_oauth2/__init__.py

According to radicale/auth/oauth2.py the client_id is currently hardcoded to "radicale", to make this configurable related option needs to be added.

I cannot test this particular authentication module, potentially check here for more #1359

"requests" added as dependency by e0a24b1

[SnoopAir]

@pbiering : The added "requests" module looks good.

About auth overall I have to say I'm just trying to apply the little knowledge I obtained when setting up other services with traefik and authentik. Which every time I have a new one I realized I don't know was much as I would like to/should.

So if anybody with more experience in how to protect radicale behind authentik could give a hand that would be great.
Unfortunately the documentation about the authentication methods is a little spares.
Obviously "none" and denyall" are not an option ;)
Using htpasswd or pam seems also not the right thing.

What I'm looking for is a way to provide the username and password (maybe username alone would be even good enough as long as authentik has authenticated the user beforehand) to the request. So maybe "none" in fact is a viable option - if I could find out how to provide the username alongside the request to the server.

[pbiering]

another user is using "Authentic" via LDAP which needed an extension, see e.g. here

• added configuration to enable radicale LDAP with Authentik #1740
• Update ldap.py #1742

Potentially try this and others would be potentially glad if Wiki would be extended if needed:

• https://github.com/Kozea/Radicale/wiki/LDAP-authentication

[BastelBaus]

Hi @SnoopAir,

I am using Authentik and radicale via tomsquest docker container.
Following the Authentik LDAP guides carefully, applying the fixes from links above locally and adding a static timestamp to the users*, it seams to work for me. Extensive testing by letting my family use it still pending ;-)

Let me know if I can support you on this.

BR, BastelBaus

P.S.: @pbiering, the radicale ldap docu worked nice for me. Thanks for processing the PR so fast and being patient with me ;-)

*) might not be needed after the radicale fixes, I will check later