Set up dovecot with keycloak

Question

I would like to set up dovecot + roundcube with keycloak OPENID.

To start I tried to configure only dovecot + keycloak and access it with thunderbird.

My config file is: For the docker compose:

version: "3"

services:

  keycloak:
    image: quay.io/keycloak/keycloak:latest
    command: ['start-dev --import-realm --http-relative-path=/auth --log-level=DEBUG']
    environment:
      - KEYCLOAK_USER=admin
      - KEYCLOAK_PASSWORD=admin
      - KEYCLOAK_ADMIN=myadmin
      - KEYCLOAK_ADMIN_PASSWORD=myadmin
      - DB_VENDOR=POSTGRES
      - DB_ADDR=keycloak-db
      - DB_DATABASE=keycloak
      - DB_USER=keycloak
      - DB_PASSWORD=keycloak
    ports:
      - 8080:8080  # pour l'interface utilisateur de Keycloak
      - 9990:9990  # pour l'interface d'administration de WildFly/JBoss
    networks:
      - keycloak-network
    #restart: always
    depends_on:
      - keycloak-db

  keycloak-db:
    image: postgres:latest
    environment:
      - POSTGRES_DB=keycloak
      - POSTGRES_USER=keycloak
      - POSTGRES_PASSWORD=keycloak
    networks:
      - keycloak-network
    restart: always
    volumes:
        - './dbkeycloak:/var/lib/postgresql/data'



  dovecot:
    image: dovecot/dovecot
    container_name: dovecot
    ports:
      - "127.0.0.1:993:993"  # Change the port to 993 for secure IMAPS
    environment:
      - MAIL_DOMAIN=localhost
    volumes:
      - ./dovecot.conf:/etc/dovecot/dovecot.conf  # Mount the custom configuration directory
      - ./dovecot-oauth2.conf.ext:/etc/dovecot/dovecot-oauth2.conf.ext  # Mount the custom configuration directory
    command: ["sh", "-c", "dovecot -F"]


  roundcube:
    image: roundcube/roundcubemail
    container_name: roundcube1
    ports:
      - "80:80"  # Change the port as needed
    environment:
      - ROUNDCUBEMAIL_DEFAULT_HOST=dovecot
      - ROUNDCUBEMAIL_SMTP_SERVER=dovecot
      - ROUNDCUBEMAIL_IMAP_HOST=dovecot  # Specify the IMAP server hostname
      - ROUNDCUBEMAIL_IMAP_PORT=993  # Specify the IMAP server port
      - ROUNDCUBEMAIL_IMAP_SECURE=ssl  # Use 'ssl' for secure IMAP, or 'tls' for STARTTLS
      - ROUNDCUBEMAIL_IMAP_AUTH_TYPE=PLAIN  # Use 'PLAIN' for plain text authentication

    depends_on:
      - dovecot
networks:
  keycloak-network:
    driver: bridge

dovecot-oauth2.conf.ext:

grant_url = http://keycloak:8080/realms/sso/protocol/openid-connect/token
client_id = dovecot
client_secret = bKBUxAyVc8boi53RPfx6nDtwRSmnUbin
tokeninfo_url = http://keycloak:8080/realms/sso/protocol/openid-connect/token
introspection_url = http://keycloak:8080/realms/sso/protocol/openid-connect/token/introspect
introspection_mode = post
use_grant_password = no
debug = yes
username_attribute = username
pass_attrs = pass=%{oauth2:access_token}

dovecot.conf

mail_home=/srv/mail/%Lu
mail_location=sdbox:~/Mail
mail_uid=1000
mail_gid=1000

protocols = imap pop3 submission sieve lmtp

first_valid_uid = 1000
last_valid_uid = 1000
disable_plaintext_auth=no

# Authentication configuration:
auth_verbose = yes
auth_mechanisms = oauthbearer xoauth2 plain login

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/mail/mailbox/%Lu
}
mail_privileged_group = mail

ssl=yes
ssl_cert=<cert.pem
ssl_key=<key.pem

namespace {
  inbox = yes
  separator = /
}

service lmtp {
  inet_listener {
    port = 24
  }
}

listen = *

log_path=/dev/stdout
info_log_path=/dev/stdout
debug_log_path=/dev/stdout
auth_debug=yes
!include_try /etc/dovecot/conf.d/*.conf

My keycloak:

When I try to connect with thunderbird

I got no logs in dovecot.

Is someone can help me to configure it ?