CalDAV/CardDAV with Radicale and Authelia OIDC - App Password Authentication Not Working

[koenraijer]

Environment

• OpenCloud Version: opencloudeu/opencloud:latest
• Deployment: Docker Compose with external reverse proxy (Traefik)
• OIDC Provider: Authelia v4.39.14
• CalDAV Server: Radicale (via radicale/radicale.yml)
• Issue: CalDAV clients cannot authenticate using OpenCloud app passwords

Problem Summary

I have OpenCloud successfully configured with Authelia as an external OIDC provider. Web UI authentication works perfectly, users are auto-provisioned, and I can create app passwords in Settings → Security. However, when CalDAV clients attempt to authenticate using these app passwords, Radicale logs show all requests are received as anonymous:

Access to '/caldav/' denied for anonymous user

Current Configuration

Environment Variables (.env)

# OIDC Configuration
OC_EXCLUDE_RUN_SERVICES=idp
OCIS_OIDC_ISSUER=https://auth.koenraijer.com
PROXY_OIDC_ISSUER=https://auth.koenraijer.com
WEB_OIDC_CLIENT_ID=web
PROXY_OIDC_CLIENT_ID=web

# Token & User Mapping
PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none
PROXY_OIDC_REWRITE_WELLKNOWN=true
PROXY_USER_OIDC_CLAIM=preferred_username
PROXY_USER_CS3_CLAIM=username

# Auto-provisioning & Roles
PROXY_AUTOPROVISION_ACCOUNTS=true
GRAPH_ASSIGN_DEFAULT_USER_ROLE=true
GRAPH_USERNAME_MATCH=none
PROXY_ROLE_ASSIGNMENT_DRIVER=oidc
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM=groups

# Radicale proxy config
PROXY_CSP_CONFIG_FILE_LOCATION=/etc/opencloud/csp.yaml

proxy.yaml

role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: groups
    role_mapping:
      - role_name: admin
        claim_value: admins
      - role_name: user
        claim_value: users

additional_policies:
  - name: default
    routes:
      - endpoint: /caldav/
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        unprotected: false
        additional_headers:
          - X-Script-Name: /caldav
      - endpoint: /.well-known/caldav
        backend: http://radicale:5232
        remote_user_header: X-Remote-User
        unprotected: false
        additional_headers:
          - X-Script-Name: /caldav
      # ... similar config for carddav

Authelia Client Configuration

clients:
  - client_id: 'web'
    client_name: 'OpenCloud Web'
    public: true
    authorization_policy: 'two_factor'
    require_pkce: true
    pkce_challenge_method: 'S256'
    scopes:
      - 'openid'
      - 'profile'
      - 'email'
      - 'groups'
      - 'offline_access'
    # ... standard configuration

Radicale logs show:

[INFO] PROPFIND request for '/caldav/' received from 172.18.0.16
[INFO] Access to '/caldav/' denied for anonymous user
[INFO] PROPFIND response status for '/caldav/' in 0.000 seconds: 403 Forbidden

How should proxy.yaml routes be configured to authenticate app passwords and set the X-Remote-User header for Radicale?

The current configuration tells OpenCloud:

• Where to forward requests (backend: http://radicale:5232)
• What header to use (remote_user_header: X-Remote-User)
• Whether to require authentication (unprotected: false)

But it doesn’t seem to:

• Validate the Basic Auth credentials against OpenCloud’s IDM
• Extract the username from the authenticated session
• Set the X-Remote-User header before forwarding to Radicale

Additional Context

I’ve reviewed multiple discussions (#587, #854, #1830) about Authelia/OIDC integration, but none specifically address CalDAV/CardDAV working with app passwords. Most examples show web UI authentication working, but don’t demonstrate CalDAV clients successfully connecting.

Is there:

1. A missing configuration parameter in proxy.yaml for Basic Auth validation?
2. An additional service or middleware needed to handle app password authentication for DAV routes?
3. A different approach required for CalDAV/CardDAV authentication when using external OIDC?

Any guidance would be greatly appreciated!

[micbar]

How do you configure the caldav client?
Did you check https://docs.opencloud.eu/docs/user/admin/app-tokens ?

[micbar]

Bottom line: That should work, your server config looks good.
You need to use the correct username from the user preferences as user and the app token as password for the WebDAV Client basic auth.

[koenraijer]

I am using my username combined with the app token and its giving me that error...

[micbar]

How is proxy.yaml mounted inside the opencloud container?