Roundcube JWT SSO always returns “Invalid JWT signature” (Laravel integration)

robert_2026

Hi,

I am trying to integrate Laravel → Roundcube SSO using JWT in Mailcow, but I’m stuck with “Invalid JWT signature” errors.

I’d appreciate any guidance.

My Setup

Mailcow with Roundcube (Docker)
Roundcube version: 1.6.12
Backend App: Laravel (PHP 8.2)
JWT Library: firebase/php-jwt

SSO Method: ?_action=sso&jwt=TOKEN

What I Have Done So Far

Enabled JWT SSO in Roundcube

In /var/www/html/config/custom.inc.php:

$config['jwt_sso_key'] = 'MY_SECRET_KEY';
$config['jwt_sso_algorithm'] = 'HS256';
$config['jwt_sso_username_claim'] = 'sub';
$config['jwt_sso_auto_login'] = true;
$config['jwt_sso_debug'] = true;
$config['jwt_sso_issuer'] = 'https://mydomain.com';
$config['jwt_sso_audience'] = 'roundcube';

Verified inside container:

docker exec -it roundcube php -r "
include '/var/www/html/config/custom.inc.php';
var_dump(\$config['jwt_sso_key']);
"

Key is loaded correctly.

2️⃣ Laravel Environment

In .env:

JWT_SSO_KEY=MY_SECRET_KEY

Checked with:

env('JWT_SSO_KEY');

Laravel reads the same key.

JWT Generation in Laravel

Test file (jwt_test.php):

<?php

require __DIR__.'/vendor/autoload.php';

use Firebase\JWT\JWT;

$key = env('JWT_SSO_KEY');

$payload = [
    'iss' => 'https://mydomain.com',
    'aud' => 'roundcube',
    'sub' => 'user@mydomain.com',
    'iat' => time(),
    'nbf' => time() - 10,
    'exp' => time() + 300,
];

echo JWT::encode($payload, $key, 'HS256');

This generates a valid JWT.

** SSO Login URL**

I open in browser:

https://webmail.mydomain.com/?_action=sso&jwt=GENERATED_TOKEN

❌ Current Problem

jwt-sso: SSO ERROR: Invalid JWT signature

Sometimes also:

jwt-sso: SSO ERROR: Error while decoding from Base64Url

✅ What I Have Verified

Same secret key in Laravel and Roundcube
Algorithm: HS256
Token is not expired
Correct iss, aud, sub
URL-encoded correctly
Fresh token every time
Restarted Roundcube container after config change
But still getting Invalid JWT signature.

My Questions

Does Mailcow expect the jwt_sso_key to be raw/base64/hex decoded instead of plain string?

Is there any special key format required?

Is aud mandatory in Mailcow JWT SSO?

Are there any known issues with Laravel + firebase/php-jwt?

Is there any way to debug the signature validation deeper?

ETNyx

Seems to be AI written, was not smart enough too help you?

I’m not an expert, but you have Lavarel as a Identity provider this way, even if you are able to validate JWT token how does Roundcube read your mails when it does not have IMAP credentials for MC?

I think you should use MC as identity provider, there is “OAuth2 Apps” that should work, if you log in there you should have session for RC and MC.

Edit: or same external identity provider for MC, to get it all stich