Reminder Re: Dovecot Gmail OAuth2.0 Setting Question

福田泰葵 taiki.fukuda at justsystems.com
Mon Feb 1 13:09:50 EET 2021


Dear Mr. Tuomi

I created a gmail service account.
and I have implemented the process of getting an access token using a gmail
service account.

https://developers.google.com/identity/protocols/oauth2/service-account

I think I then need to set the grant_url to a URL that returns an access
token and send that access token to the introspection_url, is that correct?

Best regards,
---------------------------------------------------------------------------------------------------------------------------------
Sumitomo Fudosan Shinjuku Oak Tower, 6-8-1 Nishi-Shinjuku, Shinjuku-ku, Tokyo 163-6017
JustSystems Corporation, Technology Planning Office, Information Systems Group, Taiki Fukuda (福田泰葵)
e-mail: taiki.fukuda at justsystems.com
Extension: 5158
TEL: 03-5324-7900
mobile: 080-6198-7328
---------------------------------------------------------------------------------------------------------------------------------


Fri, 29 Jan 2021 17:58 Odhiambo Washington <odhiambo at gmail.com>:

> You broke this thread. In the original thread, I remember seeing Aki gave
> you the configuration which he believed might work.
> The next thing I thought was for you to go to
> https://developers.google.com/identity/sign-in/web/devconsole-project and
> get an access token.
>
> PS: I have never configured this kind of thing so I was only following the
> thread to try and understand what it entails.
>
>
> On Fri, 29 Jan 2021 at 04:00, 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
>
>> Google is responding to me as Unauthorized.
>> So I need to send my credentials such as access token in the request
>> parameter for authentication in google’s Get User API request.
>> But I don’t know how to configure dovecot to achieve that.
>> Could you please help me with this?
>>
>> Best regards,
>>
>>
>>
>> Fri, 29 Jan 2021 3:30 Odhiambo Washington <odhiambo at gmail.com>:
>>
>>> Your clue is in the log:
>>>
>>> 1611654464.207331 "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
>>> 1611654464.207331 "status": "UNAUTHENTICATED"
>>> 1611654464.207331 }
>>>
>>>
>>>
>>> On Thu, 28 Jan 2021 at 09:25, 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
>>>
>>>> Dear Mr. Tuomi
>>>>
>>>> Do you have any idea how to solve this problem?
>>>>
>>>> Best regards,
>>>>
>>>>
>>>>
>>>> Tue, 26 Jan 2021 18:51 福田泰葵 <taiki.fukuda at justsystems.com>:
>>>>
>>>>> Dear Mr. Tuomi
>>>>>
>>>>> Thank you for the instruction.
>>>>> I was able to output rawlogs.
>>>>> The following is the result.
>>>>>
>>>>> 20210126-184744.22221.1.in:
>>>>>
>>>>> 1611654464.207331 HTTP/1.1 401 Unauthorized
>>>>> 1611654464.207331 Cache-Control: no-cache, no-store, max-age=0, must-revalidate
>>>>> 1611654464.207331 Pragma: no-cache
>>>>> 1611654464.207331 Expires: Mon, 01 Jan 1990 00:00:00 GMT
>>>>> 1611654464.207331 Date: Tue, 26 Jan 2021 09:47:44 GMT
>>>>> 1611654464.207331 Vary: X-Origin
>>>>> 1611654464.207331 Vary: Referer
>>>>> 1611654464.207331 Content-Type: application/json; charset=UTF-8
>>>>> 1611654464.207331 Server: ESF
>>>>> 1611654464.207331 X-XSS-Protection: 0
>>>>> 1611654464.207331 X-Frame-Options: SAMEORIGIN
>>>>> 1611654464.207331 X-Content-Type-Options: nosniff
>>>>> 1611654464.207331 Alt-Svc: h3-29=":443"; ma=2592000,h3-T051=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
>>>>> 1611654464.207331 Accept-Ranges: none
>>>>> 1611654464.207331 Vary: Origin,Accept-Encoding
>>>>> 1611654464.207331 Transfer-Encoding: chunked
>>>>> 1611654464.207331
>>>>> 1611654464.207331 130
>>>>> 1611654464.207331 {
>>>>> 1611654464.207331   "error": {
>>>>> 1611654464.207331     "code": 401,
>>>>> 1611654464.207331     "message": "Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.",
>>>>> 1611654464.207331     "status": "UNAUTHENTICATED"
>>>>> 1611654464.207331   }
>>>>> 1611654464.207331 }
>>>>> 1611654464.207331
>>>>> 1611654464.207737 0
>>>>> 1611654464.207737
>>>>>
>>>>> 20210126-184744.22221.1.out:
>>>>>
>>>>> 1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
>>>>> 1611654464.165704 Host: www.googleapis.com
>>>>> 1611654464.165704 Date: Tue, 26 Jan 2021 09:47:44 GMT
>>>>> 1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
>>>>> 1611654464.165704 Connection: Keep-Alive
>>>>> 1611654464.165727 Authorization: Bearer ??????
>>>>> 1611654464.165730
>>>>>
>>>>> Best regards,
>>>>>
>>>>> Tue, 26 Jan 2021 18:35 Aki Tuomi <aki.tuomi at open-xchange.com>:
>>>>>
>>>>>> No, the directory must exist. I'm sorry I wasn't clear enough when I
>>>>>> replied last time, but dovecot will not create the directory. You need to
>>>>>> create it and make it writable.
>>>>>>
>>>>>> Aki
>>>>>>
>>>>>> > On 26/01/2021 11:09 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
>>>>>> >
>>>>>> >
>>>>>> > Dear Mr. Tuomi
>>>>>> >
>>>>>> > Sorry, I have added the setting PrivateTmp=no to
>>>>>> /etc/systemd/system/dovecot.service.d/override.conf
>>>>>> > However, /tmp/oauth2 was not created.
>>>>>> >
>>>>>> > Best regards,
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> >
>>>>>> > Tue, 26 Jan 2021 18:01 Aki Tuomi <aki.tuomi at open-xchange.com>:
>>>>>> > > That is because you are using systemd, where the unit file, by
>>>>>> default, has PrivateTmp=yes.
>>>>>> > >
>>>>>> > >  You can look under /tmp for the dovecot private tmp directory and
>>>>>> create the directory there, or you can temporarily disable this security
>>>>>> measure.
>>>>>> > >
>>>>>> > >  systemctl edit dovecot
>>>>>> > >
>>>>>> > >  [Service]
>>>>>> > >  PrivateTmp=no
>>>>>> > >
>>>>>> > >  systemctl daemon-reload
>>>>>> > >  systemctl restart dovecot
>>>>>> > >
>>>>>> > >  Aki
>>>>>> > >
>>>>>> > >  > On 26/01/2021 10:57 福田泰葵 <taiki.fukuda at justsystems.com> wrote:
>>>>>> > >  >
>>>>>> > >  >
>>>>>> > >  > Dear Mr. Tuomi
>>>>>> > >  >
>>>>>> > >  > I have added the setting rawlog_dir = /tmp/oauth2 to
>>>>>> /etc/dovecot/dovecot-oauth2.conf.ext
>>>>>> > >  > However, /tmp/oauth2 was not created.
>>>>>> > >  >
>>>>>> > >  > Best regards,
>>>>>> > >  >
>>>>>> > >  >
>>>>>> > >  >
>>>>>> > >  >
>>>>>> > >  >
>>>>>> > >  >
>>>>>> > >  > Tue, 26 Jan 2021 15:45 Aki Tuomi <aki.tuomi at open-xchange.com>:
>>>>>> > >  > > Yes, however I still cannot see rawlogs.
>>>>>> > >  > >
>>>>>> > >  > > Aki
>>>>>> > >  > >
>>>>>> > >  > > > On 25/01/2021 10:25 福田泰葵 <taiki.fukuda at justsystems.com>
>>>>>> wrote:
>>>>>> > >  > > >
>>>>>> > >  > > >
>>>>>> > >  > > > Yes. In my last email, I sent you the log of the result of
>>>>>> running with oauth debug logging enabled.
>>>>>> > >  > > > /etc/dovecot/conf.d/10-logging.conf:
>>>>>> > >  > > > ##
>>>>>> > >  > > > ## Logging verbosity and debugging.
>>>>>> > >  > > > ##
>>>>>> > >  > > >
>>>>>> > >  > > > # Log filter is a space-separated list conditions. If any
>>>>>> of the conditions
>>>>>> > >  > > > # match, the log filter matches (i.e. they're ORed
>>>>>> together). Parenthesis
>>>>>> > >  > > > # are supported if multiple conditions need to be matched
>>>>>> together.
>>>>>> > >  > > > # Supported conditions are:
>>>>>> > >  > > > # event:<name wildcard> - Match event name. '*' and '?'
>>>>>> wildcards supported.
>>>>>> > >  > > > # source:<filename>[:<line number>] - Match source code
>>>>>> filename [and line]
>>>>>> > >  > > > # field:<key>=<value wildcard> - Match field key to a
>>>>>> value. Can be specified
>>>>>> > >  > > > # multiple times to match multiple keys.
>>>>>> > >  > > > # cat[egory]:<value> - Match a category. Can be specified
>>>>>> multiple times to
>>>>>> > >  > > > # match multiple categories.
>>>>>> > >  > > > # For example: event:http_request_* (cat:error cat:storage)
>>>>>> > >  > > >
>>>>>> > >  > > > # Filter to specify what debug logging to enable. This
>>>>>> will eventually replace
>>>>>> > >  > > > # mail_debug and auth_debug settings.
>>>>>> > >  > > > log_debug=category=oauth2
>>>>>> > >  > > >
>>>>>> > >  > > >
>>>>>> > >  > > >
>>>>>> > >  > > > Mon, 25 Jan 2021 17:24 福田泰葵 <taiki.fukuda at justsystems.com>:
>>>>>> > >  > > > > Yes. In my last email, I sent you the log of the result
>>>>>> of running with oauth debug logging enabled.
>>>>>> > >  > > > >
>>>>>> > >  > > > > /etc/dovecot/conf.d/10-logging.conf:
>>>>>> > >  > > > >
>>>>>> > >  > > > > ```
>>>>>> > >  > > > > ```
>>>>>> > >  > > > >
>>>>>> > >  > > > >
>>>>>> > >  > > > >
>>>>>> > >  > > > >
>>>>>> > >  > > > >
>>>>>> > >  > > > >
>>>>>> > >  > > > >
>>>>>> > >  > > > > Mon, 25 Jan 2021 17:16 Aki Tuomi <
>>>>>> aki.tuomi at open-xchange.com>:
>>>>>> > >  > > > > >
>>>>>> > >  > > > > > > On 25/01/2021 10:12 福田泰葵 <
>>>>>> taiki.fukuda at justsystems.com> wrote:
>>>>>> > >  > > > > > >
>>>>>> > >  > > > > > >
>>>>>> > >  > > > > > > Dear Mr. Tuomi
>>>>>> > >  > > > > > > Google is responding to me as Unauthorized.
>>>>>> > >  > > > > > > So I need to send my credentials such as access
>>>>>> token in the request parameter for authentication in google’s Get User API
>>>>>> request.
>>>>>> > >  > > > > > > But I don’t know how to configure dovecot to achieve
>>>>>> that.
>>>>>> > >  > > > > > > Could you please help me with this?
>>>>>> > >  > > > > > > Best regards,
>>>>>> > >  > > > > > >
>>>>>> > >  > > > > >
>>>>>> > >  > > > > >
>>>>>> > >  > > > > > Did you try the debugging things I mentioned? Your
>>>>>> logs do not indicate that you did.
>>>>>> > >  > > > > >
>>>>>> > >  > > > > > So,
>>>>>> > >  > > > > >
>>>>>> > >  > > > > > - Try turning on rawlogs for the oauth2 requests and
>>>>>> see what google is sending you?
>>>>>> > >  > > > > > - You can also try log_debug=category=oauth2 (2.3.13)
>>>>>> to get more debug logs from oauth2.
>>>>>> > >  > > > > >
>>>>>> > >  > > > > > Aki
>>>>>> > >  > > > > >
>>>>>> > >  > >
>>>>>> > >
>>>>>>
>>>>>
>>>
>>> --
>>> Best regards,
>>> Odhiambo WASHINGTON,
>>> Nairobi,KE
>>> +254 7 3200 0004/+254 7 2274 3223
>>> "Oh, the cruft.", grep ^[^#] :-)
>>>
>>
>
>
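The rawlog pair quoted deeper in this thread (a GET to /oauth2/v2/userinfo carrying a Bearer header, answered by a 401 with a JSON error body) is the artifact Aki asked for, and it is also the kind of file that ends up pasted into a public list. As an added example that is not part of this thread and not Dovecot's own code, the following Python script parses that rawlog format: it strips the per-line timestamps, splits request and response into first line, headers and body, reports whether a bearer token was actually sent, extracts the HTTP status and Google's JSON error status, and redacts the token value so the files can be shared without leaking a live credential. The sample .out/.in contents are constructed to match the shape of the log in the thread (the token value is made up), and the chunked-body handling is deliberately lenient because the rawlog re-lines the body with timestamps, so byte-exact chunk decoding is not possible.

```python
"""Summarize and redact Dovecot oauth2 rawlog files (<stem>.out = request sent,
<stem>.in = response received). Added example, not part of Dovecot."""
import json
import re

# Every rawlog line starts with "<epoch>.<usec> "; strip that prefix.
TS_PREFIX = re.compile(r"^\d+\.\d+ ?")
# Authorization header with a bearer token value (value is group 2).
BEARER = re.compile(r"(Authorization:\s*Bearer\s+)(\S+)", re.IGNORECASE)
# A chunked-encoding size line ("130", "0", optionally with extensions).
CHUNK_SIZE_LINE = re.compile(r"^[0-9a-fA-F]+(;.*)?$")

# Constructed sample request (.out). Token value is made up, not a real credential.
SAMPLE_OUT = """1611654464.165704 GET /oauth2/v2/userinfo HTTP/1.1
1611654464.165704 Host: www.googleapis.com
1611654464.165704 User-Agent: dovecot-oauth2-passdb/2.3.13
1611654464.165727 Authorization: Bearer ya29.EXAMPLE-TOKEN-VALUE
1611654464.165730
"""

# Constructed sample response (.in), shaped like the 401 shown in the thread.
SAMPLE_IN = """1611654464.207331 HTTP/1.1 401 Unauthorized
1611654464.207331 Content-Type: application/json; charset=UTF-8
1611654464.207331 Transfer-Encoding: chunked
1611654464.207331
1611654464.207331 130
1611654464.207331 {
1611654464.207331   "error": {
1611654464.207331     "code": 401,
1611654464.207331     "message": "Request is missing required authentication credential.",
1611654464.207331     "status": "UNAUTHENTICATED"
1611654464.207331   }
1611654464.207331 }
1611654464.207331
1611654464.207737 0
1611654464.207737
"""


def strip_timestamps(text: str) -> list:
    """Remove the per-line timestamp Dovecot prepends in rawlog files."""
    return [TS_PREFIX.sub("", line).rstrip("\r") for line in text.splitlines()]


def parse_http_message(text: str) -> dict:
    """Split a rawlogged HTTP message into first line, headers and body text."""
    lines = strip_timestamps(text)
    first = lines[0] if lines else ""
    headers = []
    i = 1
    while i < len(lines) and lines[i] != "":
        name, _, value = lines[i].partition(":")
        headers.append((name.strip().lower(), value.strip()))
        i += 1
    body_lines = lines[i + 1:]
    chunked = any(n == "transfer-encoding" and "chunked" in v.lower() for n, v in headers)
    if chunked:
        # Lenient: drop chunk-size lines and the empty separator lines.
        # (A JSON body line that is only hex digits would also be dropped.)
        body_lines = [l for l in body_lines if l != "" and not CHUNK_SIZE_LINE.match(l)]
    return {"first_line": first, "headers": headers, "body": "\n".join(body_lines).strip()}


def get_header(headers: list, name: str):
    """Return the first value of a (lower-cased) header name, or None."""
    for n, v in headers:
        if n == name:
            return v
    return None


def summarize_exchange(out_text: str, in_text: str) -> dict:
    """The facts a troubleshooter wants from one request/response pair."""
    req = parse_http_message(out_text)
    resp = parse_http_message(in_text)
    scheme, _, token = (get_header(req["headers"], "authorization") or "").partition(" ")
    parts = resp["first_line"].split()
    status_code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    error_status = error_message = None
    if "json" in (get_header(resp["headers"], "content-type") or "") and resp["body"]:
        try:
            err = json.loads(resp["body"]).get("error", {})
            error_status, error_message = err.get("status"), err.get("message")
        except json.JSONDecodeError:
            pass  # body was not valid JSON; leave the error fields empty
    return {
        "request_line": req["first_line"],
        "auth_scheme": scheme or None,
        "bearer_present": scheme.lower() == "bearer" and bool(token),
        "status_code": status_code,
        "error_status": error_status,
        "error_message": error_message,
    }


def redact_tokens(text: str) -> str:
    """Replace bearer token values so a rawlog can be shared without leaking a credential."""
    return BEARER.sub(r"\1[REDACTED]", text)


def summarize_rawlog_pair(path_stem: str) -> dict:
    """Read <stem>.out and <stem>.in from a rawlog_dir and summarize them."""
    with open(path_stem + ".out", encoding="utf-8", errors="replace") as f:
        out_text = f.read()
    with open(path_stem + ".in", encoding="utf-8", errors="replace") as f:
        in_text = f.read()
    return summarize_exchange(out_text, in_text)


if __name__ == "__main__":
    print(json.dumps(summarize_exchange(SAMPLE_OUT, SAMPLE_IN), indent=2))
    print(redact_tokens(SAMPLE_OUT))
```

Run against a real pair with `summarize_rawlog_pair("/tmp/oauth2/20210126-184744.22221.1")`; the summary distinguishes "no Authorization header was sent at all" from "a token was sent and the provider rejected it", which is the first fork in diagnosing a 401 like the one above, and `redact_tokens` should be applied to both files before they leave the machine.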

