oauth2

Vincent Brillault vincent.brillault at cern.ch
Thu Jun 24 16:21:01 EEST 2021


Hi Andrea,
> Do you know if the same applies also to other clients like Apple Mail
> and Outlook 20xx?

Sorry, I have not looked into it so I can't answer this. What I don't
understand really in the way OAUTHBEARER or XOAUTH2 works with IMAP is
how the client is supposed to know where to obtain a token from (or does
it need to be explicitly configured?)...
> PS: Can you share your /etc/dovecot/dovecot-oauth2.conf.ext

Sure (some values have been replaced by capital letters). I'm doing it
quite differently from you, using local introspection:
```
introspection_mode = local
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
issuers = https://XXXX/auth/realms/ZZZ
scope = email
username_attribute = AAAA
username_format = %n
# Hack to forcefully validate the aud
active_attribute = aud
active_value = YYYYY
```

And then I have to populate `/etc/dovecot/keys` as per
https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-validation

To debug the authentication/setup, here is what I did:
- Obtain a token from our local keycloak:
```
# Resource-owner-password grant against the Keycloak realm, then wrap the
# access token in the OAUTHBEARER initial client response (RFC 7628) and
# base64-encode it. $username, $password and $secret_key are set beforehand.
# The username is passed to jq with --arg so it is expanded by the shell;
# inside the single-quoted jq program "${username}" would be sent literally.
curl --location --request POST \
  'https://XXXX/auth/realms/ZZZ/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=YYYYY' \
  --data-urlencode "username=${username}" \
  --data-urlencode "password=${password}" \
  --data-urlencode "client_secret=${secret_key}" |
  jq -r --arg u "${username}" \
    '"n,a=\($u),\u0001host=XXXX\u0001port=993\u0001auth=Bearer \(.access_token)\u0001\u0001" | @base64'
```
- Pass that token to IMAP through `a1 authenticate oauthbearer ....`

I hope this can help,
Cheers,
Vincent
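The OAUTHBEARER initial client response that the jq pipeline in the message produces, as an added Python example (not Vincent's code and not Dovecot's): it assembles the RFC 7628 layout, base64-encodes it, and parses it back with the structural checks a server should perform before it introspects the token. The username, host and token values are constructed placeholders; the rejection of unescaped `,` and `=` in the username is a check the one-liner itself does not make.

```python
import base64

# RFC 7628 separates the key/value pairs of the OAUTHBEARER initial client
# response with the control character 0x01 (the \u0001 in the jq pipeline).
SEP = "\x01"


def build_oauthbearer_initial_response(username, host, port, access_token):
    """Return the base64-encoded OAUTHBEARER initial client response.

    Layout (RFC 7628 section 3.1):
      gs2-header  = "n," [ "a=" authzid ] ","
      kvsep       = 0x01
      client-resp = gs2-header kvsep *(key "=" value kvsep) kvsep
    """
    # GS2 requires "," and "=" inside the authzid to be escaped as "=2C" and
    # "=3D"; the jq one-liner does not do that, so refuse such names rather
    # than emit a response the server would parse differently.
    if "," in username or "=" in username or SEP in username:
        raise ValueError("username needs GS2 escaping; refusing to build an ambiguous response")
    if SEP in access_token or " " in access_token:
        raise ValueError("access token contains characters not allowed in a bearer token")
    raw = (
        f"n,a={username},{SEP}"
        f"host={host}{SEP}"
        f"port={int(port)}{SEP}"
        f"auth=Bearer {access_token}{SEP}{SEP}"
    )
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def parse_oauthbearer_initial_response(b64):
    """Decode a base64 initial client response and check its structure.

    Returns a dict with the authorization identity under "authzid" and the
    key/value pairs (host, port, auth) as sent. Raises ValueError on any
    deviation from the RFC 7628 layout.
    """
    raw = base64.b64decode(b64, validate=True).decode("utf-8")
    if not raw.startswith("n,"):
        raise ValueError("only the 'n' (no channel binding) GS2 flag is valid for OAUTHBEARER")
    authz_field, comma, rest = raw[2:].partition(",")
    if not comma or not rest.startswith(SEP):
        raise ValueError("malformed GS2 header")
    if authz_field and not authz_field.startswith("a="):
        raise ValueError("unexpected GS2 header field")
    authzid = authz_field[2:] if authz_field else None
    rest = rest[1:]  # drop the separator that follows the GS2 header
    if not rest.endswith(SEP + SEP):
        raise ValueError("missing terminating double separator")
    attrs = {}
    for pair in rest[:-2].split(SEP):
        key, eq, value = pair.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed key/value pair: {pair!r}")
        attrs[key] = value
    if not attrs.get("auth", "").startswith("Bearer "):
        raise ValueError("auth key must carry a Bearer token")
    return {"authzid": authzid, **attrs}


def bearer_token_from_response(b64):
    """Extract just the access token, as a server does before introspecting it."""
    return parse_oauthbearer_initial_response(b64)["auth"][len("Bearer "):]


def is_valid_initial_response(b64):
    """Boolean wrapper around the structural check (binascii.Error is a ValueError)."""
    try:
        parse_oauthbearer_initial_response(b64)
        return True
    except (ValueError, UnicodeDecodeError):
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the e-mail or any real deployment.
    resp = build_oauthbearer_initial_response(
        "alice", "imap.example.test", 993, "eyJ.constructed.token"
    )
    print(resp)
    print(parse_oauthbearer_initial_response(resp))
```

The parser deliberately fails closed: a response that is not terminated by the double separator, or whose `auth` value is not a `Bearer` token, is rejected before any introspection happens, which mirrors where a server-side implementation should stop.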
