dovecot oauth

la.jolie@paquerette la.jolie at paquerette.org
Tue Oct 26 16:04:03 EEST 2021 

Hello,

I upgraded my servers from Debian Buster (v10) to Bullseye (v11).
Before the upgrade, I had Roundcube / Dovecot working with LemonLdap
(via OAuth).

After the upgrade, i can't connect to Roundcube anymore.

- roundcube (v1.5-rc) stayed the same
- Dovecot upgraded from v1:2.3.4.1-5+deb10u6 to v1:2.3.13+dfsg1-2

I already discussed on the LemonLdap mailing list and the analysis was:
"Seems like your app is not sending client_id and client_secret
correctly then
It can do that either as POST parameters or in the Authorization header"

I downgraded Dovecot to Buster version (v1:2.3.4.1-5+deb10u6) and
Roundcube / Dovecot are working again.

What could have change between these 2 versions to have that error?

My dovecot Oauth config:
----
debug =  yes

## url for verifying token validity. Token is appended to the URL
tokeninfo_url = https://auth.mydomain.name/oauth2/userinfo?access_token=

## introspection endpoint, used to gather extra fields and other
information.
introspection_url = https://auth.mydomain.name/oauth2/introspect

## How introspection is made, valid values are
##   auth = GET request with Bearer authentication
##   get  = GET request with token appended to URL
##   post = POST request with token=bearer_token as content
introspection_mode = post

## TLS settings
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

## username attribute in response (default: email)
username_attribute = email
----

The error I found in the logs:
----
==> nginx/portal.log <==
11.22.33.44 - - [25/Oct/2021:16:31:59 +0200] "POST /oauth2/introspect
HTTP/1.1" 401 355 "-" "dovecot-oauth2-passdb/2.3.13" -

==> error <==
Oct 25 16:31:59 XXX LLNG[413575]: [error] No authentication provided to
get token, or authentication type not supported

==> mail.log <==
Oct 25 16:31:59 XXX dovecot[1390]: auth: Debug: http-client: conn
11.22.33.44:443 [12]: Got 401 response for request [Req72: POST
https://auth.mydomain.name/oauth2/introspect]: Unauthorized (took 705 ms
+ 0 ms in queue)
Oct 25 16:31:59 XXX dovecot[1390]: auth: Error:
oauth2(yyyyy at mydomain.name,127.0.0.1,<bTQoOS7PRLV/AAAB>): oauth2 failed:
Object doesn't begin with '{'
----

Thanks,
Kenny

More information about the dovecot mailing list