dovecot oauth

la.jolie@paquerette la.jolie at
Tue Oct 26 16:04:03 EEST 2021


I upgraded my servers from Debian Buster (v10) to Bullseye (v11).
Before the upgrade, I had Roundcube / Dovecot working with LemonLdap
(via OAuth).

After the upgrade, I can't connect to Roundcube anymore.

- roundcube (v1.5-rc) stayed the same
- Dovecot upgraded from v1: to v1:2.3.13+dfsg1-2

I already discussed on the LemonLdap mailing list and the analysis was:
"Seems like your app is not sending client_id and client_secret
correctly then
It can do that either as POST parameters or in the Authorization header"

I downgraded Dovecot to Buster version (v1: and
Roundcube / Dovecot are working again.

What could have changed between these 2 versions to have that error?

My dovecot Oauth config:
debug =  yes

## url for verifying token validity. Token is appended to the URL
tokeninfo_url =

## introspection endpoint, used to gather extra fields and other
introspection_url =

## How introspection is made, valid values are
##   auth = GET request with Bearer authentication
##   get  = GET request with token appended to URL
##   post = POST request with token=bearer_token as content
introspection_mode = post

## TLS settings
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

## username attribute in response (default: email)
username_attribute = email

The error I found in the logs:
==> nginx/portal.log <==
- - [25/Oct/2021:16:31:59 +0200] "POST /oauth2/introspect HTTP/1.1" 401 355 "-" "dovecot-oauth2-passdb/2.3.13" -

==> error <==
Oct 25 16:31:59 XXX LLNG[413575]: [error] No authentication provided to get token, or authentication type not supported

==> mail.log <==
Oct 25 16:31:59 XXX dovecot[1390]: auth: Debug: http-client: conn [12]: Got 401 response for request [Req72: POST]: Unauthorized (took 705 ms + 0 ms in queue)
Oct 25 16:31:59 XXX dovecot[1390]: auth: Error: oauth2(yyyyy at,,<bTQoOS7PRLV/AAAB>): oauth2 failed: Object doesn't begin with '{'
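
The two client-authentication forms named in the LemonLdap analysis quoted above, as an added example that is not part of the original post and is not Dovecot's or LemonLdap's code: it builds a token introspection POST (RFC 7662) with the client credentials either in an HTTP Basic Authorization header or as client_id/client_secret form fields, and classifies a captured request by which form it carries. The function names, the token and the client credentials are constructed for illustration.

```python
import base64
from urllib.parse import parse_qs, quote, urlencode


def build_introspection_request(token, client_id, client_secret, style):
    """Return (headers, body) for a token introspection POST (RFC 7662).

    style: "basic" = credentials in the Authorization header,
           "post"  = credentials as form fields next to the token,
           "none"  = token only, i.e. no client authentication at all.
    """
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    form = {"token": token}
    if style == "basic":
        # RFC 6749 section 2.3.1: percent-encode id and secret, then base64.
        pair = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    elif style == "post":
        form.update(client_id=client_id, client_secret=client_secret)
    elif style != "none":
        raise ValueError(f"unknown style: {style}")
    return headers, urlencode(form)


def client_auth_method(headers, body):
    """Classify how a captured introspection request authenticates the client."""
    lowered = {name.lower(): value for name, value in headers.items()}
    scheme, _, value = lowered.get("authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            decoded = base64.b64decode(value, validate=True).decode()
        except ValueError:  # covers bad base64 and bad UTF-8
            return "malformed-basic"
        client_id, sep, secret = decoded.partition(":")
        return "basic" if sep and client_id and secret else "malformed-basic"
    form = parse_qs(body)
    if form.get("client_id") and form.get("client_secret"):
        return "post"
    return "none"


if __name__ == "__main__":
    # Constructed sample values, not taken from the post.
    for style in ("none", "basic", "post"):
        hdrs, body = build_introspection_request("sample-token", "dovecot", "s3cr3t:x", style)
        print(style, "->", client_auth_method(hdrs, body), "|", body)
```

A request classified as "none" is the case the LLNG error line above describes: no client authentication reached the introspection endpoint.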


