Hi,
I have a problem configuring a Dovecot passdb for OAuth2 with Keycloak. A user can access more than one mailbox; mailboxes are associated with the user.
When a user logs in with this method (the "mailbox*user" form, i.e. login user and master user separated by auth_master_user_separator):
OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready. a login mailbox*user password
When Dovecot calls the grant_url it sends Keycloak, for example, this POST (I have already enabled rawlog_dir for analysis; note that the raw log and the request below contain the client secret and the user's password in clear):
grant_type=password&username=domenico&password=test&client_id=imap-client&client_secret=99e26b26-0f2a-4b64-8f57-c0ca2147d3a0&scope=email
POST /auth/realms/example/protocol/openid-connect/token/introspect
The call passes only the master user to Keycloak and carries no mailbox information. In fact, the JSON response after login returns only the username, without the mailbox:
[...] "scope": "profile email", "email_verified": false, "preferred_username": "dome.nico" [...]
When the Dovecot proxy connects to the backend, the email attribute and the user have the same value, the master user. This is a problem because the backend then logs in as that user and not as the mailbox.
This is backend logging:
2020-02-13 19:34:13 auth: Debug: client passdb out: OK 1 user=domenico token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYVy1fSmNnVkF3aW9GUXh1NUhwdjVlbk5uNU8zaW42Y1VpaGJsM2dWX0V3In0.eyJqdGkiOiJhYTMwZ Dk0Yy0xNjE0LTQzN2QtOTA5Zi01ZTAwNGQ2YjNmZTIiLCJleHAiOjE1ODE2MTE5NTQsIm5iZiI6MCwiaWF0IjoxNTgxNjExNjU0LCJpc3MiOiJodHRwczovL2tleWNsb2FrLXBlYy1pYW0ucGVjLWFwcHMucGFyLXRlYy5pdC9hdXRoL3JlYWxtcy9wZWMiLCJhdWQiOiJhY2NvdW50Iiwi c3ViIjoiZjphNTA1NWUzMi1lYzhkLTRmZjgtOWZjNS00ODM4MmQ1MzRhODc6ZG9tZS5uaWNvIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaW1hcC1jbGllbnQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIyN2M0ZDMzYy01YjdlLTQzMWMtYjZmMi0yYmI4NjIzYzMyMjkiLCJ hY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2 ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImRvbWUubmljbyJ9.LlIx-QeRQPr3lK4Cs1vU0qMvHF3uq3h15BGi1atNCBASkM6oPoYWLV-sYdf8hzpRFyOaTcbxN53SN6LfD0hHvUZ2sKHxh7UJ idmxS4hf1SsZq8wJTASpebcPLtBIX5JBvXmpxa-cVnZDE1JVw5np5-LLNs0j4sgHwgg85mJEoE2VmYJzbGZjUsSTvaAAoCbvTA0MfsNoKyq0E5JrLVdkI-twX7HjAESFqFD4yHe7BS4FG_UjddrSr3uXmXreB44VLZ8B4xBgVRjK9K-sjjkXT8Bkv8WbxUdEEHaarWU_qanI5DlhA0CZXlJ CyDsNcRwQfwVHOESxXE7ehgIDPm-NjA
Is there a mechanism in Dovecot for adding other attributes to the request it sends to Keycloak? I would use it to get the email (the mailbox) or other fields into the token.
Thanks all, Domenico
——— Dovecot Frontend
# 2.3.9.2 (cf2918cac): /config/dovecot/dovecot-proxy/dovecot.conf
# OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)
# Hostname: fe-new.example.it
# --- Authentication logging -------------------------------------------------
# auth_debug_passwords and auth_verbose_passwords make the passwords clients
# present visible in the Dovecot log (log_path / info_log_path below).  They
# are investigation aids only: disable them again afterwards and treat
# /LOGS/imap/dovecot-proxy.log as sensitive while they are on.  The backend
# log quoted in this thread also shows a complete access token in a passdb
# reply, so the same applies to auth_debug on the backend.
auth_debug = yes
auth_debug_passwords = yes
# "*" splits a login of the form "mailbox*user": the part before it is the
# login user (the mailbox), the part after it is the master user that the
# master passdb below actually authenticates.
auth_master_user_separator = *
auth_verbose = yes
auth_verbose_passwords = yes
base_dir = /data/dovecot/var/run/dovecot-proxy
default_vsz_limit = 768 M
# Plaintext mechanisms (plain/login in the passdb below) are accepted on
# connections without TLS.  The plain imap/pop3 listeners are switched off
# (port = 0) so IMAP/POP3 only arrive over imaps/pop3s, but the sieve
# listener on 4190 has no "ssl = yes"; with this setting a PLAIN/LOGIN before
# STARTTLS is likely to be accepted there.  "yes" is the safer value.
disable_plaintext_auth = no
first_valid_gid = 101
first_valid_uid = 102
imap_id_send =
# MASTERPWD is imported from the environment into Dovecot processes.
# Presumably a master password; nothing in this dump references it — confirm
# it is still needed, and that the environment it comes from is protected.
import_environment = TZ MASTERPWD
info_log_path = /LOGS/imap/dovecot-proxy.log
instance_name = dovecot-proxy
listen = fe-new_imap
log_path = /LOGS/imap/dovecot-proxy.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = 101
# Mail settings below are inherited by every protocol section; on a proxy
# (proxy=y in the passdb) they are only used if a login is not proxied.
mail_location = maildir:%h/Maildir
mail_max_userip_connections = 50
mail_plugins = quota expire mail_log notify
mail_uid = 102
maildir_broken_filename_sizes = yes
mbox_write_locks = fcntl
# Single private namespace with an "INBOX." prefix and "." as the hierarchy
# separator.  "location =" is empty, so mail_location above applies.  The
# special_use flags advertise the standard folders to IMAP clients.
namespace inbox {
inbox = yes
location =
mailbox Drafts {
special_use = \Drafts
}
mailbox Junk {
special_use = \Junk
}
mailbox Sent {
special_use = \Sent
}
mailbox "Sent Messages" {
special_use = \Sent
}
mailbox Trash {
special_use = \Trash
}
prefix = INBOX.
separator = .
subscriptions = yes
type = private
}
# The only passdb in this dump.  master = yes means it authenticates the
# master user (the part after "*"), not the login user: the raw request
# quoted in this thread carries username=<master user> and nothing about the
# mailbox.  With mechanisms = plain/login the client's real password is
# received here and, via use_grant_password in the args file, forwarded to
# Keycloak in a password grant — so this proxy sees and logs (see the
# auth_*_passwords settings) every user's Keycloak password.
# No userdb appears in this dump; with proxy=y in the passdb result that is
# normal, the backend does the user lookup.
passdb {
args = /config/dovecot/dovecot-proxy/dovecot-oauth2.conf
driver = oauth2
master = yes
mechanisms = plain login
}
# mail_log plugin settings: which mailbox events are logged and which
# fields each log line carries.
plugin {
mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
mail_log_fields = uid box msgid size
}
postmaster_address = posta@foo.it
# Only imap and pop3 are enabled here; the lmtp and managesieve services
# configured below are not active unless they are added to this list.
protocols = imap pop3
# Connection/penalty tracker; sized for the login process limits below.
service anvil {
client_limit = 3000
}
# Auth service.  The auth-userdb socket is restricted to its owner
# (mode 0600); only the processes running as that owner can query it.
service auth {
client_limit = 4096
unix_listener auth-userdb {
mode = 0600
}
}
# IMAP: the plain listener is disabled (port = 0); clients must use
# implicit TLS on 993.
service imap-login {
inet_listener imap {
port = 0
}
inet_listener imaps {
port = 993
ssl = yes
}
process_limit = 2500
process_min_avail = 5
}
service imap {
drop_priv_before_exec = yes
process_limit = 2500
process_min_avail = 5
}
# LMTP on 24 has no TLS listener; nothing in this dump restricts who can
# reach it (and "lmtp" is not in protocols above).  If it is ever enabled,
# make sure only the MTA can connect.
service lmtp {
inet_listener lmtp {
port = 24
}
}
# ManageSieve on 4190 without "ssl = yes" relies on STARTTLS.  Combined with
# disable_plaintext_auth = no above, credentials may be accepted before the
# connection is encrypted.
service managesieve-login {
inet_listener sieve {
port = 4190
}
process_min_avail = 0
service_count = 1
vsz_limit = 64 M
}
service managesieve {
drop_priv_before_exec = yes
process_limit = 1024
}
# POP3: same pattern as IMAP — plain listener off, implicit TLS on 995.
service pop3-login {
inet_listener pop3 {
port = 0
}
inet_listener pop3s {
port = 995
ssl = yes
}
process_limit = 300
process_min_avail = 5
}
service pop3 {
drop_priv_before_exec = yes
process_limit = 300
process_min_avail = 5
}
# TLS for the 993/995 listeners.  The file name says the certificate is
# self-signed: clients that do not pin or explicitly trust it will either
# refuse to connect or be trained to click through certificate warnings,
# which defeats TLS against an active attacker.
ssl_cert = </certs/cert-selfsigned.crt
# The list is built from "ALL" minus a few exclusions.  The "::" after !RC4
# looks like a typo (an empty entry; harmless in OpenSSL, but worth fixing).
# No ssl_min_protocol appears in this dump, so the Dovecot 2.3 default
# applies — consider setting it explicitly (e.g. TLSv1.2).
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4::!3DES:!IDEA
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
# Per-protocol plugin lists.  imap additionally loads imap_quota; pop3 drops
# expire.  pop3_uidl_format fixes the UIDL scheme so it stays stable across
# server changes.
protocol lmtp {
mail_plugins = quota expire mail_log notify
}
protocol lda {
mail_plugins = quota expire mail_log notify
}
protocol imap {
mail_plugins = quota imap_quota mail_log notify
}
protocol pop3 {
mail_plugins = quota mail_log notify
pop3_uidl_format = UID%u-%v
}
-> /config/dovecot/dovecot-proxy/dovecot-oauth2.conf
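# oauth2 passdb settings for the proxy.  One setting per line: the
# mailing-list paste had several settings collapsed onto single lines, which
# Dovecot would read as one key with the rest of the line as its value.
# (Both URLs are truncated in the post; the raw log shows the introspection
# path is /auth/realms/example/protocol/openid-connect/token/introspect.)
grant_url = https://keycloak-iam.apps.example.com/auth/realms/example/protocol/openid-co...
# The password the client sent to Dovecot is forwarded to Keycloak in a
# resource-owner password grant (grant_type=password in the raw log).  The
# username in that request is the master user; the mailbox is not sent.
use_grant_password = yes
introspection_mode = post
introspection_url = https://keycloak-iam.apps.example.com/auth/realms/example/protocol/openid-co...
# Field of the introspection reply that becomes the Dovecot user.  The reply
# excerpt quoted in this thread shows "preferred_username"; confirm that the
# full reply also carries "username", otherwise this lookup has nothing to
# match.
username_attribute = username
username_format = %Lu
# Keycloak's TLS certificate is verified against the system CA bundle.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
scope = email
send_auth_headers = yes
# debug + rawlog_dir write the complete HTTP exchange with Keycloak —
# client_secret, the user's password and the issued tokens included — to
# disk.  Turn both off once the investigation is over and wipe the directory.
debug = yes
rawlog_dir = /LOGS/imap/oauth2/
client_id = imap-client
# This secret has been posted publicly in this thread (and sits in the raw
# log); rotate it in Keycloak.
client_secret = 99e26b26-0f2a-4b64-8f57-c0ca2147d3a0
# Proxy to the backend, authenticating there with XOAUTH2 using the master
# user's access token.  Nothing in this line carries the mailbox (the part
# before "*") to the backend, so the backend logs in as whoever the token
# identifies — which is the behaviour described in the post.
pass_attrs = host=192.160.10.4 proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}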