On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
Am 2023-10-24 15:14, schrieb Aki Tuomi:
On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
Am 2023-10-23 08:43, schrieb Aki Tuomi:
Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
If I comment out the tokeninfo_url (the rest the same as in the working config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.
Also if you are using jwt, you can also opt to do local validation instead.
What should a config look like for this? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.
Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the key-dict ?
Yep. As in the example in docs.
Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the SASL auth:
---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
---snip---
In the example there is "typ":"JWT", which I don't have:
---snip---
"keys": [
  {
    "kid": "4ED...more...vi7umzYdS4",
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "n": "pj0BLB...more...Q",
    "e": "AQAB",
    "x5c": [ "MIICoTCCA...much_more...o8M0a6VE=" ],
    "x5t": "yeW...more...z2mnh4",
    "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
  },
---snip---
The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.
I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.
There is a second key with:
---snip---
"alg": "RSA-OAEP",
"use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict for this.
Bye, Alexander.
Do I still need the openid_configuration_url and introspection_url? client_secret can go in this case, I assume.
You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as the OIDC discovery URL.
Aki
Bye, Alexander.
Aki
On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote: [...] The working but not really up to the OIDC spec dovecot config is:
auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/t...
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?tr...
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro...
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---
auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?tr...
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro...
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
#debug = yes
username_attribute = email
pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---
Are you sure there is nothing with auth_debug=yes? This sounds like the client did not even want to try oauth2. Did you enable the XOAUTH2 and OAUTHBEARER mechanisms?
Aki
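The thread above builds the local_validation_key_dict by hand from the jwks_uri output: one file per signing key under <prefix>/<alg>/<kid>, with the RSA-OAEP/use=enc key left out. The script below is an added example (not Dovecot's, Keycloak's or the poster's code) that does that layout from a JWKS document using only the Python standard library. It assumes two things that are not stated in the thread: that Dovecot's fs:posix dict is laid out as <prefix>/<alg>/<kid>, and that for RS* keys the file must contain the public key as a PEM "BEGIN PUBLIC KEY" block (so it DER-encodes the JWK's n/e rather than copying the x5c certificate text); check both against the Dovecot documentation for your version. The JWKS it processes is a constructed sample with a tiny dummy modulus, shaped like the snippet quoted above, plus a key whose kid contains a path separator to show why kid must be checked before it becomes a file name.

```python
"""Write a JWKS document out as per-key files in a <prefix>/<alg>/<kid> tree.

Added example, not Dovecot code; standard library only. Assumption (see the
lead-in): RS* key files hold a PEM SubjectPublicKeyInfo public key.
"""
import base64
import json
import tempfile
from pathlib import Path

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
SUPPORTED_RSA_ALGS = {"RS256", "RS384", "RS512"}


def b64url_uint(value: int) -> str:
    """JWK-style unpadded base64url of a big-endian unsigned integer."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_to_uint(text: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(text + "=" * (-len(text) % 4)), "big")


# Constructed sample JWKS shaped like the jwks_uri output quoted in the thread.
# The 24-bit modulus is a dummy so the resulting DER can be checked by hand.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": b64url_uint(0xC0FFEE), "e": b64url_uint(65537)},
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
     "n": b64url_uint(0xC0FFEE), "e": b64url_uint(65537)},
    {"kid": "../evil", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": b64url_uint(0xC0FFEE), "e": b64url_uint(65537)},
]})


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV: short-form length, long form once the body reaches 128 bytes."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(n)]) + n
    return bytes([tag]) + length + body


def _der_uint(value: int) -> bytes:
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:             # DER INTEGER is signed; keep the value positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_jwk_to_pem(jwk: dict) -> str:
    """RSA JWK (n, e) -> PEM SubjectPublicKeyInfo, the format `openssl -pubout` writes."""
    rsa_public_key = _der(0x30, _der_uint(b64url_to_uint(jwk["n"]))
                          + _der_uint(b64url_to_uint(jwk["e"])))
    algorithm_id = _der(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")   # rsaEncryption, NULL params
    spki = _der(0x30, algorithm_id + _der(0x03, b"\x00" + rsa_public_key))
    body = base64.b64encode(spki).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and decode, to inspect what was written."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)


def layout_jwks(jwks_json: str, prefix: Path) -> tuple[dict, dict]:
    """Write every usable signing key to <prefix>/<alg>/<kid>.

    Returns ({"<alg>/<kid>": path}, {kid: reason}); skipped keys are encryption
    keys (the RSA-OAEP/use=enc one in the thread), key types this helper does not
    encode, and kids that are not safe to use as file names.
    """
    written, skipped = {}, {}
    for jwk in json.loads(jwks_json)["keys"]:
        kid, alg = jwk.get("kid", ""), jwk.get("alg")
        if jwk.get("use", "sig") != "sig":
            skipped[kid] = f"use={jwk['use']}: not a signing key"
        elif jwk.get("kty") != "RSA" or alg not in SUPPORTED_RSA_ALGS:
            skipped[kid] = f"kty={jwk.get('kty')} alg={alg}: not handled by this helper"
        elif not kid or "/" in kid or kid in (".", ".."):
            skipped[kid] = "kid is not a safe file name"   # would escape <prefix>/<alg>/
        else:
            target = prefix / alg / kid
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(rsa_jwk_to_pem(jwk))
            written[f"{alg}/{kid}"] = str(target)
    return written, skipped


def demo() -> tuple[dict, dict, str]:
    """Lay SAMPLE_JWKS out in a throwaway directory and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        written, skipped = layout_jwks(SAMPLE_JWKS, Path(tmp) / "keys")
        pem = Path(written["RS256/sig-key-1"]).read_text()
    return written, skipped, pem


if __name__ == "__main__":
    for part in demo():
        print(part)
```

Run against a real jwks_uri document, the written files still need the ownership the thread mentions (readable by the dovecot user), and the tree has to be refreshed when the provider rotates keys, since there is no network fetch here. If your provider only publishes x5c and you would rather trust the certificate chain, that is a different procedure; this example deliberately uses only n and e.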