Hi Aki,
Thank you for taking the time to answer my question, I greatly appreciate your effort.
With a little bit of experimentation and reading the documentation I was able to set up local introspection validation and the OAuth2 authentication is now succeeding. Thank you!
For those of you experiencing a similar situation this is the dovecot-oauth2.plain.conf.ext conf file after applying Aki's advice:
    grant_url = https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
    client_id = <client id>
    client_secret = <client secret>
    username_attribute = email
    use_grant_password = yes
    introspection_mode = local
    scope = api://<client id>/mail-relay
    local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
I retrieved the local validation keys from Azure AD / Entra ID via this url: https://login.microsoftonline.com/<tenant id>/discovery/keys?appid=<client id>
This yields a JSON array which needs to be stored in /etc/dovecot/keys with the following folder structure: /etc/dovecot/keys/default/RS256
In the RS256 folder you need to create a file per kid. The Azure AD endpoint provided me with an array containing 2 items. I created a file for item 1 and copied in the individual key item and did the same for the other key item (identified by the kid attribute). Each file is named after its kid attribute.
Kind regards,
Meint
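The manual copy-per-kid step described above can be scripted. The following is an added example, not code from the thread or from Dovecot: it takes a JWKS document of the shape the discovery endpoint returns (a constructed sample is embedded; the key values are placeholders) and writes each RSA signing key to <prefix>/default/RS256/<kid>, the layout given in the post. Because the kid is taken from a remote document and becomes a file name, the script only accepts kids made of a conservative character set and skips anything else.

```python
import json
import os
import re
from pathlib import Path

# Constructed sample standing in for the response of
# https://login.microsoftonline.com/<tenant id>/discovery/keys?appid=<client id>
# The "n" values are placeholders, not real RSA moduli.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "use": "sig", "kid": "kid-one", "n": "placeholder-modulus-1", "e": "AQAB"},
        {"kty": "RSA", "use": "sig", "kid": "kid-two", "n": "placeholder-modulus-2", "e": "AQAB"},
        # not a signing key and a kid that must never become a path component
        {"kty": "RSA", "use": "enc", "kid": "../escape", "n": "placeholder-modulus-3", "e": "AQAB"},
    ]
}

# kid is used as a file name below, so restrict it to a safe character set
SAFE_KID = re.compile(r"^[A-Za-z0-9_-]{1,128}$")


def write_jwks_keys(jwks, prefix, azp="default", alg="RS256"):
    """Write each RSA signing key of a JWKS as <prefix>/<azp>/<alg>/<kid>.

    Returns the list of kids written. Keys that are not RSA signing keys, or
    whose kid is not a safe file name, are skipped.
    """
    target = Path(prefix) / azp / alg
    target.mkdir(parents=True, exist_ok=True)
    written = []
    for key in jwks.get("keys", []):
        kid = key.get("kid", "")
        if key.get("kty") != "RSA" or key.get("use", "sig") != "sig":
            continue
        if not SAFE_KID.match(kid):
            continue
        path = target / kid
        path.write_text(json.dumps(key))   # one JWK object per file, as in the post
        os.chmod(path, 0o640)              # dovecot only needs read access
        written.append(kid)
    return written


def list_key_files(prefix, azp="default", alg="RS256"):
    """Return the kids currently present under the key dict prefix."""
    target = Path(prefix) / azp / alg
    if not target.is_dir():
        return []
    return sorted(p.name for p in target.iterdir() if p.is_file())
```

Entra ID rotates these keys, so the fetch-and-write step needs to be rerun periodically rather than done once.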