On 19/01/2021 07:17 福田泰葵 taiki.fukuda@justsystems.com wrote:
Dear Sir or Madam Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy. I have a question about how to use dovecot as a proxy to perform OAuth 2.0 authentication to Gmail using a mail client.
Mail client is required, in this case, to provide valid oauth2 bearer token. I don't think google supports other ways.
- Is the following all I need to do to authenticate to Gmail using dovecot as a proxy?
- passdb passdb { driver = oauth2 mechanisms = oauthbearer xoauth2 args = /etc/dovecot/dovecot-oauth2.token.conf.ext }
passdb { driver = oauth2 mechanisms = plain login args = /etc/dovecot/dovecot-oauth2.plain.conf.ext }
The plain config is a way to do 'password grant' authentication. This is when username and password is used to acquire a bearer token.
- create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
- create gmail service account api
- grant_url in dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext is URL for obtaining a Google access token for a web server that I have built myself?
- I use a Gmail service account, so I don’t need a client ID and secret ID, right?
- Do I set introspection_url to the URL of my own web server with the access token used for authentication to Google as the response?
No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with token. If I recall correctly, the token endpoint
For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
- The documentation says “pass_attrs = host=127.0.0.1”, but if you are authenticating to Gmail, I should use “pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com (http://imap.gmail.com);%{if;%s;eq;pop3;smtp .gmail.com (http://gmail.com);pop.gmail.com (http://pop.gmail.com)}} port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2 pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}”?
I would use something more readable, like passwd-file driver with username_format=%s
The access token is also imported as %{token} in passdb.
- What is the difference between dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext ? Do I need to configure both? I used https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a reference. I would appreciate your reply. Yours faithfully,
e-mail: taiki.fukuda@justsystems.com TEL: 03-5324-7900 mobile: 080-6198-7328
So this might work
/etc/dovecot/oauth2-token.conf.ext
introspection_url = https://www.googleapis.com/oauth2/v2/userinfo introspection_mode = auth username_attribute = email pass_attrs = proxy=y proxy_mech=xoauth2
/etc/dovecot/dovecot.conf
auth_mechanisms = xoauth2 oauthbearer
passdb { driver = oauth2 args = /etc/dovecot/oauth2-token.conf.ext result_success = continue-ok }
passdb { driver = passwd-file args = username_format=%s /etc/dovecot/endpoints skip = unauthenticated }
/etc/dovecot/endpoints
imap::::::: host=imap.gmail.com pop3::::::: host=pop3.gmail.com submission::::::: host=smtp.gmail.com
Aki