On 26/03/2025 04:44 EET Brad Koehn via dovecot <dovecot@dovecot.org> wrote:
This is running on OS: Linux 6.1.0-28-amd64 x86_64 Debian 11.11 on amd64 hardware with an ext4 filesystem.
My uneducated guess is authentik sent a token that was bigger than Dovecot expected; the OAuth2 spec doesn't define a maximum size. As an example, Authentik client secrets are 128 characters long by default, which looks like it would overflow the payload buffer defined in oauth2_client_secret_start. (I edited my Authentik client secret to make it small enough to fit and it didn't fix the problem).
The actual fix is to tell SOGo to not do
1 AUTHENTICATE XOAUTH2 <token>
but instead
C: 1 AUTHENTICATE XOAUTH2
S: +
C: <token here>

If the token is long enough, the client must use interactive SASL.
Aki
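The two client forms Aki contrasts above, as an added example that is not part of this thread and not Dovecot or SOGo code. The server side is a deliberately tiny stand-in written for this example: its limit on the initial response (FAKE_SERVER_MAX_INITIAL_RESPONSE) is a constructed, illustrative number that stands in for whatever limit a real server applies, not a Dovecot constant. The user name and token values are constructed too. What it shows is the protocol-level difference: the one-line form carries the base64 SASL response on the AUTHENTICATE line itself, while the interactive form sends a bare AUTHENTICATE, waits for the server's "+" continuation, and only then sends the response on its own line.

```python
import base64

# Constructed, purely illustrative limit on how long an initial response on
# the AUTHENTICATE line the fake server accepts. It is NOT a Dovecot value.
FAKE_SERVER_MAX_INITIAL_RESPONSE = 256


def xoauth2_response(user: str, access_token: str) -> bytes:
    """Raw SASL XOAUTH2 client response, before base64 encoding:
    "user=" user ^A "auth=Bearer " token ^A ^A"""
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode()


class FakeImapServer:
    """Minimal stand-in for an IMAP server's AUTHENTICATE handling.

    It understands only enough of IMAP to show the difference between the
    one-line (initial response) form and the interactive form.
    """

    def __init__(self, expected_user: str, expected_token: str):
        self.expected = xoauth2_response(expected_user, expected_token)
        self.pending_tag = None  # tag of an AUTHENTICATE awaiting its response
        self.authenticated = False

    def handle(self, line: str) -> str:
        if self.pending_tag is not None:
            # Second half of the interactive form: the client answers the
            # "+" continuation with the base64 response on a line of its own.
            tag, self.pending_tag = self.pending_tag, None
            return self._check(tag, line)

        parts = line.split(" ", 3)
        if (len(parts) < 3 or parts[1].upper() != "AUTHENTICATE"
                or parts[2].upper() != "XOAUTH2"):
            return f"{parts[0]} BAD unsupported command"
        tag = parts[0]
        if len(parts) == 3:
            # No initial response on the command line: ask for it.
            self.pending_tag = tag
            return "+ "
        initial = parts[3]
        if len(initial) > FAKE_SERVER_MAX_INITIAL_RESPONSE:
            # Constructed failure mode: an oversized initial response is refused.
            return f"{tag} NO initial response too long"
        return self._check(tag, initial)

    def _check(self, tag: str, b64: str) -> str:
        try:
            decoded = base64.b64decode(b64, validate=True)
        except (ValueError, TypeError):
            return f"{tag} BAD invalid base64"
        if decoded == self.expected:
            self.authenticated = True
            return f"{tag} OK authenticated"
        return f"{tag} NO authentication failed"


def authenticate_inline(server: FakeImapServer, tag: str, user: str, token: str) -> str:
    """One-line form: the SASL response travels on the AUTHENTICATE line."""
    b64 = base64.b64encode(xoauth2_response(user, token)).decode()
    return server.handle(f"{tag} AUTHENTICATE XOAUTH2 {b64}")


def authenticate_interactive(server: FakeImapServer, tag: str, user: str, token: str) -> str:
    """Interactive form: bare AUTHENTICATE, wait for '+', then send the response."""
    reply = server.handle(f"{tag} AUTHENTICATE XOAUTH2")
    if not reply.startswith("+"):
        return reply  # the server refused before asking for credentials
    b64 = base64.b64encode(xoauth2_response(user, token)).decode()
    return server.handle(b64)


if __name__ == "__main__":
    # Constructed credentials: a long bearer token of the kind an OAuth2
    # provider may hand out; the length is what matters here, not the value.
    user, token = "alice@example.com", "x" * 400
    srv = FakeImapServer(user, token)
    print("inline:     ", authenticate_inline(srv, "1", user, token))
    print("interactive:", authenticate_interactive(srv, "2", user, token))
```

With Python's standard imaplib the interactive form is what you get already: IMAP4.authenticate('XOAUTH2', lambda challenge: xoauth2_response(user, token)) sends the bare AUTHENTICATE command, waits for the server's continuation, and base64-encodes the callback's return value itself, so no token ever lands on the command line.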