Hi,
I successfully configured Roundcube to use keycloak for oauth2.
However, I am having trouble making it work with dovecot. My configuration is this:

cat dovecot-oauth2.conf.ext
tokeninfo_url = https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo
introspection_url = https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/token/intro...
introspection_mode = post
username_attribute = postfixMailAddress
debug = yes
scope = openid Roundcube_email
This is what I am getting from the logs:
Nov 20 08:20:30 auth: Error: ldap(francis@mydomain.com,10.10.40.30,<yskzUpAKb9EKCige>): ldap_bind() failed: Constraint violation
Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Host created
Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Host session created
Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: IPs have expired; need to refresh DNS lookup
Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: Performing asynchronous DNS lookup
Nov 20 08:20:30 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/med-lo/protocol/openid-connect/userinfoeyJh...]: Submitted (requests left=1)
Nov 20 08:20:30 auth: Debug: http-client: host auth.mydomain.com: DNS lookup successful; got 1 IPs
Nov 20 08:20:30 auth: Debug: http-client: peer 10.10.100.10:443 (shared): Peer created
Nov 20 08:20:30 auth: Debug: http-client: peer 10.10.100.10:443: Peer pool created
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Peer created
Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Setting up connection to 10.10.100.10:443 (SSL=auth.mydomain.com) (1 requests pending)
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Linked queue https://auth.mydomain.com:443 (1 queues linked)
Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Started new connection to 10.10.100.10:443 (SSL=auth.mydomain.com)
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Connecting
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Waiting for connect (fd=23) to finish for max 0 msecs
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: HTTPS connection created (1 parallel connections exist)
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Client connection failed (fd=23)
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Connection failed (1 connections exist, 0 pending)
Nov 20 08:20:30 auth: Debug: http-client: peer 10.10.100.10:443: Failed to make connection (1 connections exist, 0 pending)
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Failed to establish any connection within our peer pool: connect(10.10.100.10:443) failed: Connection refused (1 connections exist, 0 pending)
Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Failed to set up connection to 10.10.100.10:443 (SSL=auth.mydomain.com): connect(10.10.100.10:443) failed: Connection refused (1 peers pending, 1 requests pending)
Nov 20 08:20:30 auth: Debug: http-client[1]: peer 10.10.100.10:443: Unlinked queue https://auth.mydomain.com:443 (0 queues linked)
Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Failed to set up any connection; failing all queued requests
Nov 20 08:20:30 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/med-lo/protocol/openid-connect/userinfoeyJh...]: Error: 9003 connect(10.10.100.10:443) failed: Connection refused
Nov 20 08:20:30 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Dropping request [Req1: GET https://auth.mydomain.com/realms/med-lo/protocol/openid-connect/userinfoeyJh...]
Nov 20 08:20:30 auth: Error: oauth2(francis@mydomain.com,10.10.40.30,<yskzUpAKb9EKCige>): oauth2 failed: connect(10.10.100.10:443) failed: Connection refused
Nov 20 08:20:30 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/med-lo/protocol/openid-connect/userinfoeyJh...]: Destroy (requests left=1)
Nov 20 08:20:30 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/med-lo/protocol/openid-connect/userinfoeyJh...]: Free (requests left=0)
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Connection close
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Connection disconnect
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Disconnected: connect() failed: Connection refused (fd=23)
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Detached peer
Nov 20 08:20:30 auth: Debug: http-client: conn 10.10.100.10:443 [1]: Connection destroy
Nov 20 08:20:32 imap-login: Info: Disconnected (auth service reported temporary failure): user=<francis@mydomain.com>, method=XOAUTH2, rip=10.10.40.30, lip=172.18.0.10, TLS, session=<yskzUpAKb9EKCige>
My dovecot version is 2.3.7.2 (3c910f64b).
I find it odd that it is sending the token as a parameter, when I chose “post” as the introspection mode. But I don’t know if that is the problem.
best,
Francis
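The post above shows two distinct things in one log: the request Dovecot builds from the passdb config (the GET to ".../userinfoeyJh..." is the bearer token appended verbatim to tokeninfo_url, which is why the documented examples end that setting with "?access_token="; the POST form body only applies to introspection_url), and a plain TCP "Connection refused" from 10.10.100.10:443 that happens before any of that matters. The following Python script is an added example, not code from the original post or from the Dovecot project. It reads a dovecot-oauth2.conf.ext-style file, shows the request each setting produces under the documented behaviour (an assumption stated in the comments), and probes the endpoint's host:port the same way Dovecot's http-client does. The host auth.example.invalid, the token "tok123" and the sample config are constructed placeholders.

```python
"""Added example (not from the original post or from Dovecot).

Assumed Dovecot oauth2 passdb behaviour, per its documentation:
  - tokeninfo_url:      GET, bearer token appended verbatim to the URL
  - introspection_mode: auth -> GET with "Authorization: Bearer <token>"
                        get  -> GET with the token appended to introspection_url
                        post -> POST with form body "token=<token>"
"""
import socket
from urllib.parse import urlencode, urlsplit

# Constructed sample config in the same key = value format as dovecot-oauth2.conf.ext.
SAMPLE_CONFIG = """\
tokeninfo_url = https://auth.example.invalid/realms/myrealm/protocol/openid-connect/userinfo
introspection_url = https://auth.example.invalid/realms/myrealm/protocol/openid-connect/token/introspect
introspection_mode = post
username_attribute = email
debug = yes
"""


def parse_conf(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def tokeninfo_request(conf, token):
    """Request shape for tokeninfo_url: the token is concatenated onto the URL
    with no separator, so a URL without a trailing '?access_token=' yields
    a path like '/userinfo<token>', exactly what the posted log shows."""
    return {"method": "GET", "url": conf["tokeninfo_url"] + token,
            "headers": {}, "body": None}


def introspection_request(conf, token):
    """Request shape for introspection_url, depending on introspection_mode."""
    mode = conf.get("introspection_mode", "auth")
    url = conf["introspection_url"]
    if mode == "post":
        return {"method": "POST", "url": url,
                "headers": {"Content-Type": "application/x-www-form-urlencoded"},
                "body": urlencode({"token": token})}
    if mode == "get":
        return {"method": "GET", "url": url + token, "headers": {}, "body": None}
    if mode == "auth":
        return {"method": "GET", "url": url,
                "headers": {"Authorization": "Bearer " + token}, "body": None}
    raise ValueError("unsupported introspection_mode: %r" % mode)


def endpoint_of(url):
    """(host, port) that Dovecot's http-client would connect to for this URL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def tcp_probe(url, timeout=3.0):
    """Return None if a TCP connection to the URL's host:port succeeds, otherwise
    the OS error text (e.g. 'Connection refused'). This is the same failure
    class as the 'connect(10.10.100.10:443) failed' line in the posted log, and
    it is independent of any OAuth2 setting."""
    host, port = endpoint_of(url)
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return None
    except OSError as exc:
        return str(exc)


if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONFIG)
    token = "tok123"  # constructed placeholder, not a real token
    for name, req in (("tokeninfo", tokeninfo_request(conf, token)),
                      ("introspection", introspection_request(conf, token))):
        print("%-13s %s %s" % (name, req["method"], req["url"]))
        if req["body"]:
            print("              body: %s" % req["body"])
    for url in (conf["tokeninfo_url"], conf["introspection_url"]):
        err = tcp_probe(url, timeout=1.0)
        print("probe %s:%d -> %s" % (*endpoint_of(url), "ok" if err is None else err))
```

Run it against a real config by replacing SAMPLE_CONFIG with the file's contents. If the probe prints a connection error, nothing in the OAuth2 settings is being exercised yet and the fix lies in reachability of the Keycloak endpoint (firewall, the listener's bind address, or a proxy in front of it); only once the probe succeeds does the request shape (for instance a missing "?access_token=" on tokeninfo_url) come into play.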