Try adding /?token= to tokeninfo_url. Dovecot 2.3.7.2 will simply concatenate tokeninfo_url and token, so you need to provide the URL in that fashion.
Aki
Thanks Aki.
Still no go:
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host created
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host session created
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Need to perform DNS lookup
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Performing asynchronous DNS lookup
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client: dns(auth.mydomain.com): Lookup started
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client: Connecting
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Client connected (fd=24)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Sending version handshake
Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/to......: Submitted (requests left=1)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): dns(auth.mydomain.com): Lookup successful after 4 msecs
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: DNS lookup successful; got 1 IPs
Nov 20 08:59:19 auth: Debug: http-client: peer 10.10.200.10:443 (shared): Peer created
Nov 20 08:59:19 auth: Debug: http-client: peer 10.10.200.10:443: Peer pool created
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Peer created
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Setting up connection to 10.10.200.10:443 (SSL=auth.mydomain.com) (1 requests pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Linked queue https://auth.mydomain.com:443 (1 queues linked)
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Started new connection to 10.10.200.10:443 (SSL=auth.mydomain.com)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Disconnected: Connection closed (fd=24)
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: conn unix:dns-client (pid=506,uid=0): Disconnect: deinit
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Creating 1 new connections to handle requests (already 0 usable, connecting to 0, closing 0)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Making new connection 1 of 1 (0 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Connecting
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Waiting for connect (fd=24) to finish for max 0 msecs
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: HTTPS connection created (1 parallel connections exist)
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Client connection failed (fd=24)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Connection failed (1 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client: peer 10.10.200.10:443: Failed to make connection (1 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Failed to establish any connection within our peer pool: connect(10.10.200.10:443) failed: Connection refused (1 connections exist, 0 pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Failed to set up connection to 10.10.200.10:443 (SSL=auth.mydomain.com): connect(10.10.200.10:443) failed: Connection refused (1 peers pending, 1 requests pending)
Nov 20 08:59:19 auth: Debug: http-client[1]: peer 10.10.200.10:443: Unlinked queue https://auth.mydomain.com:443 (0 queues linked)
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Failed to set up any connection; failing all queued requests
Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/to......: Error: 9003 connect(10.10.200.10:443) failed: Connection refused
Nov 20 08:59:19 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Dropping request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/to...]
Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: Host is idle (timeout = 1799998 msecs)
Nov 20 08:59:19 auth: Error: oauth2(francis@mydomain.com,10.10.40.30,<4Gv83JAKyOcKCige>): oauth2 failed: Token validation failed: connect(10.10.200.10:443) failed: Connection refused
Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/to......: Destroy (requests left=1)
Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/to......: Free (requests left=0)
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Connection close
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Connection disconnect
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Disconnected: connect() failed: Connection refused (fd=24)
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Detached peer
Nov 20 08:59:19 auth: Debug: http-client: conn 10.10.200.10:443 [1]: Connection destroy
Nov 20 08:59:21 imap-login: Info: Disconnected: Connection closed (auth service reported temporary failure): user=<francis@mydomain.com>, method=XOAUTH2, rip=10.10.40.30, lip=172.18.0.10, TLS, session=<4Gv83JAKyOcKCige>
Nov 20 08:59:35 auth: Debug: http-client[1]: peer 10.10.200.10:443: Peer close
Nov 20 08:59:35 auth: Debug: http-client[1]: peer 10.10.200.10:443: Peer disconnect
Nov 20 08:59:35 auth: Debug: http-client[1]: peer 10.10.200.10:443: Peer destroy
Nov 20 08:59:35 auth: Debug: http-client: peer 10.10.200.10:443: Peer pool destroy
Nov 20 08:59:35 auth: Debug: http-client: peer 10.10.200.10:443 (shared): Peer destroy
Nov 20 08:59:35 auth: Debug: http-client: host auth.mydomain.com: Host session destroy
Nov 20 08:59:35 auth: Debug: http-client[1]: queue https://auth.mydomain.com:443: Destroy
Nov 20 08:59:35 auth: Debug: http-client: host auth.mydomain.com: Host destroy
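An added troubleshooting helper, not part of either post above: it re-splits a flattened auth debug log like the one Francis pasted into one entry per line, pulls out the tokeninfo request URL and the connect() failure that actually stopped validation, and checks where Dovecot's tokeninfo_url + token concatenation (as Aki describes for 2.3.7.2) places the token. The sample log text, the session id and user@mydomain.com are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the thread's log: three auth entries
# flattened onto one line, as the mailing-list archive rendered them.
SAMPLE_LOG = (
    "Nov 20 08:59:19 auth: Debug: http-client: host auth.mydomain.com: "
    "DNS lookup successful; got 1 IPs "
    "Nov 20 08:59:19 auth: Debug: http-client[1]: request [Req1: GET "
    "https://auth.mydomain.com/realms/myrealm/protocol/openid-connect/userinfo/to......: "
    "Submitted (requests left=1) "
    "Nov 20 08:59:19 auth: Error: oauth2(user@mydomain.com,10.10.40.30,<sess>): "
    "oauth2 failed: Token validation failed: connect(10.10.200.10:443) failed: "
    "Connection refused"
)

# A new entry starts at a syslog timestamp followed by the service tag ("auth:", "imap-login:").
ENTRY_RE = re.compile(r"(?=[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d [\w-]+: )")
# Dovecot truncates the URL with dots in the request line; capture up to the ": " that ends it.
REQUEST_RE = re.compile(r"request \[Req\d+: GET (https?://\S+?):\s")
CONNECT_RE = re.compile(r"connect\(([^:()]+):(\d+)\) failed: ([^(]*?)\s*(?:\(|$)")


def split_entries(text):
    """Split a flattened Dovecot auth log back into one entry per list element."""
    return [e.strip() for e in ENTRY_RE.split(text) if e.strip()]


def token_placement(tokeninfo_url, token="TOKEN"):
    """Dovecot 2.3.7.2 builds the request as tokeninfo_url + token (per Aki's reply);
    report whether that lands the token in the query string or in the path."""
    parts = urlsplit(tokeninfo_url + token)
    if any(token in vals for vals in parse_qs(parts.query).values()):
        return "query"
    return "path" if token in parts.path else "unknown"


def triage(log_text):
    """Extract the tokeninfo request URL, the first connect() failure (host, port,
    reason) and every Error entry from http-client debug output."""
    found = {"request_url": None, "connect_failure": None, "errors": []}
    for entry in split_entries(log_text):
        m = REQUEST_RE.search(entry)
        if m and found["request_url"] is None:
            found["request_url"] = m.group(1)
        m = CONNECT_RE.search(entry)
        if m and found["connect_failure"] is None:
            found["connect_failure"] = (m.group(1), int(m.group(2)), m.group(3))
        if ": Error: " in entry:
            found["errors"].append(entry)
    return found
```

A "Connection refused" result means the auth process resolved the host and reached the IP but nothing accepted the TCP connection on that port, so the tokeninfo_url change never got exercised; that is the first thing to fix before judging the URL format.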