Ok, I guess the problem is that it's somehow thinking it got everything already from the tokeninfo endpoint. Can you try enabling forced introspection?
Aki
On 05/10/2023 10:13 EEST Christian Rößner lists@mlserv.org wrote:
On 05.10.2023 at 09:08, Christian Rößner lists@mlserv.org wrote:
Hi,
On 05.10.2023 at 08:22, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
You seem to be using the userinfo and not the introspect endpoint in your configuration. Does userinfo return active too?
tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token=
introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
Here is an example of the userinfo results (I have a test client for this):
{
  "OAuth2Token": {
    "access_token": "ory_at_***HIDDEN***",
    "token_type": "bearer",
    "refresh_token": "ory_rt_***HIDDEN***",
    "expiry": "2023-10-05T10:09:52.394731+02:00"
  },
  "IDTokenClaims": {
    "at_hash": "6UQR9dqFoaH1a-ztuZsmfg",
    "aud": [ "718f4a52-e1a8-431d-9146-15809cfe3240" ],
    "auth_time": 1696489790,
    "dovecot_mailbox_path": "sdbox:~/sdbox:VOLATILEDIR=/srv/vmail/volatile/%2.256Nu/%Lu:LISTINDEX=/srv/vmail/listindex/%2.256Nu/%Lu/dovecot.list.index",
    "dovecot_user": "de10000@srvint.net",
    "email": "christian@roessner.email",
    "exp": 1696493393,
    "family_name": "Rößner",
    "given_name": "Christian",
    "groups": [ "admin", "user", "superadmin", "familie", "kanzlei" ],
    "iat": 1696489793,
    "iss": "https://oauth.authserv.me:4444",
    "jti": "***",
    "name": "Christian Rößner",
    "nickname": "croessner",
    "nonce": "***",
    "preferred_username": "croessner",
    "rat": 1696489779,
    "sid": "***",
    "sub": "977c6572-d017-103b-836b-b5fc6e126160"
  }
}
I do not see anything like an active flag.
Christian
Aki
On 04/10/2023 20:05 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Well, I fear there is still something wrong.
On 04.10.2023 at 15:05, Aki Tuomi via dovecot dovecot@dovecot.org wrote:
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
> On 04.10.2023 at 14:31, Aki Tuomi aki.tuomi@open-xchange.com wrote:
>
>> On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
>>
>> Hi,
>>
>>> On 04.10.2023 at 12:56, Arjen de Korte build+dovecot@de-korte.org wrote:
>>>
>>> Quoting Christian Rößner via dovecot dovecot@dovecot.org:
>>>
>>>> Hi,
>>>>
>>>> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
>>>>
>>>> Error (2.3.21):
>>>>
>>>> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>>>>
>>>> Here is an example with 2.3.20:
>>>>
>>>> Success (2.3.20):
>>>>
>>>> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>>>>
>>>
>>> Searching the archives might give a lead to what's going on (and a possible workaround):
>>>
>>> https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
>>
>> I get a different error from RC:
>>
>> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
>>
>> And changing the introspection_url parameter did not change anything.
>>
>> Thanks in advance
>>
>> Christian Rößner
>> --
>
> Can you provide auth_debug=yes logs?

Turning on debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior to 2.3.21 seems to have ignored a missing field, while the newer version expects it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed: the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect
{
  "active": true,
  "scope": "openid profile email groups dovecot offline offline_access",
  "client_id": "718f4a52-e1a8-431d-9146-15809cfe3240",
  "sub": "977c6572-d017-103b-836b-b5fc6e126160",
  "exp": 1696442299,
  "iat": 1696438699,
  "nbf": 1696438699,
  "aud": [],
  "iss": "https://oauth.authserv.me:4444",
  "token_type": "Bearer",
  "token_use": "access_token"
}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token=
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug, or does the active field shown above have nothing to do with the active field in the Dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
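To make the behaviour discussed in this thread concrete, here is an added model (my own Python, not Dovecot's code) of the lookup order the debug log implies: the tokeninfo endpoint is queried first, introspection only runs when it is forced or when the username field is still missing, and the active_attribute check is then applied to whatever fields were collected. The choice of username_attribute = email, the force_introspection config key and the trimmed response bodies are assumptions constructed from the thread.

```python
import json

# Constructed samples trimmed from the thread: userinfo carries no "active"
# claim, while the introspection endpoint returns one.
USERINFO_RESPONSE = json.dumps({
    "sub": "977c6572-d017-103b-836b-b5fc6e126160",
    "email": "christian@roessner.email",
    "exp": 1696493393,
})
INTROSPECT_RESPONSE = json.dumps({
    "active": True,
    "sub": "977c6572-d017-103b-836b-b5fc6e126160",
    "scope": "openid profile email groups dovecot offline offline_access",
})
REVOKED_RESPONSE = json.dumps({"active": False})

def validate_token(config, tokeninfo_body, introspect_body, strict_active=True):
    """Model of the Dovecot oauth2 lookup order (assumption, not Dovecot's code):
    tokeninfo_url is queried first; introspection_url only when the username
    field is still missing or force_introspection is set. With active_attribute
    configured, the merged fields must carry it with active_value. strict_active
    is the 2.3.21 behaviour; False mimics 2.3.20, which ignored a missing one.
    Returns (ok, reason, fields)."""
    fields = dict(json.loads(tokeninfo_body))
    username_attr = config.get("username_attribute", "email")
    if config.get("force_introspection") or username_attr not in fields:
        fields.update(json.loads(introspect_body))
    active_attr = config.get("active_attribute")
    if active_attr:
        if active_attr not in fields:
            if strict_active:
                return False, f"Missing active_attribute {active_attr!r} from token", fields
        # Compare as lower-case strings so JSON true matches active_value = true.
        elif str(fields[active_attr]).lower() != str(config.get("active_value", "true")).lower():
            return False, f"{active_attr} is not {config.get('active_value', 'true')}", fields
    if username_attr not in fields:
        return False, f"username_attribute {username_attr!r} not found", fields
    return True, "ok", fields

def thread_scenarios():
    """Replays the thread: 2.3.21 rejects, 2.3.20 accepted, forced introspection fixes it."""
    cfg = {"username_attribute": "email", "active_attribute": "active", "active_value": "true"}
    forced = dict(cfg, force_introspection=True)
    return {
        "2.3.21": validate_token(cfg, USERINFO_RESPONSE, INTROSPECT_RESPONSE)[:2],
        "2.3.20": validate_token(cfg, USERINFO_RESPONSE, INTROSPECT_RESPONSE, False)[:2],
        "2.3.21_forced": validate_token(forced, USERINFO_RESPONSE, INTROSPECT_RESPONSE)[:2],
        "2.3.21_forced_revoked": validate_token(forced, USERINFO_RESPONSE, REVOKED_RESPONSE)[:2],
    }
```

The last scenario is the reason the stricter check matters: once introspection is consulted, a revoked token (active false) is rejected, whereas skipping the attribute as 2.3.20 did would let the tokeninfo result through unchecked.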