Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5