As outlined here: https://doc.dovecot.org/configuration_manual/authentication/oauth2/ Can Postman https://identity.foo.mylocal:9443/oauth2/token OK. Using this command to generate the base64 token: echo -en 'n,a=test@foo.com,\001host=localhost\001port=143\001auth=Bearer S3cure!Password\001\001' | base64 -w0; echo I telnet to localhost 143, and run 01 AUTHENTICATE OAUTHBEARER {TOKEN}. Get 'User id is not available for user: FOO.MYLOCAL/test@carbon.super' (HTTP 500). It could be because Dovecot is just sending a username instead of the full email address? I can generate the same 500 error by just sending the username in Postman. ***dovecot-oauth.conf.ext*** introspection_mode = post introspection_url = https://adminusername:adminpassword@identity.foo.mylocal :9443/oauth2/introspect username_attribute = username tls_allow_invalid_cert = yes active_attribute = active active_value = true use_grant_password = yes # Have tried this, no change. #username_format = %n client_id = {CLIENTID} client_secret = {CLIENTSECRET} grant_url = https://identity.foo.mylocal:9443/oauth2/token tokeninfo_url = https://identity.foo.mylocal:9443/oauth2/tokeninfo?oauth= pass_attrs = pass=%{oauth2:access_token} ***dovecot.conf*** auth_mechanisms = $auth_mechanisms oauthbearer xoauth2 passdb { driver = oauth2 mechanisms = xoauth2 oauthbearer args = /etc/dovecot/dovecot-oauth2.conf.ext }