Hi Andrea,
Do you know if the same applies also to other clients like Apple Mail and Outlook 20xx?
Sorry, I have not looked into it so I can't answer this. What I don't understand really in the way OAUTHBEARER or XOAUTH2 works with IMAP is how the client is supposed to know where to obtain a token from (or does it need to be explicitly configured?)...
PS: Can you share your /etc/dovecot/dovecot-oauth2.conf.ext
Sure (some values have been replaced by capital letters). I'm doing it quite differently from you, using local introspection:
introspection_mode = local
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
issuers = https://XXXX/auth/realms/ZZZ
scope = email
username_attribute = AAAA
username_format = %n
# Hack to forcefully validate the aud
active_attribute = aud
active_value = YYYYY
And then I have to populate /etc/dovecot/keys as per
https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-va...
To debug the authentication/setup, here is what I did:
- Obtain a token from our local keycloak:
curl --location --request POST
'https://XXXX/auth/realms/ZZZ/protocol/openid-connect/token' --header
'Content-Type: application/x-www-form-urlencoded' --data-urlencode
'grant_type=password' --data-urlencode 'client_id=YYYYY'
--data-urlencode 'username=${username}' --data-urlencode
"password=${password}" --data-urlencode "client_secret=${secret_key}" |
jq '"n,a=${username},\u0001host=XXXX\u0001port=993\u0001auth=Bearer
\(.access_token)\u0001\u0001" | @base64' -r
- Pass that token to IMAP through
a1 authenticate oauthbearer ....
I hope this can help, Cheers, Vincent