On 25/10/2023 16:02 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
Am 2023-10-25 08:03, schrieb Aki Tuomi:
On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
Am 2023-10-24 15:14, schrieb Aki Tuomi:
On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
Am 2023-10-23 08:43, schrieb Aki Tuomi:
Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
If I comment out the tokeninfo_url (the rest the same as in the qorking config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.
Also if you are using jwt, you can also opt to do local validation instead.
How should a config look like for this? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.
Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the key-dict ?
Yep. As in the example in docs.
Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the sasl auth: ---snip--- imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,... ---snip---
In the example there is "typ":"JWT" which I don't have: ---snip--- "keys": [ { "kid": "4ED...more...vi7umzYdS4", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "pj0BLB...more...Q", "e": "AQAB", "x5c": [ "MIICoTCCA...much_more...o8M0a6VE=" ], "x5t": "yeW...more...z2mnh4", "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0" }, ---snip---
The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.
I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.
There is a second key with: ---snip--- "alg": "RSA-OAEP", "use": "enc", ---snip--- As this is not listed as supported, I didn't create an entry in the dict for this.
Bye, Alexander.
Do I still need the openid_configureation_url and introspection_url? client_secret can go in this case I assume.
You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as oidc discovery url.
Aki
Bye, Alexander.
Aki
> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot > <dovecot@dovecot.org> wrote: [...] > The working but not really up to the OIDC spec dovecot config is: > > auth-oauth2.token.conf.ext: > ---snip--- > openid_configuration_url = > https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration > #tokeninfo_url = > https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/t... > tokeninfo_url = > https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?tr... > introspection_url = > https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro... > introspection_mode = auth > #active_attribute = active > #active_value = true > client_id = myid > client_secret = mysecret > use_grant_password = no > #debug = yes > username_attribute = email > pass_attrs = pass=%{oauth2:access_token} > ---snip--- > > auth-oauth2.plain.conf.ext: > ---snip--- > openid_configuration_url = > https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration > #tokeninfo_url = > https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token > tokeninfo_url = > https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?tr... > introspection_url = > https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro... > introspection_mode = auth > #active_attribute = active > #active_value = true > client_id = myid > client_secret = mysecret > use_grant_password = yes > #debug = yes > username_attribute = email > pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 > pass=%{oauth2:access_token} > ---snip---
You sure there is nothing with auth_debug=yes? This sounds like the client did not want to even try oauth2. Did you enable XOAUTH2 and OAUTHBEARER mechanisms?
In jwt mode:
==> /var/log/debug.log <== Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: passwd-file(email,IP,<sessionhash>): Finished passdb lookup Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,<sessionhash>): Performing passdb lookup Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,<sessionhash>): cache miss Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,<sessionhash>): Attempting to locally validate token Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,<sessionhash>): Finished passdb lookup Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: xoauth2(email,IP,<sessionhash>): skipping passdb: mechanism filtered Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: auth(email,IP,<sessionhash>): Auth request finished
==> /var/log/maillog <== Oct 25 14:07:53 imap dovecot[79798]: auth: oauth2(email,IP,<sessionhash>): oauth2 failed: Local validation failed: client_id not found in aud field
Yes, both oauth machanisms are enabled.
This is my first try to use JWT, so far I have successfully used only the client id and secret approach with dovecot, wordpress, docuwiki, roundcube and other software. So I can not rule out I made a mistake in the JWT approach, but keycloak has the "client authenticator" setting "signed JWT" which then tells to generat a private key and cert from the "keys" tab, which I then did. I do not see this key referenced somewhere in https://auth.domain.tld/realms/MyRealm/protocol/openid-connect/certs and the dovecot oauth docs are not very clear to someone who is new to this stuff. I do not think I have to put the private key which I get from keycloak as a jks as a result of the key generation into dovecot (if I have, it is not clear to me what the path would be in dovecot). What it displays on the keys page after generating the key looks like a base64 encoded cert to me (starts with "MII", ands with "="), but I don't know if it corresponds to the public or private part of the cert, and where to put it into dovecot if it is the public part.
What I miss / don't know in dovecot is a way to see/understand what it is doing, e.g.
- fetching the .well-known url
- using X, Y, Z as urls for feature A, B, C
- using file /path/to/keys/A/B/C (found / not found) to do X
- this is the cleartext I try to match with content D, E, F
If I attach the FreeBSD ktrace (like "trace" in Linux) to the existing auth process to at least be able to see which files it tries to open, it seems to be too late to see which files it tries to open, nothing shows up except my static PW file which is a fallback for imap clients which don't use oauth, so it doesn't matter here). I haven't tried to start the entire dovecot stack with ktrace enabled, that would take much more time to wade through than I have for this right now.
Bye, Alexander.
Seems your issue is
oauth2(email,IP,<sessionhash>): oauth2 failed: Local validation failed: client_id not found in aud field
This is a recently added thing, as oauth2 spec requires to check this. If you are using local validation, you can opt to leave client_id empty and this should go away.
alternatively you can use the client_id that will be present in aud field.
Aki