On 26/10/21 17:48, Aki Tuomi wrote:
On 26/10/2021 16:04 la.jolie@paquerette la.jolie@paquerette.org wrote:
Hello,
I upgraded my servers from Debian Buster (v10) to Bullseye (v11). Before the upgrade, I had Roundcube / Dovecot working with LemonLdap (via OAuth).
After the upgrade, i can't connect to Roundcube anymore.
- roundcube (v1.5-rc) stayed the same
- Dovecot upgraded from v1:2.3.4.1-5+deb10u6 to v1:2.3.13+dfsg1-2
I already discussed on the LemonLdap mailing list and the analysis was: "Seems like your app is not sending client_id and client_secret correctly then It can do that either as POST parameters or in the Authorization header"
I downgraded Dovecot to Buster version (v1:2.3.4.1-5+deb10u6) and Roundcube / Dovecot are working again.
What could have change between these 2 versions to have that error?
My dovecot Oauth config:
debug = yes
## url for verifying token validity. Token is appended to the URL tokeninfo_url = https://auth.mydomain.name/oauth2/userinfo?access_token=
## introspection endpoint, used to gather extra fields and other information. introspection_url = https://auth.mydomain.name/oauth2/introspect
## How introspection is made, valid values are ## auth = GET request with Bearer authentication ## get = GET request with token appended to URL ## post = POST request with token=bearer_token as content introspection_mode = post
## TLS settings tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
## username attribute in response (default: email) username_attribute = email I cannot see client_id or client_secret here. They are added automatically as POST fields when present in the config file.
Aki Hello Aki,
Indeed, it seems to be compulsory to have client_id & client_secret in the dovecot-oauth file with bullseye version of dovecot.
NB: For those who were in the same situation, don't forget to protect your dovecot-oauth file as it has now a secret. -rw-r----- 1 dovecot dovecot 1152 oct 27 14:09 /etc/dovecot/dovecot-oauth2.conf.ext
Big thanks for your help.
Best, Kenny