Hi,

I have a problem with configuring dovecot passdb for Oauth2 with keyclock. A user can access more mailbox, mailboxes are associated with the user.

When a user login with this method:

OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready. a login mailbox*user password

Dovecot when requiring the grant_url send to Keyclock, for example, this post (I have already enabled raw_log for analysis):

grant_type=password&username=domenico&password=test&client_id=imap-client&client_secret=99e26b26-0f2a-4b64-8f57-c0ca2147d3a0&scope=emailPOST /auth/realms/example/protocol/openid-connect/token/introspect

The call pass to Keyclock only master_user and miss mailbox info. In fact, the JSON response after login return the only username without mailbox:

[...] "scope": "profile email", "email_verified": false, "preferred_username": "dome.nico" [...]

When Dovecot proxy connects to the backend, email attribute and user have the same value, master-user. This behavior is a problem because when backend tries login access, login with the user and not with the mailbox.

This is backend logging:

2020-02-13 19:34:13 auth: Debug: client passdb out: OK 1 user=domenico token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYVy1fSmNnVkF3aW9GUXh1NUhwdjVlbk5uNU8zaW42Y1VpaGJsM2dWX0V3In0.eyJqdGkiOiJhYTMwZ Dk0Yy0xNjE0LTQzN2QtOTA5Zi01ZTAwNGQ2YjNmZTIiLCJleHAiOjE1ODE2MTE5NTQsIm5iZiI6MCwiaWF0IjoxNTgxNjExNjU0LCJpc3MiOiJodHRwczovL2tleWNsb2FrLXBlYy1pYW0ucGVjLWFwcHMucGFyLXRlYy5pdC9hdXRoL3JlYWxtcy9wZWMiLCJhdWQiOiJhY2NvdW50Iiwi c3ViIjoiZjphNTA1NWUzMi1lYzhkLTRmZjgtOWZjNS00ODM4MmQ1MzRhODc6ZG9tZS5uaWNvIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaW1hcC1jbGllbnQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIyN2M0ZDMzYy01YjdlLTQzMWMtYjZmMi0yYmI4NjIzYzMyMjkiLCJ hY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2 ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImRvbWUubmljbyJ9.LlIx-QeRQPr3lK4Cs1vU0qMvHF3uq3h15BGi1atNCBASkM6oPoYWLV-sYdf8hzpRFyOaTcbxN53SN6LfD0hHvUZ2sKHxh7UJ idmxS4hf1SsZq8wJTASpebcPLtBIX5JBvXmpxa-cVnZDE1JVw5np5-LLNs0j4sgHwgg85mJEoE2VmYJzbGZjUsSTvaAAoCbvTA0MfsNoKyq0E5JrLVdkI-twX7HjAESFqFD4yHe7BS4FG_UjddrSr3uXmXreB44VLZ8B4xBgVRjK9K-sjjkXT8Bkv8WbxUdEEHaarWU_qanI5DlhA0CZXlJ CyDsNcRwQfwVHOESxXE7ehgIDPm-NjA

I have a mechanism for adding other attributes with Dovecot when calling Keyclock? This for insert email or other fields into the token.

Thanks all, Domenico

——— Dovecot Frontend

# 2.3.9.2 (cf2918cac): /config/dovecot/dovecot-proxy/dovecot.conf # OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)
# Hostname: fe-new.example.it auth_debug = yes auth_debug_passwords = yes auth_master_user_separator = * auth_verbose = yes auth_verbose_passwords = yes base_dir = /data/dovecot/var/run/dovecot-proxy default_vsz_limit = 768 M disable_plaintext_auth = no first_valid_gid = 101 first_valid_uid = 102 imap_id_send = import_environment = TZ MASTERPWD info_log_path = /LOGS/imap/dovecot-proxy.log instance_name = dovecot-proxy listen = fe-new_imap log_path = /LOGS/imap/dovecot-proxy.log log_timestamp = "%Y-%m-%d %H:%M:%S " mail_gid = 101 mail_location = maildir:%h/Maildir mail_max_userip_connections = 50 mail_plugins = quota expire mail_log notify mail_uid = 102 maildir_broken_filename_sizes = yes mbox_write_locks = fcntl namespace inbox { inbox = yes location = mailbox Drafts { special_use = \Drafts } mailbox Junk { special_use = \Junk } mailbox Sent { special_use = \Sent } mailbox "Sent Messages" { special_use = \Sent } mailbox Trash { special_use = \Trash } prefix = INBOX. separator = . subscriptions = yes type = private } passdb { args = /config/dovecot/dovecot-proxy/dovecot-oauth2.conf driver = oauth2 master = yes mechanisms = plain login } plugin { mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename mail_log_fields = uid box msgid size } postmaster_address = posta@foo.it protocols = imap pop3 service anvil { client_limit = 3000 } service auth { client_limit = 4096 unix_listener auth-userdb { mode = 0600 } } service imap-login { inet_listener imap { port = 0 } inet_listener imaps { port = 993 ssl = yes } process_limit = 2500 process_min_avail = 5 } service imap { drop_priv_before_exec = yes process_limit = 2500 process_min_avail = 5 } service lmtp { inet_listener lmtp { port = 24 } } service managesieve-login { inet_listener sieve { port = 4190 } process_min_avail = 0 service_count = 1 vsz_limit = 64 M } service managesieve { drop_priv_before_exec = yes process_limit = 1024 } service pop3-login { inet_listener pop3 { port = 0 } inet_listener pop3s { port = 995 ssl = yes } process_limit = 300 process_min_avail = 5 } service pop3 { drop_priv_before_exec = yes process_limit = 300 process_min_avail = 5 } ssl_cert = </certs/cert-selfsigned.crt ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4::!3DES:!IDEA ssl_dh = # hidden, use -P to show it ssl_key = # hidden, use -P to show it protocol lmtp { mail_plugins = quota expire mail_log notify } protocol lda { mail_plugins = quota expire mail_log notify } protocol imap { mail_plugins = quota imap_quota mail_log notify } protocol pop3 { mail_plugins = quota mail_log notify pop3_uidl_format = UID%u-%v }

-> /config/dovecot/dovecot-proxy/dovecot-oauth2.conf

grant_url = https://keycloak-iam.apps.example.com/auth/realms/example/protocol/openid-co... use_grant_password = yes

introspection_mode = post introspection_url = https://keycloak-iam.apps.example.com/auth/realms/example/protocol/openid-co...

username_attribute = username username_format = %Lu

tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt active_attribute = active active_value = true

scope = email send_auth_headers = yes

debug = yes rawlog_dir = /LOGS/imap/oauth2/ client_id = imap-client client_secret = 99e26b26-0f2a-4b64-8f57-c0ca2147d3a0

pass_attrs = host=192.160.10.4 proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}