Hello,
I upgraded my servers from Debian Buster (v10) to Bullseye (v11). Before the upgrade, I had Roundcube / Dovecot working with LemonLdap (via OAuth).
After the upgrade, I can't connect to Roundcube anymore.
- roundcube (v1.5-rc) stayed the same
- Dovecot upgraded from v1:2.3.4.1-5+deb10u6 to v1:2.3.13+dfsg1-2
I already discussed on the LemonLdap mailing list and the analysis was: "Seems like your app is not sending client_id and client_secret correctly then It can do that either as POST parameters or in the Authorization header"
I downgraded Dovecot to Buster version (v1:2.3.4.1-5+deb10u6) and Roundcube / Dovecot are working again.
What could have changed between these 2 versions to have that error?
My dovecot Oauth config:
debug = yes

## url for verifying token validity. Token is appended to the URL
tokeninfo_url = https://auth.mydomain.name/oauth2/userinfo?access_token=

## introspection endpoint, used to gather extra fields and other information.
introspection_url = https://auth.mydomain.name/oauth2/introspect

## How introspection is made, valid values are
##   auth = GET request with Bearer authentication
##   get  = GET request with token appended to URL
##   post = POST request with token=bearer_token as content
introspection_mode = post

## TLS settings
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

## username attribute in response (default: email)
username_attribute = email
The error I found in the logs:
==> nginx/portal.log <==
11.22.33.44 - - [25/Oct/2021:16:31:59 +0200] "POST /oauth2/introspect HTTP/1.1" 401 355 "-" "dovecot-oauth2-passdb/2.3.13" -

==> error <==
Oct 25 16:31:59 XXX LLNG[413575]: [error] No authentication provided to get token, or authentication type not supported

==> mail.log <==
Oct 25 16:31:59 XXX dovecot[1390]: auth: Debug: http-client: conn 11.22.33.44:443 [12]: Got 401 response for request [Req72: POST https://auth.mydomain.name/oauth2/introspect]: Unauthorized (took 705 ms - 0 ms in queue)
Oct 25 16:31:59 XXX dovecot[1390]: auth: Error: oauth2(yyyyy@mydomain.name,127.0.0.1,): oauth2 failed: Object doesn't begin with '{'
Thanks, Kenny
On 26/10/2021 16:04 la.jolie@paquerette la.jolie@paquerette.org wrote:
> My dovecot Oauth config:
> debug = yes
>
> ## url for verifying token validity. Token is appended to the URL
> tokeninfo_url = https://auth.mydomain.name/oauth2/userinfo?access_token=
>
> ## introspection endpoint, used to gather extra fields and other information.
> introspection_url = https://auth.mydomain.name/oauth2/introspect
>
> ## How introspection is made, valid values are
> ##   auth = GET request with Bearer authentication
> ##   get  = GET request with token appended to URL
> ##   post = POST request with token=bearer_token as content
> introspection_mode = post
>
> ## TLS settings
> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
>
> ## username attribute in response (default: email)
> username_attribute = email
I cannot see client_id or client_secret here. They are added automatically as POST fields when present in the config file.
Aki
On 26/10/21 17:48, Aki Tuomi wrote:
> I cannot see client_id or client_secret here. They are added automatically as POST fields when present in the config file.
>
> Aki

Hello Aki,
Indeed, it seems to be compulsory to have client_id & client_secret in the dovecot-oauth file with bullseye version of dovecot.
NB: For those who were in the same situation, don't forget to protect your dovecot-oauth file as it now has a secret.
-rw-r----- 1 dovecot dovecot 1152 oct 27 14:09 /etc/dovecot/dovecot-oauth2.conf.ext
Big thanks for your help.
Best, Kenny
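
A check for the two points this thread ends on, as an added example that is not part of the original messages or of Dovecot: it flags an oauth2 passdb file that sets introspection_url without client_id and client_secret, and one that grants any access to "other" once a secret is stored in it. The helper name check_oauth2_conf is hypothetical, and GNU stat (as on Debian) is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Dovecot oauth2 passdb file.
# check_oauth2_conf is a hypothetical helper; it returns the number of findings.
check_oauth2_conf() {
    conf=$1
    findings=0
    # Client credentials only matter when an introspection endpoint is configured.
    if grep -Eq '^[[:space:]]*introspection_url[[:space:]]*=' "$conf"; then
        for key in client_id client_secret; do
            if ! grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*[^[:space:]]" "$conf"; then
                echo "MISSING: $key is not set in $conf"
                findings=$((findings + 1))
            fi
        done
    fi
    # Once client_secret is in the file, "other" must have no access (e.g. 640).
    mode=$(stat -c '%a' "$conf")   # GNU stat, as shipped on Debian
    case $mode in
        *0) ;;
        *)  echo "PERMS: $conf has mode $mode; remove access for others"
            findings=$((findings + 1)) ;;
    esac
    return "$findings"
}

# Run against a file given on the command line, e.g.
#   sh check.sh /etc/dovecot/dovecot-oauth2.conf.ext
if [ $# -gt 0 ]; then
    check_oauth2_conf "$1"
fi
```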