Dovecot and xoauth2: oauth2 active_attribute check failed
Dear dovecot list members,
I am currently working on the task of implementing an MFA solution with OpenID for our SOGo server v5.12.1.20250612-1 and our Dovecot server v2.3.21.1. For this purpose, we are using a Shibboleth IDP v5.1.4 with the appropriate OpenID extension via XOAUTH2.
In my opinion, authentication and authorization requests and responses between SOGo and the IDP are working flawlessly, and with:
SOGoSMTPAuthenticationType = xoauth2;
NGImap4AuthMechanism = xoauth2;
the SOGo server forwards the received access token to the Dovecot server. On the Dovecot side, I have configured the server as follows:
/etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = yes
auth_username_format = %Ln
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = yes
auth_debug_passwords = yes
mail_debug = yes
verbose_ssl = yes
!include auth-master.conf.ext
!include auth-oauth2.conf.ext
/etc/dovecot/conf.d/auth-oauth2.conf.ext
auth_mechanisms = $auth_mechanisms plain xoauth2 oauthbearer
passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}
userdb {
  driver = static
  args = uid=vmail gid=vmail home=/var/vmail/%u
}
service auth {
  unix_listener /var/spool/postfix/private/auth {
    mode = 0660
    # Assuming the default Postfix user and group
    user = postfix
    group = postfix
  }
}
/etc/dovecot/dovecot-oauth2.conf.ext
introspection_mode = post
introspection_url = https://<ID>:<SECRET>@idp-test.uni-konstanz.de/idp/profile/oauth2/introspection
username_attribute = mail
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
As soon as the SOGo server contacts the Dovecot server, and the latter contacts the IDP server, I see the following error message in the Dovecot server logs:
Jun 13 11:44:47 bamenda dovecot: auth: Debug: http-client[1]: request [Req7: POST https://idp-test.uni-konstanz.de/idp/profile/oauth2/introspection]: Free (requests left=1)
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Introspection succeeded
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Processing field active
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): oauth2 active_attribute check failed: expected active="true" but got "false"
Jun 13 11:44:47 bamenda dovecot: auth: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): oauth2 failed: Introspection failed: Provided token is not valid
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Finished passdb lookup
Jun 13 11:44:47 bamenda dovecot: auth: Debug: auth(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Auth request finished
Is the error on the IDP side, or is there something wrong with my Dovecot configuration, or both? How can I make Dovecot more verbose, so that I can see all the tokens exchanged with SOGo and the IDP?
I would greatly appreciate your help.
Best regards,
Markus Grandpré

--
Markus Ludwig Grandpré
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre, B803
Tel: +49 7531 88 4342
On 13/06/2025 13:05 EEST Markus Grandpré via dovecot <dovecot@dovecot.org> wrote:
Your IDP is returning with "false" when "true" is expected, which is causing the login to be refused (as expected).
Aki
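To reproduce by hand what the oauth2 passdb does with the introspection reply, and to see the raw IDP answer the original post asks about, here is an added example in Python; it is not part of the thread and not Dovecot's, SOGo's or Shibboleth's code. It mirrors the settings from dovecot-oauth2.conf.ext above (post mode, credentials in the URL, username_attribute, active_attribute, active_value); CLIENT_ID / CLIENT_SECRET are placeholders, and the active/username logic is modelled on the log messages in the thread rather than copied from Dovecot.

```python
"""Added example (not Dovecot, SOGo or Shibboleth code): redo the oauth2 passdb
introspection from the thread's dovecot-oauth2.conf.ext by hand, so the raw
RFC 7662 reply and the reason Dovecot refuses a token can be inspected."""
import base64, json, sys, urllib.parse, urllib.request

# Settings copied from the thread; CLIENT_ID / CLIENT_SECRET are placeholders.
CONF = {
    "introspection_url": "https://CLIENT_ID:CLIENT_SECRET@idp-test.uni-konstanz.de/idp/profile/oauth2/introspection",
    "username_attribute": "mail",
    "active_attribute": "active",
    "active_value": "true",
}

def build_introspection_request(introspection_url, token):
    """introspection_mode = post: the URL's userinfo becomes HTTP Basic auth
    and the token is sent as a form field (the POST seen as Req7 in the log)."""
    p = urllib.parse.urlsplit(introspection_url)
    host = p.hostname if p.port is None else f"{p.hostname}:{p.port}"
    url = urllib.parse.urlunsplit(p._replace(netloc=host))
    basic = base64.b64encode(f"{p.username}:{p.password}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, urllib.parse.urlencode({"token": token}).encode()

def as_string(value):
    """Dovecot compares the field as a string, so JSON true/false must become
    "true"/"false"; a missing field counts as "" in this script."""
    if value is None:
        return ""
    if isinstance(value, bool):
        return "true" if value else "false"
    return str(value)

def evaluate_introspection(response, conf=CONF):
    """Apply the active_attribute / active_value check, then take the login
    name from username_attribute. Returns (accepted, reason, username)."""
    got = as_string(response.get(conf["active_attribute"]))
    if got != conf["active_value"]:
        return (False, 'active_attribute check failed: expected '
                f'{conf["active_attribute"]}="{conf["active_value"]}" but got "{got}"', None)
    user = response.get(conf["username_attribute"])
    if not user:
        return False, f'no {conf["username_attribute"]} in response', None
    return True, "token active", str(user)

if __name__ == "__main__":  # usage: python3 introspect.py <access token>
    url, hdrs, body = build_introspection_request(CONF["introspection_url"], sys.argv[1])
    with urllib.request.urlopen(urllib.request.Request(url, body, hdrs)) as r:
        reply = json.load(r)
    print(json.dumps(reply, indent=2), evaluate_introspection(reply), sep="\n")
```

Run it with the access token SOGo forwards (visible with auth_debug_passwords = yes) and the printed reply shows whether the IDP itself reports the token as inactive, which is what the log line in the thread indicates.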