Is XOAUTH2 support broken in 2.3.21?
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Kind regards
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20,
but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so
it is introduced in the newer release.Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a
possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Aki
Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed, that the active attribute is now actually checked.
Aki
Hi,
well I fear there is still something wrong.
Am 04.10.2023 um 15:05 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed, that the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect
{"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token=
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug or does the active field shown above nothing have to do with the active field in the dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
You seem to be using userinfo and not introspect endpoint in your configuration. Does userinfo return active too?
Aki
On 04/10/2023 20:05 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
well I fear there is still something wrong.
Am 04.10.2023 um 15:05 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
> Hi, > > I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release. > > Error (2.3.21): >
> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >
> > Here is an example with 2.3.20: > > Success (2.3.20): >> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >
Searching the archives might give a lead to what's going on (and a possible workaround):
https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...
I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed, that the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token= Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug or does the active field shown above nothing have to do with the active field in the dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Hi,
Am 05.10.2023 um 08:22 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
You seem to be using userinfo and not introspect endpoint in your configuration. Does userinfo return active too?
tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token= introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
I consider tokeninfo_url to be a userinfo URL and introspection_url for introspection ;-)
The curl command I showed is against the introspection endpoint.
The userinfo endpoint does not list the active flag.
Christian
Aki
On 04/10/2023 20:05 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
well I fear there is still something wrong.
Am 04.10.2023 um 15:05 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
> Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org: > > Citeren Christian Rößner via dovecot dovecot@dovecot.org: > >> Hi, >> >> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release. >> >> Error (2.3.21): >>
>> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>
>> >> Here is an example with 2.3.20: >> >> Success (2.3.20): >>>> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>
> > Searching the archives might give a lead to what's going on (and a possible workaround): > > https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL...I get a different error from RC:
Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
And changing the introspection_url parameter did not change anything.
Thanks in advance
Christian Rößner
Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed, that the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token= Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug or does the active field shown above nothing have to do with the active field in the dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Am 05.10.2023 um 09:08 schrieb Christian Rößner lists@mlserv.org:
Hi,
Am 05.10.2023 um 08:22 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
You seem to be using userinfo and not introspect endpoint in your configuration. Does userinfo return active too?
tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token= introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
Here is an example of the userinfo results (I have a test client for this):
{
"OAuth2Token": {
"access_token": "ory_at_***HIDDEN***",
"token_type": "bearer",
"refresh_token": "ory_rt_***HIDDEN***",
"expiry": "2023-10-05T10:09:52.394731+02:00"
},
"IDTokenClaims": {
"at_hash": "6UQR9dqFoaH1a-ztuZsmfg",
"aud": [
"718f4a52-e1a8-431d-9146-15809cfe3240"
],
"auth_time": 1696489790,
"dovecot_mailbox_path": "sdbox:~/sdbox:VOLATILEDIR=/srv/vmail/volatile/%2.256Nu/%Lu:LISTINDEX=/srv/vmail/listindex/%2.256Nu/%Lu/dovecot.list.index",
"dovecot_user": "de10000@srvint.net",
"email": "christian@roessner.email",
"exp": 1696493393,
"family_name": "Rößner",
"given_name": "Christian",
"groups": [
"admin",
"user",
"superadmin",
"familie",
"kanzlei"
],
"iat": 1696489793,
"iss": "https://oauth.authserv.me:4444",
"jti": "***",
"name": "Christian Rößner",
"nickname": "croessner",
"nonce": "***",
"preferred_username": "croessner",
"rat": 1696489779,
"sid": "***",
"sub": "977c6572-d017-103b-836b-b5fc6e126160"
}
}
I do not see something like an active flag.
Christian
Aki
On 04/10/2023 20:05 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
well I fear there is still something wrong.
Am 04.10.2023 um 15:05 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com:
> > On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote: > > > Hi, > >> Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org: >> >> Citeren Christian Rößner via dovecot dovecot@dovecot.org: >> >>> Hi, >>> >>> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release. >>> >>> Error (2.3.21): >>>
>>> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>>
>>> >>> Here is an example with 2.3.20: >>> >>> Success (2.3.20): >>>>>> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>>
>> >> Searching the archives might give a lead to what's going on (and a possible workaround): >> >> https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL... > > I get a different error from RC: > >> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw) >
> > And changing the introspection_url parameter did not change anything. > > Thanks in advance > > Christian Rößner > --Can you provide auth_debug=yes logs?
Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed, that the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token= Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug or does the active field shown above nothing have to do with the active field in the dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Ok, i guess the problem is that it's somehow thinking it got everything already from the tokeninfo endpoint. Can you try enabling forced introspection?
Aki
On 05/10/2023 10:13 EEST Christian Rößner lists@mlserv.org wrote:
Am 05.10.2023 um 09:08 schrieb Christian Rößner lists@mlserv.org:
Hi,
Am 05.10.2023 um 08:22 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
You seem to be using userinfo and not introspect endpoint in your configuration. Does userinfo return active too?
tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token= introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
Here is an example of the userinfo results (I have a test client for this):
{ "OAuth2Token": { "access_token": "ory_at_***HIDDEN***", "token_type": "bearer", "refresh_token": "ory_rt_***HIDDEN***", "expiry": "2023-10-05T10:09:52.394731+02:00" }, "IDTokenClaims": { "at_hash": "6UQR9dqFoaH1a-ztuZsmfg", "aud": [ "718f4a52-e1a8-431d-9146-15809cfe3240" ], "auth_time": 1696489790, "dovecot_mailbox_path": "sdbox:~/sdbox:VOLATILEDIR=/srv/vmail/volatile/%2.256Nu/%Lu:LISTINDEX=/srv/vmail/listindex/%2.256Nu/%Lu/dovecot.list.index", "dovecot_user": "de10000@srvint.net", "email": "christian@roessner.email", "exp": 1696493393, "family_name": "Rößner", "given_name": "Christian", "groups": [ "admin", "user", "superadmin", "familie", "kanzlei" ], "iat": 1696489793, "iss": "https://oauth.authserv.me:4444", "jti": "***", "name": "Christian Rößner", "nickname": "croessner", "nonce": "***", "preferred_username": "croessner", "rat": 1696489779, "sid": "***", "sub": "977c6572-d017-103b-836b-b5fc6e126160" } }
I do not see something like an active flag.
Christian
Aki
On 04/10/2023 20:05 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
well I fear there is still something wrong.
Am 04.10.2023 um 15:05 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote:
Hi,
> Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com: > >> >> On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote: >> >> >> Hi, >> >>> Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org: >>> >>> Citeren Christian Rößner via dovecot dovecot@dovecot.org: >>> >>>> Hi, >>>> >>>> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release. >>>> >>>> Error (2.3.21): >>>>
>>>> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>>>
>>>> >>>> Here is an example with 2.3.20: >>>> >>>> Success (2.3.20): >>>>>>>> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>>>
>>> >>> Searching the archives might give a lead to what's going on (and a possible workaround): >>> >>> https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL... >> >> I get a different error from RC: >> >>>> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw) >>
>> >> And changing the introspection_url parameter did not change anything. >> >> Thanks in advance >> >> Christian Rößner >> -- > > Can you provide auth_debug=yes logs?Turning n debug showed the problem:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured.
Thanks.
Christian Rößner
Yes, this was a bug that was fixed, that the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token= Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug or does the active field shown above nothing have to do with the active field in the dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
On 5 Oct 2023, at 9:26, Aki Tuomi wrote:
Ok, i guess the problem is that it's somehow thinking it got everything already from the tokeninfo endpoint. Can you try enabling forced introspection?
It is already forced :-)
Christian
Aki
On 05/10/2023 10:13 EEST Christian Rößner lists@mlserv.org wrote:
Am 05.10.2023 um 09:08 schrieb Christian Rößner lists@mlserv.org:
Hi,
Am 05.10.2023 um 08:22 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
You seem to be using userinfo and not introspect endpoint in your configuration. Does userinfo return active too?
tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token= introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
Here is an example of the userinfo results (I have a test client for this):
{ "OAuth2Token": { "access_token": "ory_at_***HIDDEN***", "token_type": "bearer", "refresh_token": "ory_rt_***HIDDEN***", "expiry": "2023-10-05T10:09:52.394731+02:00" }, "IDTokenClaims": { "at_hash": "6UQR9dqFoaH1a-ztuZsmfg", "aud": [ "718f4a52-e1a8-431d-9146-15809cfe3240" ], "auth_time": 1696489790, "dovecot_mailbox_path": "sdbox:~/sdbox:VOLATILEDIR=/srv/vmail/volatile/%2.256Nu/%Lu:LISTINDEX=/srv/vmail/listindex/%2.256Nu/%Lu/dovecot.list.index", "dovecot_user": "de10000@srvint.net", "email": "christian@roessner.email", "exp": 1696493393, "family_name": "Rößner", "given_name": "Christian", "groups": [ "admin", "user", "superadmin", "familie", "kanzlei" ], "iat": 1696489793, "iss": "https://oauth.authserv.me:4444", "jti": "***", "name": "Christian Rößner", "nickname": "croessner", "nonce": "***", "preferred_username": "croessner", "rat": 1696489779, "sid": "***", "sub": "977c6572-d017-103b-836b-b5fc6e126160" } }
I do not see something like an active flag.
Christian
Aki
On 04/10/2023 20:05 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote:
Hi,
well I fear there is still something wrong.
Am 04.10.2023 um 15:05 schrieb Aki Tuomi via dovecot dovecot@dovecot.org:
> > On 04/10/2023 16:02 EEST Christian Rößner lists@mlserv.org wrote: > > > Hi, > >> Am 04.10.2023 um 14:31 schrieb Aki Tuomi aki.tuomi@open-xchange.com: >> >>> >>> On 04/10/2023 15:13 EEST Christian Rößner via dovecot dovecot@dovecot.org wrote: >>> >>> >>> Hi, >>> >>>> Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org: >>>> >>>> Citeren Christian Rößner via dovecot dovecot@dovecot.org: >>>> >>>>> Hi, >>>>> >>>>> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release. >>>>> >>>>> Error (2.3.21): >>>>>
>>>>> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>>>>
>>>>> >>>>> Here is an example with 2.3.20: >>>>> >>>>> Success (2.3.20): >>>>>>>>>> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) >>>>>
>>>> >>>> Searching the archives might give a lead to what's going on (and a possible workaround): >>>> >>>> https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXL... >>> >>> I get a different error from RC: >>> >>>>>> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw) >>>
>>> >>> And changing the introspection_url parameter did not change anything. >>> >>> Thanks in advance >>> >>> Christian Rößner >>> -- >> >> Can you provide auth_debug=yes logs? > > Turning n debug showed the problem: > >> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response >
> > In earlier configuration tests I had an 'active' claim. Dovecot prior 2.3.21 seems to had ignored a missing field, while newer version expect it to be present if configured. > > Thanks. > > Christian Rößner > --Yes, this was a bug that was fixed, that the active attribute is now actually checked.
I thought I had mistakenly removed the active field, but I did not:
curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
As you can see, the 'active' field exists, but Dovecot expects it to be a claim, which it is not.
From auth_debug:
Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token= Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
Is this a bug or does the active field shown above nothing have to do with the active field in the dovecot configuration?
I would expect the field shown above.
Thanks in advance
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
Hi again,
Am 04.10.2023 um 12:56 schrieb Arjen de Korte build+dovecot@de-korte.org:
Citeren Christian Rößner via dovecot dovecot@dovecot.org:
Hi,
I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is introduced in the newer release.
Error (2.3.21):
Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
Here is an example with 2.3.20:
Success (2.3.20):
Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
I thought it would be oviously what is going wrong, so I did not show any configuration stuff. Here are some more details from the dovecot configuration:
tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token=
introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
introspection_mode = post
force_introspection = yes
scope = email
username_attribute = email
username_format = %Lu
active_attribute = active
active_value = true
openid_configuration_url = https://oauth.authserv.me:4444/.well-known/openid-configuration
pass_attrs = \
dovecot_user=user \
dovecot_mailbox_home=userdb_home \
dovecot_mailbox_path=userdb_mail
max_parallel_connections = 10
tls_allow_invalid_cert = yes
The OAuth2/OIDC server is Ory-hydra. The authentication backend is https://authserv.io https://authserv.io/, my own OpenSource project.
Kind regards
Christian Rößner
Rößner-Network-Solutions Zertifizierter ITSiBe / CISO Karl-Bröger-Str. 10, 36304 Alsfeld Fax: +49 6631 78823409, Mobil: +49 171 9905345 USt-IdNr.: DE225643613, https://roessner.website PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
participants (3)
-
Aki Tuomi
-
Arjen de Korte
-
Christian Rößner