2.3.21 broke XOAUTH authentication against Keycloak
I have Roundcube and Dovecot2 set up to authenticate against Keycloak using the XOAUTH2 method, as follows:
  introspection_url = https://[...]/realms/[...]/protocol/openid-connect/token/introspect
  introspection_mode = post
  username_attribute = email
  client_id = [...]
  client_secret = [...]
  tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
Since upgrading to 2.3.21 XOAUTH2 fails to authenticate with:
dovecot: auth: Error: oauth2([...],[...],<[...]>): oauth2 failed: Introspection failed: No username returned
  WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=client_not_found
  WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=invalid_request, detail='Authentication failed.'
Downgrading to 2.3.20 fixes the issue.
I believe this change is to blame:
lib-oauth2: Dovecot would send client_id and client_secret as POST parameters to the introspection server. These need to be optionally in Basic auth instead.
Is there anything I should change in my Keycloak/Dovecot config or is this a bug?
On 23/09/2023 12:55 EEST tj@interseclab.org wrote:
> I have Roundcube and Dovecot2 set up to authenticate against Keycloak using the XOAUTH2 method, as follows:
>
>   introspection_url = https://[...]/realms/[...]/protocol/openid-connect/token/introspect
>   introspection_mode = post
>   username_attribute = email
>   client_id = [...]
>   client_secret = [...]
>   tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
>
> Since upgrading to 2.3.21 XOAUTH2 fails to authenticate with:
>
>   dovecot: auth: Error: oauth2([...],[...],<[...]>): oauth2 failed: Introspection failed: No username returned
>
>   WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=client_not_found
>   WARN [org.keycloak.events] (executor-thread-45) type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, ipAddress=[...], error=invalid_request, detail='Authentication failed.'
>
> Downgrading to 2.3.20 fixes the issue.
>
> I believe this change is to blame:
>
> lib-oauth2: Dovecot would send client_id and client_secret as POST parameters to the introspection server. These need to be optionally in Basic auth instead.
>
> Is there anything I should change in my Keycloak/Dovecot config or is this a bug?
Try changing introspection_url to https://client_id:client_secret@server/....
Aki
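The thread turns on the two ways a client may authenticate to an RFC 7662 token introspection endpoint: client_id/client_secret as POST form parameters, or an HTTP Basic Authorization header built from the credentials (which is what embedding them in the URL as https://client_id:client_secret@server/... expresses). The following is an added example, not Dovecot's or Keycloak's code: it builds both request shapes, strips the userinfo out of the URL the way Aki suggests, and runs them against a constructed stand-in for the introspection endpoint that answers with the same error names seen in the Keycloak log (client_not_found, invalid_request). The client registry, the token table and the mock endpoint are all constructed for the example; a real Keycloak deployment would be consulted over TLS instead.

```python
import base64
from urllib.parse import (parse_qs, quote, unquote, urlencode,
                          urlsplit, urlunsplit)


def basic_credentials_from_url(url):
    """Split userinfo out of an introspection URL of the form
    https://client_id:client_secret@server/... and return
    (url_without_userinfo, value_for_Authorization_header).
    RFC 6749 section 2.3.1: client_id and client_secret are
    form-urlencoded before being joined with ':' and base64-encoded.
    Returns (url, None) when the URL carries no userinfo."""
    parts = urlsplit(url)
    if parts.username is None:
        return url, None
    client_id = unquote(parts.username)
    client_secret = unquote(parts.password or "")
    raw = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    header = "Basic " + base64.b64encode(raw.encode()).decode()
    host = parts.hostname
    if parts.port:
        host += f":{parts.port}"
    clean = urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    return clean, header


def build_introspection_request(introspection_url, token,
                                client_id=None, client_secret=None):
    """Return (url, headers, body) for an introspection POST.
    Credentials embedded in the URL become an Authorization: Basic header;
    otherwise, if client_id is given, client_id/client_secret are sent as
    POST parameters. With neither, the request carries no client auth."""
    url, auth = basic_credentials_from_url(introspection_url)
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    form = {"token": token}
    if auth is not None:
        headers["Authorization"] = auth
    elif client_id is not None:
        form["client_id"] = client_id
        form["client_secret"] = client_secret or ""
    return url, headers, urlencode(form)


# Constructed data for the mock endpoint (not real clients or tokens).
CONSTRUCTED_CLIENTS = {"dovecot": "s3cret"}
CONSTRUCTED_TOKENS = {"tok-123": {"active": True, "email": "alice@example.org"}}


def mock_introspection_endpoint(headers, body):
    """Constructed stand-in for a Keycloak-style introspection endpoint.
    Authenticates the client from Basic auth if present, else from the POST
    parameters, then reports on the token. Returns the dict the server
    would serialise as JSON; error names mirror the log lines in the thread."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        decoded = base64.b64decode(auth[len("Basic "):]).decode()
        cid, _, csec = decoded.partition(":")
        cid, csec = unquote(cid), unquote(csec)
    else:
        cid, csec = form.get("client_id"), form.get("client_secret")
    if cid is None or cid not in CONSTRUCTED_CLIENTS:
        return {"error": "client_not_found"}
    if CONSTRUCTED_CLIENTS[cid] != csec:
        return {"error": "invalid_request",
                "error_description": "Authentication failed."}
    info = CONSTRUCTED_TOKENS.get(form.get("token"))
    if info is None:
        return {"active": False}
    return dict(info)


def dovecot_username(response, username_attribute="email"):
    """The consumer-side check: an active token must carry the configured
    username_attribute, otherwise there is no username to log in with
    (the 'No username returned' failure from the thread)."""
    if not response.get("active"):
        return None
    return response.get(username_attribute)


if __name__ == "__main__":
    url = "https://dovecot:s3cret@idp.example/realms/r/protocol/openid-connect/token/introspect"
    u, h, b = build_introspection_request(url, "tok-123")
    print(u, h.get("Authorization"), b)
    print(dovecot_username(mock_introspection_endpoint(h, b)))
```

The mock makes the failure mode visible: a request that carries neither a Basic header nor client_id/client_secret in the body is answered with client_not_found, and a request with the wrong secret with invalid_request, so an empty or rejected client authentication and an inactive token look different on the server side even though both end as "No username returned" at the consumer.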