OAUTH2 problem when migrating to Ubuntu 24.04
Hi,
I have a Dovecot server on Ubuntu 22.04, which works fine with Oauth2. I am building a new container based on Ubuntu 24.04. IMAP seems to work fine with plain authentication, but oauth2 fails (Dovecot v2.3.21). Same configuration as before.
However, I got this message:
May 09 09:41:57 auth: Error: oauth2(fran@mydomain.eu,10.110.41.32,
Weird, as it does indeed seems to get the username (as seen on the log).
Any clue on why this fails?
Best,
Francis
On 09/05/2024 10:46 EEST Francis Augusto Medeiros-Logeay via dovecot dovecot@dovecot.org wrote:
Hi,
I have a Dovecot server on Ubuntu 22.04, which works fine with Oauth2. I am building a new container based on Ubuntu 24.04. IMAP seems to work fine with plain authentication, but oauth2 fails (Dovecot v2.3.21). Same configuration as before.
However, I got this message:
May 09 09:41:57 auth: Error: oauth2(fran@mydomain.eu,10.110.41.32,
): oauth2 failed: Introspection failed: No username returned Weird, as it does indeed seems to get the username (as seen on the log).
Any clue on why this fails?
Best,
Francis
It means that introspection did not return username for the token. This is important, because if the token is not validated to belong to the user attempting to log in, anyone could login as anyone with any token.
Aki
Francis Augusto Medeiros-Logeay Oslo, Norway
On 2024-05-09 10:11, Aki Tuomi wrote:
On 09/05/2024 10:46 EEST Francis Augusto Medeiros-Logeay via dovecot dovecot@dovecot.org wrote:
Hi,
I have a Dovecot server on Ubuntu 22.04, which works fine with Oauth2. I am building a new container based on Ubuntu 24.04. IMAP seems to work fine with plain authentication, but oauth2 fails (Dovecot v2.3.21). Same configuration as before.
However, I got this message:
May 09 09:41:57 auth: Error: oauth2(fran@mydomain.eu,10.110.41.32,
): oauth2 failed: Introspection failed: No username returned Weird, as it does indeed seems to get the username (as seen on the log).
Any clue on why this fails?
Best,
Francis
It means that introspection did not return username for the token. This is important, because if the token is not validated to belong to the user attempting to log in, anyone could login as anyone with any token.
Aki
Actually, the problem was not that. It was some change on Dovecot where suddenly I need to add "clientid:client_secret@" on the url (googled it, and saw that you advised that before). Now it works.
Best, Francis
participants (2)
-
Aki Tuomi
-
Francis Augusto Medeiros-Logeay