Dovecot Proxy - Oauth2 mech add custom fields

Domenico Pastore domenico.pastore at par-tec.it
Fri Feb 14 13:36:26 EET 2020


Hi,

I have a problem configuring the Dovecot passdb for OAuth2 with Keycloak.
A user can access more than one mailbox; the mailboxes are associated with the user.

When a user logs in with this method:

OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] Dovecot ready.
a login mailbox*user password

When Dovecot requests the grant_url it sends Keycloak, for example, this POST (I have already enabled raw_log for analysis):

grant_type=password&username=domenico&password=test&client_id=imap-client&client_secret=99e26b26-0f2a-4b64-8f57-c0ca2147d3a0&scope=email
POST /auth/realms/example/protocol/openid-connect/token/introspect

The call passes only the master user to Keycloak and misses the mailbox information.
In fact, the JSON response after login returns only the username, without the mailbox:

[...]
  "scope": "profile email",
  "email_verified": false,
  "preferred_username": "dome.nico"
[...]

When the Dovecot proxy connects to the backend, the email attribute and the user have the same value, the master user.
This behavior is a problem because when the backend attempts the login, it logs in with the user and not with the mailbox.

This is backend logging:

2020-02-13 19:34:13 auth: Debug: client passdb out: OK  1       user=domenico  token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJYVy1fSmNnVkF3aW9GUXh1NUhwdjVlbk5uNU8zaW42Y1VpaGJsM2dWX0V3In0.eyJqdGkiOiJhYTMwZ
Dk0Yy0xNjE0LTQzN2QtOTA5Zi01ZTAwNGQ2YjNmZTIiLCJleHAiOjE1ODE2MTE5NTQsIm5iZiI6MCwiaWF0IjoxNTgxNjExNjU0LCJpc3MiOiJodHRwczovL2tleWNsb2FrLXBlYy1pYW0ucGVjLWFwcHMucGFyLXRlYy5pdC9hdXRoL3JlYWxtcy9wZWMiLCJhdWQiOiJhY2NvdW50Iiwi
c3ViIjoiZjphNTA1NWUzMi1lYzhkLTRmZjgtOWZjNS00ODM4MmQ1MzRhODc6ZG9tZS5uaWNvIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoiaW1hcC1jbGllbnQiLCJhdXRoX3RpbWUiOjAsInNlc3Npb25fc3RhdGUiOiIyN2M0ZDMzYy01YjdlLTQzMWMtYjZmMi0yYmI4NjIzYzMyMjkiLCJ
hY3IiOiIxIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2
ZpbGUiXX19LCJzY29wZSI6InByb2ZpbGUgZW1haWwiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6ImRvbWUubmljbyJ9.LlIx-QeRQPr3lK4Cs1vU0qMvHF3uq3h15BGi1atNCBASkM6oPoYWLV-sYdf8hzpRFyOaTcbxN53SN6LfD0hHvUZ2sKHxh7UJ
idmxS4hf1SsZq8wJTASpebcPLtBIX5JBvXmpxa-cVnZDE1JVw5np5-LLNs0j4sgHwgg85mJEoE2VmYJzbGZjUsSTvaAAoCbvTA0MfsNoKyq0E5JrLVdkI-twX7HjAESFqFD4yHe7BS4FG_UjddrSr3uXmXreB44VLZ8B4xBgVRjK9K-sjjkXT8Bkv8WbxUdEEHaarWU_qanI5DlhA0CZXlJ
CyDsNcRwQfwVHOESxXE7ehgIDPm-NjA

Is there a mechanism in Dovecot for adding other attributes when calling Keycloak? This is to insert the email or other fields into the token.

Thanks all,
Domenico

———
Dovecot Frontend

# 2.3.9.2 (cf2918cac): /config/dovecot/dovecot-proxy/dovecot.conf
# OS: Linux 3.10.0-693.17.1.el7.x86_64 x86_64 CentOS Linux release 7.4.1708 (Core)  
# Hostname: fe-new.example.it
# doveconf -n dump of the proxy (frontend) instance: clients authenticate here
# against the oauth2 master passdb below and are then proxied to the backend
# named in that passdb's pass_attrs (see the dovecot-oauth2.conf that follows).
auth_debug = yes
# auth_debug_passwords / auth_verbose_passwords make the auth process write the
# credentials of every attempt (the user's password and, after the grant, the
# access token) into info_log_path/log_path below. Keep them at "yes" only for
# the duration of the troubleshooting and scrub the log file afterwards.
auth_debug_passwords = yes
# auth_master_user_separator is what turns the "mailbox*user" login in the post
# into a master-user login: the part before "*" is the login user (mailbox),
# the part after it is the master user that the oauth2 passdb verifies.
auth_master_user_separator = *
auth_verbose = yes
auth_verbose_passwords = yes
base_dir = /data/dovecot/var/run/dovecot-proxy
default_vsz_limit = 768 M
# Cleartext PLAIN/LOGIN is permitted, but the only listeners with a port below
# are imaps (993) and pop3s (995); imap and pop3 have port = 0, so in this
# configuration credentials still travel only over TLS.
disable_plaintext_auth = no
first_valid_gid = 101
first_valid_uid = 102
imap_id_send = 
import_environment = TZ MASTERPWD
info_log_path = /LOGS/imap/dovecot-proxy.log
instance_name = dovecot-proxy
listen = fe-new_imap
log_path = /LOGS/imap/dovecot-proxy.log
log_timestamp = "%Y-%m-%d %H:%M:%S "
mail_gid = 101
mail_location = maildir:%h/Maildir
mail_max_userip_connections = 50
mail_plugins = quota expire mail_log notify
mail_uid = 102
maildir_broken_filename_sizes = yes
mbox_write_locks = fcntl
namespace inbox {
  inbox = yes
  location = 
  mailbox Drafts {
    special_use = \Drafts
  }
  mailbox Junk {
    special_use = \Junk
  }
  mailbox Sent {
    special_use = \Sent
  }
  mailbox "Sent Messages" {
    special_use = \Sent
  }
  mailbox Trash {
    special_use = \Trash
  }
  prefix = INBOX.
  separator = .
  subscriptions = yes
  type = private
}
# Master passdb: the oauth2 driver (settings in the file given by args)
# authenticates the master-user half of "mailbox*user". Only PLAIN and LOGIN
# are offered, which matches use_grant_password = yes in that file: the clear
# password has to be available so it can be forwarded to the grant_url.
passdb {
  args = /config/dovecot/dovecot-proxy/dovecot-oauth2.conf
  driver = oauth2
  master = yes
  mechanisms = plain login
}
plugin {
  mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
  mail_log_fields = uid box msgid size
}
postmaster_address = posta at foo.it
protocols = imap pop3
service anvil {
  client_limit = 3000
}
service auth {
  client_limit = 4096
  unix_listener auth-userdb {
    mode = 0600
  }
}
# Cleartext imap listener disabled (port = 0); only imaps on 993 is reachable.
service imap-login {
  inet_listener imap {
    port = 0
  }
  inet_listener imaps {
    port = 993
    ssl = yes
  }
  process_limit = 2500
  process_min_avail = 5
}
service imap {
  drop_priv_before_exec = yes
  process_limit = 2500
  process_min_avail = 5
}
service lmtp {
  inet_listener lmtp {
    port = 24
  }
}
service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  process_min_avail = 0
  service_count = 1
  vsz_limit = 64 M
}
service managesieve {
  drop_priv_before_exec = yes
  process_limit = 1024
}
# Cleartext pop3 listener disabled (port = 0); only pop3s on 995 is reachable.
service pop3-login {
  inet_listener pop3 {
    port = 0
  }
  inet_listener pop3s {
    port = 995
    ssl = yes
  }
  process_limit = 300
  process_min_avail = 5
}
service pop3 {
  drop_priv_before_exec = yes
  process_limit = 300
  process_min_avail = 5
}
# Self-signed server certificate: clients cannot validate it against a public
# CA, so each client has to be configured to trust this specific certificate
# (or it should be replaced by one issued by a CA the clients already trust).
ssl_cert = </certs/cert-selfsigned.crt
# NOTE(review): the "::" between !RC4 and !3DES is an empty entry in the cipher
# list, presumably a typo for ":"; confirm the list parses as intended.
ssl_cipher_list = ALL:!LOW:!SSLv2:!EXP:!aNULL:!RC4::!3DES:!IDEA
ssl_dh = # hidden, use -P to show it
ssl_key = # hidden, use -P to show it
protocol lmtp {
  mail_plugins = quota expire mail_log notify
}
protocol lda {
  mail_plugins = quota expire mail_log notify
}
protocol imap {
  mail_plugins = quota imap_quota mail_log notify
}
protocol pop3 {
  mail_plugins = quota mail_log notify
  pop3_uidl_format = UID%u-%v
}


-> /config/dovecot/dovecot-proxy/dovecot-oauth2.conf

# oauth2 passdb settings for the proxy: password grant against Keycloak,
# then token introspection, then proxying to the backend with the token.
grant_url = https://keycloak-iam.apps.example.com/auth/realms/example/protocol/openid-connect/token
# The user's clear password is sent to grant_url (resource owner password
# credentials grant) together with client_id/client_secret; the rawlog excerpt
# in the post shows exactly that request body.
use_grant_password = yes

# The token obtained from the grant is then introspected with a POST to
# introspection_url.
introspection_mode = post
introspection_url = https://keycloak-iam.apps.example.com/auth/realms/example/protocol/openid-connect/token/introspect

# The user name is taken from the "username" field of the response and
# normalised with %Lu (presumably lower-cased) before use.
username_attribute = username
username_format = %Lu

# CA bundle used to verify the Keycloak TLS endpoints above; keep it set so
# the password grant is never sent to an unverified server.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
# Only tokens whose introspection response carries "active": true are accepted.
active_attribute = active
active_value = true

scope = email
send_auth_headers = yes

# debug + rawlog_dir capture the complete grant and introspection exchanges,
# including the clear password and the client_secret (see the post). Restrict
# the directory's permissions and switch the rawlog off once finished.
debug = yes
rawlog_dir = /LOGS/imap/oauth2/
client_id = imap-client
# NOTE(review): this secret is reproduced verbatim in the mailing-list post
# (and in the rawlog excerpt), so it has to be treated as disclosed and
# rotated in the Keycloak client.
client_secret = 99e26b26-0f2a-4b64-8f57-c0ca2147d3a0

# Every authenticated session is proxied to the single fixed backend
# 192.160.10.4 with XOAUTH2, using the access token from the grant as the
# password; the backend log in the post appears to show that token arriving
# as token=... . There is no per-user host here, so presumably all mailboxes
# live on that one backend.
pass_attrs = host=192.160.10.4 proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token} 



