Dovecot ACLs and XOAUTH2
Aki Tuomi
aki.tuomi at open-xchange.com
Mon Aug 22 12:04:28 UTC 2022
> On 22/08/2022 14:32 EEST Felix Auringer <felix.auringer at giz.berlin> wrote:
>
>
> On 8/22/22 10:14, Aki Tuomi wrote:
> > Hi!
> >
> > You need to export them in passdb. You can do `userdb_some_field=%{oauth2:some_field}`.
>
> That is exactly what I have been looking for, thank you! Is it also
> possible to extract arrays and objects from the token with this syntax?
> For example, I tried to save `allowed-origins` which is a list of
> strings but the field in the userdb was empty (but present). However,
> the field was processed according to the logs.
>
Currently the support is very limited. You can extract strings and numbers from a flat object.
> Furthermore, it seems that only keys that have a string or an array
> value are processed, so it may not even be possible to extract a parent
> object. For a structure like this:
>
> ```
> {
>   "azp": "roundcube-test",
>   "realm_access": {
>     "roles": [...]
>   },
>   "resource_access": {
>     "realm-management": {
>       "roles": [...]
>     },
>     "account": {
>       "roles": [...]
>     }
>   }
> }
> ```
>
> the log only shows:
>
> auth: Debug: oauth2(...): Processing field azp
> auth: Debug: oauth2(...): Processing field roles
>
> auth: Debug: oauth2(...): Processing field roles
>
> auth: Debug: oauth2(...): Processing field roles
>
> It also doesn't work to extract the whole token with
> `userdb_token=%{oauth2:access_token}` (this syntax however works for
> proxy authentication). Otherwise, I could just save the whole token in
> the user database.
>
You should be able to extract the whole access token like that, although I didn't say in my previous mail that the %{oauth2:} is valid only within the oauth2 passdb currently.
Additionally, the user's token is available as %w / %{password} on all passdbs. The best way I can think of right now is to use a Lua passdb for complex token handling.
> Is there some syntax I did not find in the documentation that would
> enable me to extract either the whole token or a whole JSON object / array?
>
> Best regards,
> Felix
> ---
Aki
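As an added illustration (not from the thread and not Dovecot's own code): a Python model of the two behaviours discussed above, the flat-only extraction that `%{oauth2:field}` offers today, and the flattening a custom Lua passdb would have to do itself to turn nested objects and arrays into usable `userdb_` fields. The token claims below are a constructed sample modelled on the structure Felix posted; the field naming (dotted path joined with `_`, arrays joined with `,`) is a choice made here, not a Dovecot convention.

```python
import json

# Constructed sample of token claims, shaped like the structure in the thread.
SAMPLE_CLAIMS = json.loads("""
{
  "azp": "roundcube-test",
  "exp": 1661170000,
  "allowed-origins": ["https://mail.example.test"],
  "realm_access": {"roles": ["offline_access", "uma_authorization"]},
  "resource_access": {
    "realm-management": {"roles": ["view-users"]},
    "account": {"roles": ["manage-account", "view-profile"]}
  }
}
""")

def flat_fields(claims):
    """Model of the %{oauth2:field} behaviour described in the thread:
    only top-level strings and numbers carry a value; a top-level array
    yields a field that is present but empty; nested objects are not
    addressable at all."""
    out = {}
    for key, value in claims.items():
        if isinstance(value, (str, int, float)) and not isinstance(value, bool):
            out[key] = str(value)
        elif isinstance(value, list):
            out[key] = ""  # present but empty, as observed for allowed-origins
    return out

def flattened_fields(claims, prefix=""):
    """What a custom passdb must do itself: recurse into nested objects,
    name each leaf by its path (hyphens become underscores), and join
    arrays of scalars with commas, e.g.
    resource_access_account_roles=manage-account,view-profile."""
    out = {}
    for key, value in claims.items():
        name = (f"{prefix}_{key}" if prefix else key).replace("-", "_")
        if isinstance(value, dict):
            out.update(flattened_fields(value, name))
        elif isinstance(value, list):
            out[name] = ",".join(str(v) for v in value
                                 if not isinstance(v, (dict, list)))
        elif isinstance(value, bool):
            out[name] = "yes" if value else "no"
        elif value is not None:
            out[name] = str(value)
    return out

def userdb_extra_fields(fields):
    """Render fields in the space-separated userdb_<name>=<value> form that a
    Lua passdb returns alongside its result code (values must not contain
    spaces; quote or encode them before use)."""
    return " ".join(f"userdb_{k}={v}" for k, v in sorted(fields.items()))
```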