> On 23/09/2023 12:55 EEST t...@interseclab.org wrote:
> 
>  
> I have Roundcube and Dovecot2 set up to authenticate against Keycloak 
> using the XOAUTH2 method, as follows:
> 
> introspection_url = https://[...]/realms/[...]/protocol/openid-connect/token/introspect
> introspection_mode = post
> username_attribute = email
> client_id = [...]
> client_secret = [...]
> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
> 
> Since upgrading to 2.3.21 XOAUTH2 fails to authenticate with:
> 
> dovecot: auth: Error: oauth2([...],[...],<[...]>): oauth2 failed: 
> Introspection failed: No username returned
> 
> WARN  [org.keycloak.events] (executor-thread-45) 
> type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, 
> ipAddress=[...], error=client_not_found
> WARN  [org.keycloak.events] (executor-thread-45) 
> type=INTROSPECT_TOKEN_ERROR, realmId=[...], clientId=null, userId=null, 
> ipAddress=[...], error=invalid_request, detail='Authentication failed.'
> 
> Downgrading to 2.3.20 fixes the issue.
> 
> I believe this change is to blame:
> 
> lib-oauth2: Dovecot would send client_id and client_secret as POST 
> parameters to the introspection server. These need to be optionally in 
> Basic auth instead.
> 
> Is there anything I should change in my Keycloak/Dovecot config or is 
> this a bug?


Try changing introspection_url to https://client_id:client_secret@server/....

Aki
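
An added illustration, not part of the thread and not Dovecot code: it builds an introspection URL with the client credentials as percent-encoded userinfo, then shows the RFC 7662 POST a client would derive from it, with credentials in an HTTP Basic `Authorization` header and only the token in the body. The host, realm, client id, secret and both function names are constructed, and it assumes the consumer percent-decodes the userinfo before building the header.

```python
import base64
from urllib.parse import quote, unquote, urlencode, urlsplit, urlunsplit


def with_client_credentials(url, client_id, client_secret):
    """Return url with client_id:client_secret as percent-encoded userinfo.

    Encoding matters: an unescaped '@', ':' or '/' in the secret would
    change how the URL is split into userinfo, host and path.
    """
    parts = urlsplit(url)
    userinfo = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    host = parts.netloc.rpartition("@")[2]  # drop any userinfo already present
    return urlunsplit((parts.scheme, f"{userinfo}@{host}",
                       parts.path, parts.query, parts.fragment))


def introspection_request(url, token):
    """Build (url, headers, body) for an introspection POST with Basic auth.

    Assumption: userinfo is percent-decoded and sent as
    'Authorization: Basic base64(id:secret)'; the credentials are removed
    from the request URL and never placed in the form body.
    """
    parts = urlsplit(url)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if parts.username is not None:
        user = unquote(parts.username)
        password = unquote(parts.password or "")
        raw = f"{user}:{password}".encode()
        headers["Authorization"] = "Basic " + base64.b64encode(raw).decode()
    host = parts.netloc.rpartition("@")[2]
    clean = urlunsplit((parts.scheme, host, parts.path,
                        parts.query, parts.fragment))
    return clean, headers, urlencode({"token": token})


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    base = ("https://sso.example.test/realms/mail"
            "/protocol/openid-connect/token/introspect")
    cfg_url = with_client_credentials(base, "dovecot", "s3cr/t@:x")
    print("introspection_url =", cfg_url)
    for item in introspection_request(cfg_url, "constructed-access-token"):
        print(item)
```

Because the resulting `introspection_url` value contains the client secret, the file holding it needs the same permissions as any other credential store.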