> On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot
> <dovecot@dovecot.org> wrote:
>
>
> On 2023-10-24 15:14, Aki Tuomi wrote:
> >> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot
> >> <dovecot@dovecot.org> wrote:
> >>
> >>
> >> On 2023-10-23 08:43, Aki Tuomi wrote:
> >> > Don't set tokeninfo url if you require POST query. It's not mandatory
> >> > to set all endpoints.
> >>
> >> If I comment out the tokeninfo_url (the rest the same as in the working
> >> config below in the quote), I get the error message "oauth2 failed:
> >> Introspection failed: No username returned" from dovecot.
> >>
> >> > Also if you are using jwt, you can also opt to do local validation
> >> > instead.
> >>
> >> How should a config look for this? From
> >> https://doc.dovecot.org/configuration_manual/authentication/oauth2/
> >> I'm not sure what to do.
> >>
> >> Would it be:
> >> - introspection_mode = local
> >> - local_validation_key_dict = ...
> >> - switching the oidc provider to jwt
> >> - downloading the cert from the oidc server and putting it into the
> >>   key-dict
> >> ?
> >
> > Yep. As in the example in docs.
>
> Doesn't work. Not even a trace in the debug log. The webmail package
> (roundcube) didn't finish the sasl auth:
> ---snip---
> imap-login: Disconnected: Connection closed (client didn't finish SASL
> auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
> ---snip---
>
> In the example there is "typ":"JWT" which I don't have:
> ---snip---
> "keys": [
>   {
>     "kid": "4ED...more...vi7umzYdS4",
>     "kty": "RSA",
>     "alg": "RS256",
>     "use": "sig",
>     "n": "pj0BLB...more...Q",
>     "e": "AQAB",
>     "x5c": [
>       "MIICoTCCA...much_more...o8M0a6VE="
>     ],
>     "x5t": "yeW...more...z2mnh4",
>     "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
>   },
> ---snip---
>
> The above is from the "jwks_uri" endpoint as per the
> .well-known/openid-configuration. There is no other URL which lists
> "kid"s.
>
> I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the
> content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the
> dovecot user.
>
> There is a second key with:
> ---snip---
> "alg": "RSA-OAEP",
> "use": "enc",
> ---snip---
> As this is not listed as supported, I didn't create an entry in the dict
> for this.
>
> Bye,
> Alexander.
>
> >> Do I still need the openid_configuration_url and introspection_url?
> >> client_secret can go in this case I assume.
> >>
> >
> > You should probably leave client_id there. But you do not need the
> > rest. openid_configuration_url is presented to clients as oidc
> > discovery url.
> >
> > Aki
> >
> >> Bye,
> >> Alexander.
> >>
> >> > Aki
> >> >
> >> >> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot
> >> >> <dovecot@dovecot.org> wrote:
> >> [...]
> >> >> The working but not really up to the OIDC spec dovecot config is:
> >> >>
> >> >> auth-oauth2.token.conf.ext:
> >> >> ---snip---
> >> >> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> >> >> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
> >> >> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> >> >> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> >> >> introspection_mode = auth
> >> >> #active_attribute = active
> >> >> #active_value = true
> >> >> client_id = myid
> >> >> client_secret = mysecret
> >> >> use_grant_password = no
> >> >> #debug = yes
> >> >> username_attribute = email
> >> >> pass_attrs = pass=%{oauth2:access_token}
> >> >> ---snip---
> >> >>
> >> >> auth-oauth2.plain.conf.ext:
> >> >> ---snip---
> >> >> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> >> >> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> >> >> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> >> >> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> >> >> introspection_mode = auth
> >> >> #active_attribute = active
> >> >> #active_value = true
> >> >> client_id = myid
> >> >> client_secret = mysecret
> >> >> use_grant_password = yes
> >> >> #debug = yes
> >> >> username_attribute = email
> >> >> pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
> >> >> ---snip---
> >>
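As an added example (not code from the thread or from Dovecot), a Python script that turns a JWKS document like the one quoted above into the `<alg>/<kid>` file layout Alexander describes for local_validation_key_dict. The JWKS content is constructed; it assumes Dovecot accepts the x5c certificate wrapped as PEM and the listed signature algorithms, both of which should be checked against the Dovecot docs. It skips the "enc" key and refuses a kid that is not a plain file name, since the kid is untrusted remote data used as a path.

```python
import base64
import os
import tempfile

# Constructed sample JWKS, shaped like the jwks_uri output quoted in the thread;
# the x5c value is placeholder base64, not a real DER certificate.
PLACEHOLDER_X5C = base64.b64encode(b"constructed placeholder, not a certificate").decode()
SAMPLE_JWKS = {"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig",
     "n": "pj0B", "e": "AQAB", "x5c": [PLACEHOLDER_X5C]},
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc",
     "n": "pj0B", "e": "AQAB", "x5c": [PLACEHOLDER_X5C]},
]}
# Algorithms assumed accepted for local validation; anything else (e.g. the RSA-OAEP "enc" key) is skipped.
SUPPORTED_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512",
                  "PS256", "PS384", "PS512"}

def x5c_to_pem(x5c_entry: str) -> str:
    """Wrap the base64 DER certificate from an x5c entry as a PEM block (assumed format)."""
    base64.b64decode(x5c_entry, validate=True)  # reject non-base64 input early
    body = "\n".join(x5c_entry[i:i + 64] for i in range(0, len(x5c_entry), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def select_signing_keys(jwks: dict) -> list:
    """Return (alg, kid, pem) per usable signing key; a key without x5c is an error, not an empty entry."""
    selected = []
    for key in jwks.get("keys", []):
        if key.get("use", "sig") != "sig" or key.get("alg") not in SUPPORTED_ALGS:
            continue
        if not key.get("x5c"):
            raise ValueError(f"key {key.get('kid')!r} has no x5c certificate")
        selected.append((key["alg"], key["kid"], x5c_to_pem(key["x5c"][0])))
    return selected

def write_key_dict(jwks: dict, root: str = None) -> list:
    """Write keys to <root>/<alg>/<kid> (the layout used in the thread); kid is remote data."""
    root = root or tempfile.mkdtemp(prefix="dovecot-keys-")  # scratch dir when unset
    written = []
    for alg, kid, pem in select_signing_keys(jwks):
        if not kid or os.sep in kid or kid in (".", ".."):
            raise ValueError(f"refusing kid that is not a plain file name: {kid!r}")
        os.makedirs(os.path.join(root, alg), mode=0o750, exist_ok=True)
        path = os.path.join(root, alg, kid)
        with open(path, "w") as fh:
            fh.write(pem)
        os.chmod(path, 0o640)  # readable by the dovecot user's group only
        written.append(path)
    return written
```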
You sure there is nothing with auth_debug=yes? This sounds like the client did not want to even try oauth2. Did you enable XOAUTH2 and OAUTHBEARER mechanisms?

Aki

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org