> On 13/06/2025 13:05 EEST Markus Grandpré via dovecot <[email protected]> wrote:
>
> Dear dovecot list members,
>
> I am currently working on the task of implementing an MFA solution with OpenID for our SOGo server v5.12.1.20250612-1 and our Dovecot server v2.3.21.1. For this purpose, we are using a Shibboleth IDP v5.1.4 with the appropriate OpenID extension via XOAUTH2.
>
> In my opinion, authentication and authorization requests and responses between SOGo and the IDP are working flawlessly, and with:
>
> SOGoSMTPAuthenticationType = xoauth2;
> NGImap4AuthMechanism = xoauth2;
>
> the SOGo server forwards the received access token to the Dovecot server. On the Dovecot side, I have configured the server as follows:
>
> /etc/dovecot/conf.d/10-auth.conf:
>
> disable_plaintext_auth = yes
> auth_username_format = %Ln
> auth_master_user_separator = *
> auth_mechanisms = plain login
> auth_verbose = yes
> auth_verbose_passwords = no
> auth_debug = yes
> auth_debug_passwords = yes
> mail_debug = yes
> verbose_ssl = yes
> !include auth-master.conf.ext
> !include auth-oauth2.conf.ext
>
> /etc/dovecot/conf.d/auth-oauth2.conf.ext
>
> auth_mechanisms = $auth_mechanisms plain xoauth2 oauthbearer
> passdb {
>   driver = oauth2
>   mechanisms = xoauth2 oauthbearer
>   args = /etc/dovecot/dovecot-oauth2.conf.ext
> }
> userdb {
>   driver = static
>   args = uid=vmail gid=vmail home=/var/vmail/%u
> }
> service auth {
>   unix_listener /var/spool/postfix/private/auth {
>     mode = 0660
>     # Assuming the default Postfix user and group
>     user = postfix
>     group = postfix
>   }
> }
>
> /etc/dovecot/dovecot-oauth2.conf.ext
>
> introspection_mode = post
> introspection_url = https://<ID>:<SECRET>@idp-test.uni-konstanz.de/idp/profile/oauth2/introspection
> username_attribute = mail
> tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
> active_attribute = active
> active_value = true
>
> As soon as the SOGo server contacts the Dovecot server, and the latter contacts the IDP server, I see the following error message in the Dovecot server logs:
>
> Jun 13 11:44:47 bamenda dovecot: auth: Debug: http-client[1]: request [Req7: POST https://idp-test.uni-konstanz.de/idp/profile/oauth2/introspection]: Free (requests left=1)
> Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Introspection succeeded
> Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Processing field active
> Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): oauth2 active_attribute check failed: expected active="true" but got "false"
> Jun 13 11:44:47 bamenda dovecot: auth: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): oauth2 failed: Introspection failed: Provided token is not valid
> Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Finished passdb lookup
> Jun 13 11:44:47 bamenda dovecot: auth: Debug: auth(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Auth request finished
>
> Is the error on the IDP side, or is there something wrong with my Dovecot configuration, or both? How can I make Dovecot more verbose, so that I could see all the tokens exchanged with SOGo and the IDP?
>
> I would greatly appreciate your help.
>
> Best regards,
> Markus Grandpré
>
> --
> Markus Ludwig Grandpré
> Universität Konstanz
> Kommunikations-, Informations-, Medienzentrum (KIM)
> Abteilung IT-Dienste Forschung und Lehre,
> B803, Tel: +49 7531 88 4342
Your IDP is returning with `false` when `true` is expected, which is causing the login to be refused (as expected).

Aki

_______________________________________________
dovecot mailing list -- [email protected]
To unsubscribe send an email to [email protected]
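To tell the two cases Markus asks about apart (IDP answer vs. Dovecot configuration), here is an added diagnostic script that is not part of this thread, of Dovecot or of SOGo: it builds the same introspection request the oauth2 passdb sends with `introspection_mode = post` and applies the `active_attribute` / `active_value` / `username_attribute` checks to the answer, printing the raw IDP response on the way. It assumes Dovecot sends the `user:secret` part of `introspection_url` as HTTP Basic auth and compares the active field as a string (as the log line suggests); client credentials and the sample responses in the test are constructed.

```python
"""Re-run the check Dovecot's oauth2 passdb applies to an IDP introspection answer and
build the request it sends. Settings mirror the thread's dovecot-oauth2.conf.ext."""
import base64
import json
from urllib.parse import unquote, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# From dovecot-oauth2.conf.ext in the thread; client id/secret are placeholders.
INTROSPECTION_URL = "https://CLIENT_ID:CLIENT_SECRET@idp-test.uni-konstanz.de/idp/profile/oauth2/introspection"
ACTIVE_ATTRIBUTE = "active"
ACTIVE_VALUE = "true"
USERNAME_ATTRIBUTE = "mail"


def build_introspection_request(url, token):
    """introspection_mode = post: token in the form body; the user:secret part of the
    URL is sent as HTTP Basic auth (assumed behaviour of Dovecot's http-client)."""
    p = urlsplit(url)
    endpoint = urlunsplit((p.scheme, p.netloc.rsplit("@", 1)[-1], p.path, p.query, ""))
    creds = f"{unquote(p.username or '')}:{unquote(p.password or '')}".encode()
    headers = {"Authorization": "Basic " + base64.b64encode(creds).decode(),
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    return endpoint, headers, urlencode({"token": token}).encode()


def evaluate_introspection(response):
    """active_attribute / active_value / username_attribute checks, compared as strings
    the way the log line in the thread shows (JSON false is reported as "false")."""
    if ACTIVE_ATTRIBUTE not in response:
        return {"ok": False, "reason": f"field {ACTIVE_ATTRIBUTE!r} missing from response"}
    raw = response[ACTIVE_ATTRIBUTE]
    got = json.dumps(raw) if isinstance(raw, bool) else str(raw)
    if got != ACTIVE_VALUE:
        return {"ok": False, "reason": f'expected {ACTIVE_ATTRIBUTE}="{ACTIVE_VALUE}" but got "{got}"'}
    username = response.get(USERNAME_ATTRIBUTE)
    if not username:
        return {"ok": False, "reason": f"username_attribute {USERNAME_ATTRIBUTE!r} missing"}
    return {"ok": True, "username": username}


def introspect(token, url=INTROSPECTION_URL, timeout=10):
    """Send the request Dovecot would send and print the raw IDP answer."""
    endpoint, headers, body = build_introspection_request(url, token)
    req = Request(endpoint, data=body, headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as resp:
        answer = json.loads(resp.read().decode())
    print("IDP introspection response:", json.dumps(answer, indent=2))
    return evaluate_introspection(answer)
```

Run `introspect("<access token SOGo forwarded>")` with the real client credentials in the URL: if the printed answer already says `"active": false`, the verdict comes from the IDP and Dovecot is merely enforcing it.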
