> On 19/01/2021 07:17 ???? <taiki.fukuda at justsystems.com> wrote:
>
>
> Dear Sir or Madam
> Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy.
> I have a question about how to use dovecot as a proxy to perform OAuth 2.0
authentication to Gmail using a mail client.
Mail client is required, in this case, to provide valid oauth2 bearer token. I
don't think google supports other ways.
> 1. Is the following all I need to do to authenticate to Gmail using
dovecot as a proxy?
> * passdb
> passdb {
> driver = oauth2
> mechanisms = oauthbearer xoauth2
> args = /etc/dovecot/dovecot-oauth2.token.conf.ext
> }
> passdb {
> driver = oauth2
> mechanisms = plain login
> args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
> }
>
The plain config is a way to do 'password grant' authentication. This is
when username and password is used to acquire a bearer token.
> * create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
> * create gmail service account api
> 2. grant_url in dovecot-oauth2.token.conf.ext and
dovecot-oauth2.plain.conf.ext is URL for obtaining a Google access token for a
web server that I have built myself?
> 3. I use a Gmail service account, so I don?t need a client ID and secret
ID, right?
> 4. Do I set introspection_url to the URL of my own web server with the
access token used for authentication to Google as the response?
No. The introspection URL needs to point to a location where dovecot can figure
out more information about the user with token. If I recall correctly, the token
endpoint
For gmail, you need to use https://www.googleapis.com/oauth2/v2/userinfo
> 5. The documentation says ?pass_attrs = host=127.0.0.1?, but if you are
authenticating to Gmail, I should use
> ?pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com
(http://imap.gmail.com);%{if;%s;eq;pop3;smtp .gmail.com
(http://gmail.com);pop.gmail.com (http://pop.gmail.com)}}
port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2
pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}??
I would use something more readable, like passwd-file driver with
username_format=%s
The access token is also imported as %{token} in passdb.
> 6. What is the difference between dovecot-oauth2.token.conf.ext and
dovecot-oauth2.plain.conf.ext ? Do I need to configure both?
> I used
https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as a
reference.
> I would appreciate your reply.
> Yours faithfully,
> ------------------------------
> e-mail: taiki.fukuda at justsystems.com
> TEL: 03-5324-7900
> mobile: 080-6198-7328
> ------------------------------
So this might work
/etc/dovecot/oauth2-token.conf.ext
introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
introspection_mode = auth
username_attribute = email
pass_attrs = proxy=y proxy_mech=xoauth2
/etc/dovecot/dovecot.conf
auth_mechanisms = xoauth2 oauthbearer
passdb {
driver = oauth2
args = /etc/dovecot/oauth2-token.conf.ext
result_success = continue-ok
}
passdb {
driver = passwd-file
args = username_format=%s /etc/dovecot/endpoints
skip = unauthenticated
}
/etc/dovecot/endpoints
imap::::::: host=imap.gmail.com
pop3::::::: host=pop3.gmail.com
submission::::::: host=smtp.gmail.com
Aki