dovecot - Jun 2021 - oauth2

Hello,

Dovecot 2.3.15 installed from repository on CentOS 7.9

I would like to try the oauth2 mechanism to autenticate my users.

I have installed a working demo of KeyCloak and I have a working 
installation of Dovecot 2.3.15 with LDAP backend and plain authentication.

My Thunderbird client always says "that the server doesn't manage the 
authentication method", but with a "openssl s_client? -connect"
command
I get:

* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE 
LITERAL+ AUTH=PLAIN AUTH=OAUTHBEARER AUTH=XOAUTH2] IMAP ready.

Putting Dovecot in debug I can't see any error or warning on oauth2 
authentication.

I'm following the offical guide:

auth_mechanisms = plain oauthbearer xoauth2

passdb {
 ? driver = oauth2
 ? mechanisms = xoauth2 oauthbearer
 ? args = /etc/dovecot/dovecot-oauth2.conf.ext
}

/etc/dovecot/dovecot-oauth2.conf.ext:
tokeninfo_url =
https://www.googleapis.com/oauth2/v3/tokeninfo?access_tokenintrospection_url =
https://www.googleapis.com/oauth2/v2/userinfo
#force_introspection = yes
username_attribute = email
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt

I'm using an explicit wrong configuration to thrown some errors and 
verify that Dovecot is really using the OAUTH2 mechanism, but I don't 
get any errors...

What I'm doing wrong?

Thanks,
Andrea

-- 

__________________________
Okay, okay, I'll take it back ... UNfuck you !
__________________________

TIM San Marino S.p.A.
Andrea Gabellini
Engineering R&D
TIM San Marino S.p.A. - https://www.telecomitalia.sm
Via Ventotto Luglio, 212 - Piano -2
47893 - Borgo Maggiore - Republic of San Marino
Tel: (+378) 0549 886237
Fax: (+378) 0549 886188



--
Informativa Privacy

Questa email ha per destinatari dei contatti presenti negli archivi di TIM San
Marino S.p.A.. Tutte le informazioni vengono trattate e tutelate nel rispetto
della normativa vigente sulla protezione dei dati personali (Reg. EU 2016/679).
Per richiedere informazioni e/o variazioni e/o la cancellazione dei vostri dati
presenti nei nostri archivi potete inviare una email a privacy at
telecomitalia.sm.

Avviso di Riservatezza

Il contenuto di questa e-mail e degli eventuali allegati e' strettamente
confidenziale e destinato alla/e persona/e a cui e' indirizzato. Se avete
ricevuto per errore questa e-mail, vi preghiamo di segnalarcelo immediatamente e
di cancellarla dal vostro computer. E' fatto divieto di copiare e divulgare
il contenuto di questa e-mail. Ogni utilizzo abusivo delle informazioni qui
contenute da parte di persone terze o comunque non indicate nella presente
e-mail potra' essere perseguito ai sensi di legge.

Hi!
> I would like to try the oauth2 mechanism to autenticate my users.
>
> [...]
> 
> My Thunderbird client [...]
Not a Thunderbird/Dovecot expert here, so only talking about my
experience. We have a setup here with Dovecot supporting OAUTHBEARER &
XOAUTH2 to allow our web-based interface (Open-Xchange) to use our SSO
(also provided by Keycloak) and that works fine. However, we also got
questions from users about Thunderbird so I had a quick look into it.

From what I understand, from digging into https://bugzilla.mozilla.org/
and Thunderbird source code, Thunderbird is using a static list of
Oauth2 providers, for which it stores the
clientId/clientSecret/authorizationEndpoint/tokenEndpoint statically in
its source code.

As a result, I think Thunderbird can't support Oauth2 for a standard
Dovecot installation without patches... (But I would love to be proven
wrong and be able to provide Oauth support to our users!)

Cheers,
Vincent

PS: Thunderbird hardcoded list:
https://github.com/mozilla/releases-comm-central/blob/master/mailnews/base/src/OAuth2Providers.jsm

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL:
<https://dovecot.org/pipermail/dovecot/attachments/20210624/6f801fda/attachment.sig>