Hi Andrea,

> Do you know if the same applies also to other clients like Apple Mail
> and Outlook 20xx?

Sorry, I have not looked into it so I can't answer this. What I don't understand really in the way OAUTHBEARER or XOAUTH2 works with IMAP is how the client is supposed to know where to obtain a token from (or does it need to be explicitly configured?)...

> PS: Can you share your /etc/dovecot/dovecot-oauth2.conf.ext?

Sure (some values have been replaced by capital letters). I'm doing it quite differently from you, using local introspection:

```
introspection_mode = local
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
issuers = https://XXXX/auth/realms/ZZZ
scope = email
username_attribute = AAAA
username_format = %n
# Hack to forcefully validate the aud
active_attribute = aud
active_value = YYYYY
```

And then I have to populate `/etc/dovecot/keys` as per
https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-validation

To debug the authentication/setup, here is what I did:

- Obtain a token from our local keycloak (the shell variables need double quotes to be expanded, and jq gets the username via `--arg` so it can interpolate it):

```
curl --location --request POST 'https://XXXX/auth/realms/ZZZ/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=YYYYY' \
  --data-urlencode "username=${username}" \
  --data-urlencode "password=${password}" \
  --data-urlencode "client_secret=${secret_key}" \
  | jq -r --arg user "$username" \
      '"n,a=\($user),\u0001host=XXXX\u0001port=993\u0001auth=Bearer \(.access_token)\u0001\u0001" | @base64'
```

- Pass that token to IMAP through `a1 authenticate oauthbearer ....`

I hope this can help,
Cheers,
Vincent
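A worked example added here, not part of Vincent's mail: a Python script that (a) builds the SASL OAUTHBEARER initial client response that the jq filter above produces, and (b) applies the checks that the dovecot-oauth2.conf.ext above expresses for local validation (trusted `issuers`, required `scope`, the forced `aud`, expiry, and the signature before any claim is trusted). Assumptions: the demo token is HS256-signed with a made-up shared secret so the script runs offline, whereas Keycloak issues RS256 tokens checked against the realm's public key; the claim names `iss`, `aud`, `exp`, `scope` and `preferred_username` are the standard OIDC/Keycloak names; the function names and all values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values; the capitalised placeholders mirror the mail, the secret is made up.
ISSUERS = ["https://XXXX/auth/realms/ZZZ"]   # issuers =
REQUIRED_SCOPE = "email"                      # scope =
EXPECTED_AUD = "YYYYY"                        # active_attribute = aud / active_value =
DEMO_SECRET = b"constructed-demo-secret"      # stands in for the RS256 realm key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def oauthbearer_initial_response(username: str, host: str, port: int, access_token: str) -> str:
    """Build the OAUTHBEARER initial client response (RFC 7628) the jq filter in the mail
    produces, base64-encoded for `a1 AUTHENTICATE OAUTHBEARER <blob>`.
    ^A (0x01) separates the key=value pairs; the two trailing ^A terminate the message."""
    gs2_header = f"n,a={username},"
    kv_pairs = f"\x01host={host}\x01port={port}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode((gs2_header + kv_pairs).encode()).decode()


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Mint a compact JWT for the demo (HS256, so no RSA library is needed)."""
    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode()
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{b64url(compact(header))}.{b64url(compact(claims))}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"


def validate_locally(token: str, key: bytes, issuers=ISSUERS, expected_aud=EXPECTED_AUD,
                     required_scope=REQUIRED_SCOPE, now=None):
    """Apply the checks a local-validation setup relies on, failing closed in order:
    signature first, then issuer, audience, expiry and scope.
    Returns (True, username) or (False, reason)."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        sig = b64url_decode(s)
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: the token's own header must never select "none" or a weaker alg.
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if claims.get("iss") not in issuers:
        return False, "issuer not trusted"
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        return False, "audience mismatch"   # what the "hack" active_attribute = aud enforces
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "token expired"
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "missing scope"
    return True, claims.get("preferred_username", "")


def demo(now: float = 1_700_000_000):
    """Mint a valid demo token, validate it, and build the IMAP blob for it."""
    claims = {"iss": ISSUERS[0], "aud": EXPECTED_AUD, "scope": "openid email",
              "exp": now + 600, "preferred_username": "alice"}
    token = make_hs256_jwt(claims, DEMO_SECRET)
    result = validate_locally(token, DEMO_SECRET, now=now)
    return result, oauthbearer_initial_response("alice", "XXXX", 993, token)


if __name__ == "__main__":
    result, blob = demo()
    print(result)
    print("a1 AUTHENTICATE OAUTHBEARER", blob)
```

The audience check is the one worth keeping even when the introspection endpoint is reachable: a token minted for another client of the same realm has a valid signature, a trusted issuer and the `email` scope, and would otherwise be accepted by the IMAP server.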
Hi Vincent,

Thank you very much for your support!!!

On 24/06/21 15:21, Vincent Brillault wrote:
> [...]

--
__________________________
A winner says, "It may be difficult, but it's possible."
A loser says, "It may be possible, but it's too difficult."
__________________________
TIM San Marino S.p.A.
Andrea Gabellini
Engineering R&D
TIM San Marino S.p.A. - https://www.telecomitalia.sm
Via Ventotto Luglio, 212 - Piano -2
47893 - Borgo Maggiore - Republic of San Marino
Tel: (+378) 0549 886237
Fax: (+378) 0549 886188

--
Privacy Notice
This email is addressed to contacts present in the archives of TIM San Marino S.p.A. All information is processed and protected in accordance with the current legislation on the protection of personal data (Reg. EU 2016/679). To request information and/or changes and/or the deletion of your data held in our archives, you can send an email to privacy at telecomitalia.sm.

Confidentiality Notice
The content of this e-mail and of any attachments is strictly confidential and intended for the person(s) to whom it is addressed. If you have received this e-mail in error, please notify us immediately and delete it from your computer. Copying and disclosing the content of this e-mail is prohibited. Any improper use of the information contained herein by third parties, or by persons not indicated in this e-mail, may be prosecuted under the law.
Hello Vincent,

I'm trying to use your suggestion but I stopped on a trivial detail... I have created the key dictionary, and dovecot found it, but I receive this error:

"oauth2 failed: Local validation failed: Cannot load key: Unknown key format"

I simply put in a file /etc/dovecot/keys/webmail/RS256/<key id> the value of the public key found on the keycloak console. Which is the correct format of that file?

Thanks in advance,
Andrea

On 24/06/21 15:21, Vincent Brillault wrote:
> [...]

--
__________________________
Will the information superhighway have any rest stops?
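An added check for the question above, not from the thread: the Keycloak realm-keys page shows a public key as a bare base64 SubjectPublicKeyInfo body, while (to my reading of the Dovecot local-validation page linked earlier in the thread) the key dict entries are loaded as PEM-encoded public keys, so a bare body pasted into the file is a plausible way to get "Unknown key format". This Python script normalises whatever was copied from the console (bare base64 or PEM) into a PEM public-key file and sanity-checks the DER structure before the file is dropped into the key directory. The SPKI bytes in the demo are a constructed stub with the right outer shape (rsaEncryption OID plus dummy key bytes), not a usable key; `to_pem` and `check_spki` are names chosen for this example.

```python
import base64
import re
import textwrap

# Only the SPKI label is accepted: "RSA PUBLIC KEY" is PKCS#1 and has a different structure.
PEM_RE = re.compile(r"-----BEGIN PUBLIC KEY-----\s*(.+?)\s*-----END PUBLIC KEY-----", re.S)

# Constructed stub with SPKI shape only: SEQUENCE { SEQUENCE { OID rsaEncryption, NULL }, BIT STRING }.
SAMPLE_SPKI_DER = bytes.fromhex("3015" "300d" "06092a864886f70d010101" "0500" "030400aabbcc")
# What a copy from the Keycloak console looks like: the base64 body with no armor.
SAMPLE_CONSOLE_VALUE = base64.b64encode(SAMPLE_SPKI_DER).decode()


def _der_len(buf: bytes, i: int):
    """Parse the DER length field at buf[i]; return (length, offset of the content)."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def check_spki(der: bytes) -> None:
    """Cheap structural check that `der` is a SubjectPublicKeyInfo envelope:
    SEQUENCE { SEQUENCE { OID alg, ... }, BIT STRING key }.
    It does not validate the key material, only that the file has the expected shape."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE: bare modulus, JWK or other non-SPKI content?")
    outer_len, i = _der_len(der, 1)
    if i + outer_len != len(der):
        raise ValueError("SEQUENCE length does not match the data (truncated or extra bytes)")
    if i >= len(der) or der[i] != 0x30:
        raise ValueError("first element is not an AlgorithmIdentifier SEQUENCE (PKCS#1 key?)")
    alg_len, j = _der_len(der, i + 1)
    if j >= len(der) or der[j] != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    k = j + alg_len
    if k >= len(der) or der[k] != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")


def to_pem(raw_key: str) -> str:
    """Turn a console copy (bare base64 or PEM, possibly with stray line breaks) into the
    PEM public-key text to write into the key file. Raises ValueError on anything else."""
    text = raw_key.strip()
    if "-----BEGIN" in text:
        m = PEM_RE.search(text)
        if not m:
            raise ValueError("unsupported PEM label; expected '-----BEGIN PUBLIC KEY-----'")
        body = m.group(1)
    else:
        body = text
    body = "".join(body.split())            # tolerate whitespace copied from a web page
    der = base64.b64decode(body, validate=True)
    check_spki(der)
    lines = textwrap.wrap(base64.b64encode(der).decode(), 64)
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


if __name__ == "__main__":
    print(to_pem(SAMPLE_CONSOLE_VALUE))
```

Run it on the value copied from the console and redirect the output into the key file; if it raises instead, the pasted value is not an SPKI public key at all (for example a JWK from the realm's certs endpoint, or a PKCS#1 key), which is a different fix from adding PEM armor.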