> On 19/01/2021 07:17 福田泰葵 <taiki.fuk...@justsystems.com> wrote:
>
> Dear Sir or Madam
>
> Unable to build OAuth2.0 authentication to Gmail using dovecot as proxy.
> I have a question about how to use dovecot as a proxy to perform OAuth 2.0
> authentication to Gmail using a mail client.

Mail client is required, in this case, to provide a valid oauth2 bearer token. I don't think google supports other ways.

> 1. Is the following all I need to do to authenticate to Gmail using dovecot
> as a proxy?
>
> * passdb
>
> passdb {
>   driver = oauth2
>   mechanisms = oauthbearer xoauth2
>   args = /etc/dovecot/dovecot-oauth2.token.conf.ext
> }
> passdb {
>   driver = oauth2
>   mechanisms = plain login
>   args = /etc/dovecot/dovecot-oauth2.plain.conf.ext
> }
>
> The plain config is a way to do 'password grant' authentication. This is when username and password are used to acquire a bearer token.
>
> * create dovecot-oauth2.token.conf.ext and dovecot-oauth2.plain.conf.ext
> * create gmail service account api
>
> 2. grant_url in dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext is the URL for obtaining a Google access token for
> a web server that I have built myself?
>
> 3. I use a Gmail service account, so I don't need a client ID and secret
> ID, right?
>
> 4. Do I set introspection_url to the URL of my own web server with the
> access token used for authentication to Google as the response?

No. The introspection URL needs to point to a location where dovecot can figure out more information about the user with the token. If I recall correctly, for Gmail you need to use https://www.googleapis.com/oauth2/v2/userinfo as the token endpoint.

> 5. The documentation says "pass_attrs = host=127.0.0.1", but if you are
> authenticating to Gmail, I should use
> "pass_attrs = proxy=y host=%{if;%s;eq;imap;imap.gmail.com;%{if;%s;eq;pop3;smtp.gmail.com;pop.gmail.com}}
> port=%{if;%s;eq;imap;993;%{if;%s;eq;pop3;587;465}} proxy_mech=xoauth2
> pass=%{oauth2:access_token} user=%{oauth2:email oauth2:email}"?

I would use something more readable, like the passwd-file driver with username_format=%s

The access token is also imported as %{token} in passdb.

> 6. What is the difference between dovecot-oauth2.token.conf.ext and
> dovecot-oauth2.plain.conf.ext? Do I need to configure both?
>
> I used
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/#proxy as
> a reference.
>
> I would appreciate your reply.
>
> Yours faithfully,
> ------------------------------
> e-mail: taiki.fuk...@justsystems.com
> TEL: 03-5324-7900
> mobile: 080-6198-7328
> ------------------------------

So this might work

/etc/dovecot/oauth2-token.conf.ext

  introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
  introspection_mode = auth
  username_attribute = email
  pass_attrs = proxy=y proxy_mech=xoauth2

/etc/dovecot/dovecot.conf

  auth_mechanisms = xoauth2 oauthbearer

  passdb {
    driver = oauth2
    args = /etc/dovecot/oauth2-token.conf.ext
    result_success = continue-ok
  }

  passdb {
    driver = passwd-file
    args = username_format=%s /etc/dovecot/endpoints
    skip = unauthenticated
  }

/etc/dovecot/endpoints

  imap::::::: host=imap.gmail.com
  pop3::::::: host=pop3.gmail.com
  submission::::::: host=smtp.gmail.com

Aki
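An added illustration, not from this thread or from dovecot's own code, of the pieces the configuration above wires together: the XOAUTH2/OAUTHBEARER initial client responses that the proxy relays, the bearer-header request that introspection_mode = auth sends to the userinfo URL, and the service-to-host lookup the passwd-file provides. The ENDPOINTS table, the request dictionary shape and SAMPLE_USERINFO are assumptions constructed for the example.

```python
import base64
import json
CTRL_A = "\x01"  # field separator used by XOAUTH2 and OAUTHBEARER (RFC 7628)

def xoauth2_initial_response(user, token):
    """Initial client response that proxy_mech=xoauth2 relays to the backend."""
    raw = f"user={user}{CTRL_A}auth=Bearer {token}{CTRL_A}{CTRL_A}"
    return base64.b64encode(raw.encode()).decode()

def oauthbearer_initial_response(user, token, host, port):
    """Initial client response for the oauthbearer mechanism (gs2 header first)."""
    raw = (f"n,a={user},{CTRL_A}host={host}{CTRL_A}port={port}{CTRL_A}"
           f"auth=Bearer {token}{CTRL_A}{CTRL_A}")
    return base64.b64encode(raw.encode()).decode()

def parse_sasl_bearer(b64):
    """Decode either mechanism's initial response into its fields plus the token."""
    raw = base64.b64decode(b64).decode()
    fields, body = {}, raw
    if raw.startswith("n,"):          # OAUTHBEARER: authzid lives in the gs2 header
        header, _, body = raw.partition(CTRL_A)
        for part in header.split(","):
            if part.startswith("a="):
                fields["user"] = part[2:]
    for kv in body.split(CTRL_A):     # remaining key=value pairs (token may contain '=')
        key, sep, value = kv.partition("=")
        if sep:
            fields[key] = value
    auth = fields.get("auth", "")
    if not auth.startswith("Bearer "):
        raise ValueError("SASL response carries no bearer token")
    fields["token"] = auth[len("Bearer "):]
    return fields

def introspection_request(introspection_url, token):
    """Request shape modelled on introspection_mode = auth: GET with a bearer header."""
    return {"method": "GET", "url": introspection_url,
            "headers": {"Authorization": f"Bearer {token}"}}

# service -> backend host, standing in for the passwd-file keyed on %s (assumed mapping)
ENDPOINTS = {"imap": "imap.gmail.com", "pop3": "pop.gmail.com", "submission": "smtp.gmail.com"}

def proxy_target(service, login_user, userinfo_json, username_attribute="email"):
    """Hand out the backend host only when the introspected identity matches the login."""
    claims = json.loads(userinfo_json)
    if claims.get(username_attribute) != login_user:
        raise PermissionError("token identity does not match the login username")
    if service not in ENDPOINTS:
        raise KeyError(f"no proxy endpoint configured for service {service!r}")
    return ENDPOINTS[service]

# constructed sample of what the userinfo endpoint might return for a valid token
SAMPLE_USERINFO = json.dumps({"sub": "1", "email": "alice@example.com", "email_verified": True})
```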