Hi Andrea,

> Do you know if the same applies also to other clients like Apple Mail
> and Outlook 20xx?

Sorry, I have not looked into it so I can't answer this. What I really don't understand in the way OAUTHBEARER or XOAUTH2 works with IMAP is how the client is supposed to know where to obtain a token from (or does it need to be explicitly configured?)...

> PS: Can you share your /etc/dovecot/dovecot-oauth2.conf.ext

Sure (some values have been replaced by capital letters). I'm doing it quite differently from you, using local introspection:

```
introspection_mode = local
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
issuers = https://XXXX/auth/realms/ZZZ
scope = email
username_attribute = AAAA
username_format = %n
# Hack to forcefully validate the aud
active_attribute = aud
active_value = YYYYY
```

And then I have to populate `/etc/dovecot/keys` as per
https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-validation

To debug the authentication/setup, here is what I did:

- Obtain a token from our local Keycloak:

```
# Request an access token with the password grant, then build the base64
# OAUTHBEARER initial response from it. The username is handed to jq with
# --arg so that the single-quoted filter still sees the expanded value.
curl --location --request POST 'https://XXXX/auth/realms/ZZZ/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'grant_type=password' \
  --data-urlencode 'client_id=YYYYY' \
  --data-urlencode "username=${username}" \
  --data-urlencode "password=${password}" \
  --data-urlencode "client_secret=${secret_key}" \
  | jq -r --arg user "${username}" \
      '"n,a=\($user),\u0001host=XXXX\u0001port=993\u0001auth=Bearer \(.access_token)\u0001\u0001" | @base64'
```

- Pass that token to IMAP through `a1 authenticate oauthbearer ....`

I hope this can help,

Cheers,
Vincent
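The OAUTHBEARER initial response that the jq expression above assembles, as an added Python example that is not part of this message or of Dovecot: it builds the response, checks one for structural mistakes when a server answers NO, and decodes the base64 JSON body a server returns on failure. Function names and the sample values are my own assumptions.

```python
import base64
import json

SEP = "\x01"  # RFC 7628 separates the key/value pairs with the ^A control character


def build_oauthbearer_initial_response(user: str, host: str, port: int, token: str) -> bytes:
    """Raw (not yet base64) initial response for `a1 AUTHENTICATE OAUTHBEARER <b64>`."""
    gs2_header = f"n,a={user},"  # "n" = no channel binding, a= is the authorization identity
    kv_pairs = f"host={host}{SEP}port={port}{SEP}auth=Bearer {token}{SEP}"
    return (gs2_header + SEP + kv_pairs + SEP).encode()


def encode_for_imap(raw: bytes) -> str:
    """IMAP expects the initial response as one base64 line, no wrapping."""
    return base64.b64encode(raw).decode("ascii")


def parse_oauthbearer_initial_response(raw: bytes) -> dict:
    """Split a response back into its fields, raising ValueError on a malformed layout.
    Handy when a server answers NO and you want to see exactly what the client sent."""
    text = raw.decode()
    if not text.endswith(SEP + SEP):
        raise ValueError("missing terminating ^A^A")
    cb_flag, _, rest = text[:-2].partition(",")
    if cb_flag not in ("n", "y") and not cb_flag.startswith("p="):
        raise ValueError(f"bad gs2 channel-binding flag: {cb_flag!r}")
    authzid, _, rest = rest.partition(",")
    if not authzid.startswith("a=") or not rest.startswith(SEP):
        raise ValueError("expected a=<authzid>, followed by ^A")
    fields = {"authzid": authzid[2:]}
    for item in filter(None, rest[1:].split(SEP)):
        key, _, value = item.partition("=")
        fields[key] = value
    if not fields.get("auth", "").startswith("Bearer "):
        raise ValueError("auth field must carry a Bearer token")
    return fields


def decode_server_failure(b64_challenge: str) -> dict:
    """On failure the server continues with a base64 JSON body such as
    {"status":"401",...}; decode it to read the reason instead of guessing."""
    return json.loads(base64.b64decode(b64_challenge))


if __name__ == "__main__":
    # Constructed sample values; a real token would come from the curl call above.
    raw = build_oauthbearer_initial_response("alice", "imap.example.org", 993, "TOKEN")
    print(encode_for_imap(raw))
    print(parse_oauthbearer_initial_response(raw))
```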