Re: Is XOAUTH2 support broken in 2.3.21?

Wed, 04 Oct 2023 06:27:56 -0700 

> On 04/10/2023 15:13 EEST Christian Rößner via dovecot <dovecot@dovecot.org> 
> wrote:
> 
>  
> Hi,
> 
> > Am 04.10.2023 um 12:56 schrieb Arjen de Korte <build+dove...@de-korte.org>:
> > 
> > Citeren Christian Rößner via dovecot <dovecot@dovecot.org>:
> > 
> >> Hi,
> >> 
> >> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, but 
> >> broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so it is 
> >> introduced in the newer release.
> >> 
> >> Error (2.3.21):
> >> ```
> >> Oct  4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection 
> >> closed (client didn't finish SASL auth, waited 1 secs): 
> >> user=<christian@roessner.email>, orig_user=<christian@roessner.email>, 
> >> method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher 
> >> TLS_AES_256_GCM_SHA384 (256/256 bits)
> >> ```
> >> 
> >> Here is an example with 2.3.20:
> >> 
> >> Success (2.3.20):
> >> ```
> >> Oct  4 11:17:21 mx dovecot[889914]: imap-login: Login: 
> >> user=<christian@roessner.email>, orig_user=<christian@roessner.email>, 
> >> method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, 
> >> TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> >> ```
> > 
> > Searching the archives might give a lead to what's going on (and a possible 
> > workaround):
> > 
> > https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXLOAS6U3MZCQCA4T4S6QXCRV5GST
> 
> I get a different error from RC:
> 
> ```
> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: 
> Login failed for christian@roessner.email against mail.roessner-net.de from 
> 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 
> 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO 
> [AUTHENTICATIONFAILED] Authentication failed. in 
> /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET 
> /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
> ```
> 
> And changing the introspection_url parameter did not change anything.
> 
> Thanks in advance
> 
> Christian Rößner
> -- 

Can you provide auth_debug=yes logs?

Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org

Reply via email to