Ok, I guess the problem is that it's somehow thinking it got everything already 
from the tokeninfo endpoint. Can you try enabling forced introspection?

Aki

> On 05/10/2023 10:13 EEST Christian Rößner <li...@mlserv.org> wrote:
> 
>  
> > On 05.10.2023 at 09:08, Christian Rößner <li...@mlserv.org> wrote:
> > 
> > Hi,
> > 
> >> On 05.10.2023 at 08:22, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
> >> 
> >> You seem to be using userinfo and not introspect endpoint in your 
> >> configuration. Does userinfo return active too?
> > 
> > tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token=
> > introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
> > 
> Here is an example of the userinfo results (I have a test client for this):
> 
> ```json
> {
> "OAuth2Token": {
> "access_token": "ory_at_***HIDDEN***",
> "token_type": "bearer",
> "refresh_token": "ory_rt_***HIDDEN***",
> "expiry": "2023-10-05T10:09:52.394731+02:00"
> },
> "IDTokenClaims": {
> "at_hash": "6UQR9dqFoaH1a-ztuZsmfg",
> "aud": [
> "718f4a52-e1a8-431d-9146-15809cfe3240"
> ],
> "auth_time": 1696489790,
> "dovecot_mailbox_path": "sdbox:~/sdbox:VOLATILEDIR=/srv/vmail/volatile/%2.256Nu/%Lu:LISTINDEX=/srv/vmail/listindex/%2.256Nu/%Lu/dovecot.list.index",
> "dovecot_user": "de10...@srvint.net",
> "email": "christian@roessner.email",
> "exp": 1696493393,
> "family_name": "Rößner",
> "given_name": "Christian",
> "groups": [
> "admin",
> "user",
> "superadmin",
> "familie",
> "kanzlei"
> ],
> "iat": 1696489793,
> "iss": "https://oauth.authserv.me:4444",
> "jti": "***",
> "name": "Christian Rößner",
> "nickname": "croessner",
> "nonce": "***",
> "preferred_username": "croessner",
> "rat": 1696489779,
> "sid": "***",
> "sub": "977c6572-d017-103b-836b-b5fc6e126160"
> }
> }
> ```
> 
> I do not see something like an active flag.
> 
> Christian 
> 
> >> 
> >> Aki
> >> 
> >>> On 04/10/2023 20:05 EEST Christian Rößner via dovecot 
> >>> <dovecot@dovecot.org> wrote:
> >>> 
> >>> 
> >>> Hi,
> >>> 
> >>> well I fear there is still something wrong.
> >>> 
> >>>> On 04.10.2023 at 15:05, Aki Tuomi via dovecot 
> >>>> <dovecot@dovecot.org> wrote:
> >>>> 
> >>>>> 
> >>>>> On 04/10/2023 16:02 EEST Christian Rößner <li...@mlserv.org> wrote:
> >>>>> 
> >>>>> 
> >>>>> Hi,
> >>>>> 
> >>>>>> On 04.10.2023 at 14:31, Aki Tuomi <aki.tu...@open-xchange.com> wrote:
> >>>>>> 
> >>>>>>> 
> >>>>>>> On 04/10/2023 15:13 EEST Christian Rößner via dovecot 
> >>>>>>> <dovecot@dovecot.org> wrote:
> >>>>>>> 
> >>>>>>> 
> >>>>>>> Hi,
> >>>>>>> 
> >>>>>>>> On 04.10.2023 at 12:56, Arjen de Korte 
> >>>>>>>> <build+dove...@de-korte.org> wrote:
> >>>>>>>> 
> >>>>>>>> Quoting Christian Rößner via dovecot <dovecot@dovecot.org>:
> >>>>>>>> 
> >>>>>>>>> Hi,
> >>>>>>>>> 
> >>>>>>>>> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20, 
> >>>>>>>>> but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so 
> >>>>>>>>> it is introduced in the newer release.
> >>>>>>>>> 
> >>>>>>>>> Error (2.3.21):
> >>>>>>>>> ```
> >>>>>>>>> Oct  4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: 
> >>>>>>>>> Connection closed (client didn't finish SASL auth, waited 1 secs): 
> >>>>>>>>> user=<christian@roessner.email>, 
> >>>>>>>>> orig_user=<christian@roessner.email>, method=XOAUTH2, 
> >>>>>>>>> rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher 
> >>>>>>>>> TLS_AES_256_GCM_SHA384 (256/256 bits)
> >>>>>>>>> ```
> >>>>>>>>> 
> >>>>>>>>> Here is an example with 2.3.20:
> >>>>>>>>> 
> >>>>>>>>> Success (2.3.20):
> >>>>>>>>> ```
> >>>>>>>>> Oct  4 11:17:21 mx dovecot[889914]: imap-login: Login: 
> >>>>>>>>> user=<christian@roessner.email>, 
> >>>>>>>>> orig_user=<christian@roessner.email>, method=XOAUTH2, 
> >>>>>>>>> rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with 
> >>>>>>>>> cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
> >>>>>>>>> ```
> >>>>>>>> 
> >>>>>>>> Searching the archives might give a lead to what's going on (and a 
> >>>>>>>> possible workaround):
> >>>>>>>> 
> >>>>>>>> https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXLOAS6U3MZCQCA4T4S6QXCRV5GST
> >>>>>>> 
> >>>>>>> I get a different error from RC:
> >>>>>>> 
> >>>>>>> ```
> >>>>>>> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP 
> >>>>>>> Error: Login failed for christian@roessner.email against 
> >>>>>>> mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 
> >>>>>>> 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 
> >>>>>>> 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO 
> >>>>>>> [AUTHENTICATIONFAILED] Authentication failed. in 
> >>>>>>> /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET 
> >>>>>>> /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
> >>>>>>> ```
> >>>>>>> 
> >>>>>>> And changing the introspection_url parameter did not change anything.
> >>>>>>> 
> >>>>>>> Thanks in advance
> >>>>>>> 
> >>>>>>> Christian Rößner
> >>>>>>> -- 
> >>>>>> 
> >>>>>> Can you provide auth_debug=yes logs?
> >>>>> 
> >>>>> Turning on debug showed the problem:
> >>>>> 
> >>>>> ```
> >>>>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>>>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 
> >>>>> active_attribute "active" is not present in the oauth2 server's response
> >>>>> ```
> >>>>> 
> >>>>> In earlier configuration tests I had an 'active' claim. Dovecot prior to 
> >>>>> 2.3.21 seems to have ignored a missing field, while the newer version 
> >>>>> expects it to be present if configured.
> >>>>> 
> >>>>> Thanks.
> >>>>> 
> >>>>> Christian Rößner
> >>>>> -- 
> >>>> 
> >>>> Yes, this was a bug that was fixed, that the active attribute is now 
> >>>> actually checked.
> >>> 
> >>> I thought I had mistakenly removed the active field, but I did not:
> >>> 
> >>> ```
> >>> curl -X POST -d 'scope=email&token=****HIDDEN***' 
> >>> https://oauth.authserv.me:4445/admin/oauth2/introspect
> >>> 
> >>> {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
> >>> ```
> >>> 
> >>> As you can see, the 'active' field exists, but Dovecot expects it to be a 
> >>> claim, which it is not.
> >>> 
> >>> From auth_debug:
> >>> 
> >>> ```
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making 
> >>> token validation lookup to 
> >>> https://oauth.authserv.me:4444/userinfo?access_token=
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token 
> >>> validation succeeded
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field auth_time
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field dovecot_mailbox_path
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field dovecot_user
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field email
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field family_name
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field given_name
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field iat
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field iss
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field name
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field nickname
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field preferred_username
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field rat
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): 
> >>> Processing field sub
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: Debug: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 
> >>> active_attribute "active" is not present in the oauth2 server's response
> >>> Oct  4 14:50:31 mx dovecot[1302421]: auth: 
> >>> oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 
> >>> failed: Token is not valid: Missing active_attribute from token
> >>> ```
> >>> 
> >>> Is this a bug, or does the active field shown above have nothing to do 
> >>> with the active field in the dovecot configuration?
> >>> 
> >>> I would expect the field shown above.
> >>> 
> >>> Thanks in advance
> >>> 
> >>> Christian Rößner
> >>> -- 
> >>> Rößner-Network-Solutions
> >>> Certified ITSiBe / CISO
> >>> Karl-Bröger-Str. 10, 36304 Alsfeld
> >>> Fax: +49 6631 78823409, Mobile: +49 171 9905345
> >>> VAT ID: DE225643613, https://roessner.website
> >>> PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5 
> >>> 
> >>> _______________________________________________
> >>> dovecot mailing list -- dovecot@dovecot.org
> >>> To unsubscribe send an email to dovecot-le...@dovecot.org
> > 
> > Christian Rößner
> > -- 
> 
> Christian Rößner
> -- 
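As an added example (not code from the thread and not Dovecot's own implementation), here is a small Python model of the check the debug log above describes: a configured active_attribute has to be present in whatever response Dovecot ends up using, which the userinfo reply never satisfies and the introspection reply does. The lookup order, the merge on forced introspection and the exp check are simplifying assumptions, as are the sample JSON bodies, which are constructed and trimmed from the ones quoted in the thread.

```python
import json

# Dovecot oauth2 settings assumed for this example; active_attribute is the
# setting the thread discusses, active_value its assumed companion.
ACTIVE_ATTRIBUTE = "active"
ACTIVE_VALUE = "true"

# Constructed, trimmed from the userinfo reply quoted in the thread: plenty of
# claims, but no "active" key at all.
USERINFO_RESPONSE = json.loads("""{
  "sub": "977c6572-d017-103b-836b-b5fc6e126160",
  "email": "christian@roessner.email",
  "iat": 1696489793, "exp": 1696493393
}""")

# Constructed, trimmed from the introspection reply (RFC 7662 shape): "active"
# is a top-level boolean of the introspection result, not a claim in the token.
INTROSPECT_RESPONSE = json.loads("""{
  "active": true, "sub": "977c6572-d017-103b-836b-b5fc6e126160",
  "iat": 1696438699, "exp": 1696442299
}""")


def check_active(fields, attribute=ACTIVE_ATTRIBUTE, value=ACTIVE_VALUE):
    """Fail closed the way 2.3.21 does: a configured attribute that is absent
    is an error, not something to skip. Returns (ok, reason)."""
    if attribute not in fields:
        return False, f'Missing active_attribute "{attribute}" from token'
    # JSON true and the string "true" are both accepted (assumed rule)
    if str(fields[attribute]).lower() != value.lower():
        return False, f"{attribute}={fields[attribute]!r} is not {value!r}"
    return True, "active check passed"


def validate_token(tokeninfo, introspection, now, force_introspection=False):
    """Simplified model of the lookup order seen in the thread's debug log:
    the tokeninfo (userinfo) fields are used as-is, and introspection fields
    are only merged in when forced. Also rejects a token whose exp has passed."""
    fields = dict(tokeninfo)
    if force_introspection and introspection is not None:
        fields.update(introspection)
    ok, reason = check_active(fields)
    if not ok:
        return False, reason
    if "exp" in fields and int(fields["exp"]) <= now:
        return False, "Token is expired"
    return True, "Token validation succeeded"
```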