On 5 Oct 2023, at 9:26, Aki Tuomi wrote:

> Ok, i guess the problem is that it's somehow thinking it got everything
> already from the tokeninfo endpoint. Can you try enabling forced
> introspection?

It is already forced :-)

Christian

> Aki
>
>> On 05/10/2023 10:13 EEST Christian Rößner <li...@mlserv.org> wrote:
>>
>>> On 05.10.2023 at 09:08, Christian Rößner <li...@mlserv.org> wrote:
>>>
>>> Hi,
>>>
>>>> On 05.10.2023 at 08:22, Aki Tuomi via dovecot <dovecot@dovecot.org> wrote:
>>>>
>>>> You seem to be using userinfo and not introspect endpoint in your
>>>> configuration. Does userinfo return active too?
>>>
>>> tokeninfo_url = https://oauth.authserv.me:4444/userinfo?access_token=
>>> introspection_url = https://oauth.authserv.me:4445/admin/oauth2/introspect
>>
>> Here is an example of the userinfo results (I have a test client for this):
>>
>> ```json
>> {
>>   "OAuth2Token": {
>>     "access_token": "ory_at_***HIDDEN***",
>>     "token_type": "bearer",
>>     "refresh_token": "ory_rt_***HIDDEN***",
>>     "expiry": "2023-10-05T10:09:52.394731+02:00"
>>   },
>>   "IDTokenClaims": {
>>     "at_hash": "6UQR9dqFoaH1a-ztuZsmfg",
>>     "aud": [
>>       "718f4a52-e1a8-431d-9146-15809cfe3240"
>>     ],
>>     "auth_time": 1696489790,
>>     "dovecot_mailbox_path": "sdbox:~/sdbox:VOLATILEDIR=/srv/vmail/volatile/%2.256Nu/%Lu:LISTINDEX=/srv/vmail/listindex/%2.256Nu/%Lu/dovecot.list.index",
>>     "dovecot_user": "de10...@srvint.net",
>>     "email": "christian@roessner.email",
>>     "exp": 1696493393,
>>     "family_name": "Rößner",
>>     "given_name": "Christian",
>>     "groups": [
>>       "admin",
>>       "user",
>>       "superadmin",
>>       "familie",
>>       "kanzlei"
>>     ],
>>     "iat": 1696489793,
>>     "iss": "https://oauth.authserv.me:4444",
>>     "jti": "***",
>>     "name": "Christian Rößner",
>>     "nickname": "croessner",
>>     "nonce": "***",
>>     "preferred_username": "croessner",
>>     "rat": 1696489779,
>>     "sid": "***",
>>     "sub": "977c6572-d017-103b-836b-b5fc6e126160"
>>   }
>> }
>> ```
>>
>> I do not see something like an active flag.
>>
>> Christian
>>
>>>> Aki
>>>>
>>>>> On 04/10/2023 20:05 EEST Christian Rößner via dovecot
>>>>> <dovecot@dovecot.org> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> well I fear there is still something wrong.
>>>>>
>>>>>> On 04.10.2023 at 15:05, Aki Tuomi via dovecot
>>>>>> <dovecot@dovecot.org> wrote:
>>>>>>
>>>>>>> On 04/10/2023 16:02 EEST Christian Rößner <li...@mlserv.org> wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> On 04.10.2023 at 14:31, Aki Tuomi <aki.tu...@open-xchange.com> wrote:
>>>>>>>>
>>>>>>>>> On 04/10/2023 15:13 EEST Christian Rößner via dovecot
>>>>>>>>> <dovecot@dovecot.org> wrote:
>>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>>> On 04.10.2023 at 12:56, Arjen de Korte
>>>>>>>>>> <build+dove...@de-korte.org> wrote:
>>>>>>>>>>
>>>>>>>>>> Quoting Christian Rößner via dovecot <dovecot@dovecot.org>:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> I use Roundcube with OIDC. Everything works fine in Dovecot 2.3.20,
>>>>>>>>>>> but broke in 2.3.21. Downgrading to 2.3.20 makes it work again, so
>>>>>>>>>>> it is introduced in the newer release.
>>>>>>>>>>>
>>>>>>>>>>> Error (2.3.21):
>>>>>>>>>>> ```
>>>>>>>>>>> Oct 4 11:03:57 mx dovecot[558531]: imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 1 secs): user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>>>>>>>>>>> ```
>>>>>>>>>>>
>>>>>>>>>>> Here is an example with 2.3.20:
>>>>>>>>>>>
>>>>>>>>>>> Success (2.3.20):
>>>>>>>>>>> ```
>>>>>>>>>>> Oct 4 11:17:21 mx dovecot[889914]: imap-login: Login: user=<christian@roessner.email>, orig_user=<christian@roessner.email>, method=XOAUTH2, rip=192.168.0.4, lip=192.168.0.2, mpid=891874, TLS, TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
>>>>>>>>>>> ```
>>>>>>>>>>
>>>>>>>>>> Searching the archives might give a lead to what's going on (and a
>>>>>>>>>> possible workaround):
>>>>>>>>>>
>>>>>>>>>> https://dovecot.org/mailman3/archives/list/dovecot@dovecot.org/thread/RR2GXLOAS6U3MZCQCA4T4S6QXCRV5GST
>>>>>>>>>
>>>>>>>>> I get a different error from RC:
>>>>>>>>>
>>>>>>>>> ```
>>>>>>>>> Oct 04 12:08:48 node1 8868c38d7990[158494]: errors: <48ea0f68> IMAP Error: Login failed for christian@roessner.email against mail.roessner-net.de from 192.168.32.1 (X-Real-IP: 2003:a:a05:a600:858:7851:547f:8aed,X-Forwarded-For: 2003:a:a05:a600:858:7851:547f:8aed). AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed. in /var/www/html/program/lib/Roundcube/rcube_imap.php on line 211 (GET /index.php/login/oauth?code=ory_ac_L5_NrO7EjgIccmV-_Tq1Y1_vls6i9NS8lbO7mHYwVeQ.maAkpsqdG95hkLutiDi4aB2KDPvj_pQ65qD-tuY9zBI&scope=openid+offline_access+profile+email+dovecot&state=J3WpRsBcOrnw)
>>>>>>>>> ```
>>>>>>>>>
>>>>>>>>> And changing the introspection_url parameter did not change anything.
>>>>>>>>>
>>>>>>>>> Thanks in advance
>>>>>>>>>
>>>>>>>>> Christian Rößner
>>>>>>>>> --
>>>>>>>>
>>>>>>>> Can you provide auth_debug=yes logs?
>>>>>>>
>>>>>>> Turning on debug showed the problem:
>>>>>>>
>>>>>>> ```
>>>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
>>>>>>> ```
>>>>>>>
>>>>>>> In earlier configuration tests I had an 'active' claim. Dovecot prior to
>>>>>>> 2.3.21 seems to have ignored a missing field, while the newer version expects
>>>>>>> it to be present if configured.
>>>>>>>
>>>>>>> Thanks.
>>>>>>>
>>>>>>> Christian Rößner
>>>>>>> --
>>>>>>
>>>>>> Yes, this was a bug that was fixed, that the active attribute is now
>>>>>> actually checked.
>>>>>
>>>>> I thought I had mistakenly removed the active field, but I did not:
>>>>>
>>>>> ```
>>>>> curl -X POST -d 'scope=email&token=****HIDDEN***' https://oauth.authserv.me:4445/admin/oauth2/introspect
>>>>>
>>>>> {"active":true,"scope":"openid profile email groups dovecot offline offline_access","client_id":"718f4a52-e1a8-431d-9146-15809cfe3240","sub":"977c6572-d017-103b-836b-b5fc6e126160","exp":1696442299,"iat":1696438699,"nbf":1696438699,"aud":[],"iss":"https://oauth.authserv.me:4444","token_type":"Bearer","token_use":"access_token"}
>>>>> ```
>>>>>
>>>>> As you can see, the 'active' field exists, but Dovecot expects it to be a
>>>>> claim, which it is not.
>>>>>
>>>>> From auth_debug:
>>>>>
>>>>> ```
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Making token validation lookup to https://oauth.authserv.me:4444/userinfo?access_token=
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Token validation succeeded
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field auth_time
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_mailbox_path
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field dovecot_user
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field email
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field family_name
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field given_name
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iat
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field iss
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field name
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field nickname
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field preferred_username
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field rat
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): Processing field sub
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: Debug: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 active_attribute "active" is not present in the oauth2 server's response
>>>>> Oct 4 14:50:31 mx dovecot[1302421]: auth: oauth2(christian@roessner.email,192.168.0.4,<3kfgc+MGeuXAqAAE>): oauth2 failed: Token is not valid: Missing active_attribute from token
>>>>> ```
>>>>>
>>>>> Is this a bug, or does the active field shown above have nothing to do
>>>>> with the active field in the dovecot configuration?
>>>>>
>>>>> I would expect the field shown above.
>>>>>
>>>>> Thanks in advance
>>>>>
>>>>> Christian Rößner
>>>>> --
>>>>> Rößner-Network-Solutions
>>>>> Certified ITSiBe / CISO
>>>>> Karl-Bröger-Str. 10, 36304 Alsfeld
>>>>> Fax: +49 6631 78823409, Mobile: +49 171 9905345
>>>>> VAT ID: DE225643613, https://roessner.website
>>>>> PGP fingerprint: 658D 1342 B762 F484 2DDF 1E88 38A5 4346 D727 94E5
>>>>>
>>>>> _______________________________________________
>>>>> dovecot mailing list -- dovecot@dovecot.org
>>>>> To unsubscribe send an email to dovecot-le...@dovecot.org
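The thread turns on one detail: the userinfo response quoted above carries identity claims but no `active` field, while the RFC 7662 introspection response does, and from 2.3.21 a configured `active_attribute` is actually enforced. The small model below is an added example, not Dovecot's code; `check_active` and `validate_token` are hypothetical names, and the two sample responses are constructed, trimmed versions of the redacted ones in the thread. It shows why validating against the userinfo endpoint alone fails under the strict check, why it passed when a missing attribute was ignored, and why merging in the introspection response satisfies the check.

```python
import json

# Constructed sample, modelled on the userinfo (tokeninfo_url) response
# quoted in the thread: identity claims, but no "active" field.
USERINFO_RESPONSE = json.dumps({
    "sub": "977c6572-d017-103b-836b-b5fc6e126160",
    "email": "christian@roessner.email",
    "preferred_username": "croessner",
    "iss": "https://oauth.authserv.me:4444",
    "iat": 1696489793,
})

# Constructed sample, modelled on the RFC 7662 introspection
# (introspection_url) response quoted in the thread: it has "active".
INTROSPECT_RESPONSE = json.dumps({
    "active": True,
    "scope": "openid profile email groups dovecot offline_access",
    "client_id": "718f4a52-e1a8-431d-9146-15809cfe3240",
    "sub": "977c6572-d017-103b-836b-b5fc6e126160",
    "exp": 1696442299,
    "iss": "https://oauth.authserv.me:4444",
    "token_type": "Bearer",
})


def check_active(fields, active_attribute="active", active_value="true", strict=True):
    """Hypothetical model of an active_attribute / active_value check.

    strict=True models the 2.3.21 behaviour described in the thread: a
    configured active_attribute must be present and equal active_value.
    strict=False models the earlier behaviour, where a missing attribute
    was silently ignored. Returns (valid, reason).
    """
    if active_attribute not in fields:
        if strict:
            return False, (f'active_attribute "{active_attribute}" is not present '
                           "in the oauth2 server's response")
        return True, f'active_attribute "{active_attribute}" missing, ignored (lenient)'
    actual = fields[active_attribute]
    # JSON booleans arrive as bool while the configured value is a string,
    # so normalise both sides before comparing.
    if isinstance(actual, bool):
        actual = "true" if actual else "false"
    if str(actual).lower() != active_value.lower():
        return False, f"{active_attribute}={actual!r} does not match {active_value!r}"
    return True, "token is active"


def validate_token(tokeninfo_json, introspect_json=None, active_attribute="active",
                   active_value="true", strict=True):
    """Merge the fields of the tokeninfo response and, when one was fetched,
    the introspection response, then apply the active check to the merged
    set. Returns (valid, reason, merged_fields)."""
    fields = dict(json.loads(tokeninfo_json))
    if introspect_json is not None:
        # Introspection fields win on conflict; it is the authoritative
        # source for "active".
        fields.update(json.loads(introspect_json))
    ok, reason = check_active(fields, active_attribute, active_value, strict)
    return ok, reason, fields


if __name__ == "__main__":
    cases = [
        ("userinfo only, strict", dict(tokeninfo_json=USERINFO_RESPONSE)),
        ("userinfo only, lenient", dict(tokeninfo_json=USERINFO_RESPONSE, strict=False)),
        ("userinfo + introspection", dict(tokeninfo_json=USERINFO_RESPONSE,
                                         introspect_json=INTROSPECT_RESPONSE)),
    ]
    for label, kwargs in cases:
        ok, reason, _ = validate_token(**kwargs)
        print(f"{label:26s} -> {'OK  ' if ok else 'FAIL'}: {reason}")
```

The first case reproduces the "is not present in the oauth2 server's response" failure from the auth_debug log, the second is the pre-2.3.21 outcome, and the third is what the check needs: the `active` flag has to come from the introspection response, because the userinfo endpoint never supplies it.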