Dear dovecot list members,
I am currently working on the task of implementing an MFA solution with
OpenID for our SOGo server v5.12.1.20250612-1 and our Dovecot server
v2.3.21.1. For this purpose, we are using a Shibboleth IDP v5.1.4 with
the appropriate OpenID extension via XOAUTH2.
In my opinion, authentication and authorization requests and responses
between SOGo and the IDP are working flawlessly, and with:
SOGoSMTPAuthenticationType = xoauth2;
NGImap4AuthMechanism = xoauth2;
the SOGo server forwards the received access token to the Dovecot
server. On the Dovecot side, I have configured the server as follows:
/etc/dovecot/conf.d/10-auth.conf:
disable_plaintext_auth = yes
auth_username_format = %Ln
auth_master_user_separator = *
auth_mechanisms = plain login
auth_verbose = yes
auth_verbose_passwords = no
auth_debug = yes
auth_debug_passwords = yes
mail_debug = yes
verbose_ssl = yes
!include auth-master.conf.ext
!include auth-oauth2.conf.ext
/etc/dovecot/conf.d/auth-oauth2.conf.ext
auth_mechanisms = $auth_mechanisms plain xoauth2 oauthbearer
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}
userdb {
driver = static
args = uid=vmail gid=vmail home=/var/vmail/%u
}
service auth {
unix_listener /var/spool/postfix/private/auth {
mode = 0660
# Assuming the default Postfix user and group
user = postfix
group = postfix
}
}
/etc/dovecot/dovecot-oauth2.conf.ext
introspection_mode = post
introspection_url = https://<ID>:<SECRET>@idp-test.uni-konstanz.de/idp/profile/oauth2/introspection
username_attribute = mail
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
As soon as the SOGo server contacts the Dovecot server, and the latter
contacts the IDP server, I see the following error message in the
Dovecot server logs:
Jun 13 11:44:47 bamenda dovecot: auth: Debug: http-client[1]: request [Req7: POST https://idp-test.uni-konstanz.de/idp/profile/oauth2/introspection]: Free (requests left=1)
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Introspection succeeded
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Processing field active
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): oauth2 active_attribute check failed: expected active="true" but got "false"
Jun 13 11:44:47 bamenda dovecot: auth: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): oauth2 failed: Introspection failed: Provided token is not valid
Jun 13 11:44:47 bamenda dovecot: auth: Debug: oauth2(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Finished passdb lookup
Jun 13 11:44:47 bamenda dovecot: auth: Debug: auth(pop519315,134.34.240.55,<kMaO5XA3FrWGIvA3>): Auth request finished
Is the error on the IDP side, or is there something wrong with my
Dovecot configuration, or both? How can I make Dovecot more verbose so
that I can see all the tokens exchanged with SOGo and the IDP?
I would greatly appreciate your help.
Best regards,
Markus Grandpré
--
Markus Ludwig Grandpré
Universität Konstanz
Kommunikations-, Informations-, Medienzentrum (KIM)
Abteilung IT-Dienste Forschung und Lehre,
B803, Tel: +49 7531 88 4342
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
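As an added example that is not part of the original post or of Dovecot itself: a small Python script that performs the same introspection_mode = post call Dovecot makes against the posted introspection_url and applies the active_attribute / active_value / username_attribute checks from the posted dovecot-oauth2.conf.ext to the JSON response, so the token SOGo forwards can be checked outside Dovecot before deciding whether the IDP or the Dovecot config is at fault. The CLIENT_ID / CLIENT_SECRET placeholders and the two sample responses are constructed.

```python
import base64
import json
from urllib.parse import urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Placeholders (assumption): the real client id/secret sit in the URL exactly
# as in the posted introspection_url setting.
INTROSPECTION_URL = ("https://CLIENT_ID:CLIENT_SECRET@idp-test.uni-konstanz.de"
                     "/idp/profile/oauth2/introspection")

# Constructed sample responses: the first mirrors what the Dovecot log shows.
SAMPLE_INACTIVE = {"active": False}
SAMPLE_ACTIVE = {"active": True, "mail": "user@example.org",
                 "client_id": "sogo", "scope": "openid email", "exp": 1750000000}


def build_introspection_request(url_with_creds, token):
    """Mimic introspection_mode = post: move user:pass from the URL into an
    HTTP Basic header and send the token as a form body (RFC 7662 section 2.1)."""
    p = urlsplit(url_with_creds)
    host = p.hostname + (f":{p.port}" if p.port else "")
    url = urlunsplit((p.scheme, host, p.path, p.query, ""))
    creds = base64.b64encode(f"{p.username}:{p.password}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    return url, headers, body


def evaluate_introspection(resp, active_attribute="active", active_value="true",
                           username_attribute="mail"):
    """Apply the posted config's checks to a decoded introspection response.
    Returns (ok, username_or_reason). Dovecot logs JSON booleans as the
    strings "true"/"false", so the comparison uses the string form too."""
    got = resp.get(active_attribute)
    if got is None or str(got).lower() != active_value:
        # RFC 7662 section 2.2: active=false for expired, revoked or never-issued
        # tokens, and for tokens the introspecting client may not inspect.
        return False, f'{active_attribute}={got!r}, expected "{active_value}"'
    user = resp.get(username_attribute)
    if not user:
        return False, f"{username_attribute} claim missing from response"
    return True, user


def introspect(url_with_creds, token, timeout=10):
    """Perform the live call and evaluate it; needs network access to the IdP."""
    url, headers, body = build_introspection_request(url_with_creds, token)
    req = Request(url, data=body.encode(), headers=headers, method="POST")
    with urlopen(req, timeout=timeout) as r:  # TLS certificate verified by default
        return evaluate_introspection(json.load(r))
```

Run `introspect(INTROSPECTION_URL, token)` with the access token captured from SOGo (auth_debug_passwords = yes logs it); if the IdP answers active=false for a token SOGo just obtained, the cause is on the IdP side per the reasons in the comment, and if it answers active=true without a `mail` claim, the username_attribute setting is the problem.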