This is an automated email from the ASF dual-hosted git repository.

btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 24edc560f16c56dfddc6eca0852a85f808ba1235
Author: Felix Auringer <[email protected]>
AuthorDate: Mon Sep 8 15:08:46 2025 +0200

    refactor(examples): small improvements for oidc example
    
    - More modern syntax in compose file.
    - Remove non-working links from readme.
    - Use consistent container names (always ending in .example.com).
    - Reduce output of test script.
---
 examples/oidc/README.md                            | 14 +++----
 examples/oidc/apisix/conf/apisix.yaml              |  2 +-
 examples/oidc/{docker-compose.yml => compose.yaml} | 43 ++++++++++------------
 examples/oidc/james/usersrepository.xml            |  2 +-
 examples/oidc/test.sh                              | 33 +++++++++--------
 5 files changed, 46 insertions(+), 48 deletions(-)

diff --git a/examples/oidc/README.md b/examples/oidc/README.md
index 08d7eae74e..8fe5e13e92 100644
--- a/examples/oidc/README.md
+++ b/examples/oidc/README.md
@@ -6,12 +6,10 @@ This is example of an OIDC setup with James.
 
 The API Gateway for example is [Apisix](https://apisix.apache.org/), we can 
use Apisix for websocket gateway, horizontal scaling, etc...
 
-This [docker-compose](docker-compose.yml) will start the following services:
+This [docker compose](./compose.yaml) will start the following services:
 
 - apisix: The image `linagora/apisix:3.2.0-debian-javaplugin` was created by 
Linagora. It based on `apisix:3.2.0-debian`, it already contain apisix plugin 
for 
   SLO (Single Logout) and rewrite the `X-User` header. 
-  - Dockerfile: 
[here](https://github.com/linagora/tmail-backend/blob/master/demo/apisix/Dockerfile)
-  - Project `tmail-apisix-plugin-runner`: 
[here](https://github.com/linagora/tmail-backend/tree/master/demo/apisix/tmail-apisix-plugin-runner)
   - Apisix being the OIDC gateway against James by exposing two endpoints:
       - `POST /jmap` for JMAP requests against James with normal authentication
       - `POST /oidc/jmap` for JMAP request against James with a JWT token 
issued by the LemonLDAP
@@ -161,21 +159,21 @@ Use websocket with endpoint 
`ws://apisix.example.com:9080/oidc/jmap/ws` and the
 
 We would use Thunderbird version 91.4.1 as a mail client (above versions 
should work).
 * Open `/thunderbird/omni.ja` in your host, find and modify 
`OAuth2Providers.jsm`:
-  * Add James hostname in kHostnames: `["localhost", ["james.local", 
"email"]],`
+  * Add James hostname in kHostnames: `["localhost", ["james.example.com", 
"email"]],`
   * Register using `james-thunderbird` Keycloak client in kIssuers:
   ```
   [
-    "james.local",
+    "james.example.com",
     [
       "james-thunderbird", //client_id from keycloak
       "Xw9ht1veTu0Tk5sMMy03PdzY3AiFvssw", // client_secret from keycloak
-      
"http://keycloak.local:8080/auth/realms/oidc/protocol/openid-connect/auth";,
-      
"http://keycloak.local:8080/auth/realms/oidc/protocol/openid-connect/token";,
+      
"http://sso.example.com:8080/auth/realms/oidc/protocol/openid-connect/auth";,
+      
"http://sso.example.com:8080/auth/realms/oidc/protocol/openid-connect/token";,
     ],
   ] 
   ```
 
-* Adding a line `127.0.0.1 keycloak.local` to your `/etc/hosts` so Thunderbird 
can resolve the address of keycloak.
+* Adding a line `127.0.0.1 sso.example.com` to your `/etc/hosts` so 
Thunderbird can resolve the address of keycloak.
 * Run Thunderbird, configure it using `james-user@localhost` account against 
these IMAP/SMTP settings:
   * IMAP: server: localhost, port: 143, connection security: No, 
authentication method: OAUTH2
     ![](_media/imap-setting.png)
diff --git a/examples/oidc/apisix/conf/apisix.yaml 
b/examples/oidc/apisix/conf/apisix.yaml
index cc8d14db34..cf27c1afe2 100644
--- a/examples/oidc/apisix/conf/apisix.yaml
+++ b/examples/oidc/apisix/conf/apisix.yaml
@@ -219,7 +219,7 @@ upstreams:
   -
     id: jmap_upstream
     nodes:
-      "james:80": 1
+      "james.example.com:80": 1
     type: roundrobin
 
 plugin_configs:
diff --git a/examples/oidc/docker-compose.yml b/examples/oidc/compose.yaml
similarity index 71%
rename from examples/oidc/docker-compose.yml
rename to examples/oidc/compose.yaml
index 31e0261d84..dc39fd20ba 100644
--- a/examples/oidc/docker-compose.yml
+++ b/examples/oidc/compose.yaml
@@ -1,5 +1,3 @@
-version: "3"
-
 services:
   apisix:
     container_name: apisix.example.com
@@ -8,11 +6,11 @@ services:
       - ./apisix/conf/apisix.yaml:/usr/local/apisix/conf/apisix.yaml
       - ./apisix/conf/config.yaml:/usr/local/apisix/conf/config.yaml
     environment:
-      - X_USER_SECRET=xusersecret123
+      X_USER_SECRET: xusersecret123
     networks:
       - james
     ports:
-      - "9080:9080/tcp"
+      - "127.0.0.1:9080:9080"
 
   james:
     depends_on:
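Review bot: The `X_USER_SECRET: xusersecret123` value stays a literal in the compose file, and the same holds for `KEYCLOAK_PASSWORD: admin` in the sso hunk further down. Binding the published ports to 127.0.0.1 narrows who can reach these services from outside the host, but anyone who copies the example still inherits publicly known credentials. I would mark each with a comment such as `# demo-only value, replace before reusing this file`, or take the value from the environment with `X_USER_SECRET: ${X_USER_SECRET:-xusersecret123}`. The apisix service definition starts above this hunk.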
@@ -20,10 +18,9 @@ services:
     networks:
       - james
     image: apache/james:memory-latest
-    container_name: james
-    hostname: james.local
-    command:
-      - --generate-keystore
+    container_name: james.example.com
+    hostname: james.example.com
+    command: [--generate-keystore]
     volumes:
       - ./james/usersrepository.xml:/root/conf/usersrepository.xml
       - ./james/jmap.properties:/root/conf/jmap.properties
@@ -31,14 +28,14 @@ services:
       - ./james/smtpserver.xml:/root/conf/smtpserver.xml
       - ./james/managesieveserver.xml:/root/conf/managesieveserver.xml
     ports:
-      - "8000:8000"
-      - "143:143"
-      - "587:587"
-      - "4190:4190"
+      - "127.0.0.1:8000:8000"
+      - "127.0.0.1:143:143"
+      - "127.0.0.1:587:587"
+      - "127.0.0.1:4190:4190"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://james:8000/domains";]
 
-  sso.example.com:
+  sso:
     depends_on:
       - ldap
     image: quay.io/keycloak/keycloak:16.1.0
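Review bot: The healthcheck still targets the short name `james`, while this commit moves `container_name`, `hostname` and the APISIX upstream to `james.example.com`. The short name presumably still resolves through the compose service alias, so this is a consistency point rather than a breakage; `"http://james.example.com:8000/domains"` as the last element of `test:` would match the rest of the change. The curl call carries no credentials, which suggests port 8000 is unauthenticated in this example, so a comment on the `127.0.0.1:8000:8000` mapping explaining why it is loopback-only would help. The renamed `sso` service depends on a line outside this hunk (presumably its `container_name`) to keep `sso.example.com` resolvable for the other containers.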
@@ -46,25 +43,25 @@ services:
     volumes:
       - ./keycloak/realm-oidc.json:/tmp/realm-oidc.json
     ports:
-      - "8080:8080"
+      - "127.0.0.1:8080:8080"
     environment:
-      - KEYCLOAK_USER=admin
-      - KEYCLOAK_PASSWORD=admin
-      - KEYCLOAK_IMPORT=/tmp/realm-oidc.json
+      KEYCLOAK_USER: admin
+      KEYCLOAK_PASSWORD: admin
+      KEYCLOAK_IMPORT: /tmp/realm-oidc.json
     networks:
       - james
 
   ldap:
-    container_name: ldap
+    container_name: ldap.example.com
     image: osixia/openldap:1.5.0
     ports:
-      - "389:389"
-      - "636:636"
+      - "127.0.0.1:389:389"
+      - "127.0.0.1:636:636"
     command: [--copy-service]
     volumes:
       - 
./ldap/populate.ldif:/container/service/slapd/assets/config/bootstrap/ldif/data.ldif
     environment:
-      - LDAP_DOMAIN=localhost
+      LDAP_DOMAIN: localhost
     networks:
       - james
 
@@ -75,7 +72,7 @@ services:
     networks:
       - james
     ports:
-      - "6379:6379"
+      - "127.0.0.1:6379:6379"
 
 networks:
-  james:
\ No newline at end of file
+  james:
diff --git a/examples/oidc/james/usersrepository.xml 
b/examples/oidc/james/usersrepository.xml
index a0c316db38..3f348fd41c 100644
--- a/examples/oidc/james/usersrepository.xml
+++ b/examples/oidc/james/usersrepository.xml
@@ -22,7 +22,7 @@
 
 <usersrepository name="LocalUsers"
                  class="org.apache.james.user.ldap.ReadOnlyUsersLDAPRepository"
-                 ldapHost="ldap://ldap:389";
+                 ldapHost="ldap://ldap.example.com:389";
                  principal="cn=admin,dc=localhost"
                  credentials="admin"
                  userBase="ou=people,dc=localhost"
diff --git a/examples/oidc/test.sh b/examples/oidc/test.sh
index 5477975955..c956aea0e3 100755
--- a/examples/oidc/test.sh
+++ b/examples/oidc/test.sh
@@ -1,8 +1,10 @@
 #!/bin/sh
 
-set -eux
+# You need to start the compose project before running this script!
 
-docker-compose up -d
+set -eu
+# Uncomment the following line to print more information.
+# set -x
 
 GET_TOKEN_RESPONSE=`curl --location 
'http://sso.example.com:8080/auth/realms/oidc/protocol/openid-connect/token' \
                                   --header 'Content-Type: 
application/x-www-form-urlencoded' \
@@ -14,7 +16,9 @@ GET_TOKEN_RESPONSE=`curl --location 
'http://sso.example.com:8080/auth/realms/oid
                                   --data-urlencode 'password=secret' 
2>/dev/null`
 
 ACCESS_TOKEN=`echo $GET_TOKEN_RESPONSE 2>/dev/null |perl -pe 
's/^.*"access_token"\s*:\s*"(.*?)".*$/$1/'`
+echo "Access token: $ACCESS_TOKEN"
 REFRESH_TOKEN=`echo $GET_TOKEN_RESPONSE 2>/dev/null |perl -pe 
's/^.*"refresh_token"\s*:\s*"(.*?)".*$/$1/'`
+echo "Refresh token: $REFRESH_TOKEN"
 
 echo "Got an access_token"
 if curl -H "Authorization: Bearer $ACCESS_TOKEN" 
http://sso.example.com:8080/auth/realms/oidc/protocol/openid-connect/userinfo 
2>/dev/null| grep james-user >/dev/null; then
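Review bot: The two added `echo` lines print the full access token and refresh token on every run. The `XOAUTH2:` and `OAUTHBEARER:` echoes added in the last hunk print the same bearer token, only base64-encoded. The commit makes `set -x` tracing opt-in, but these lines put the credentials back into terminal scrollback and CI logs unconditionally, and a refresh token is the longer-lived of the two. I would gate them behind a debug switch, for example `if [ -n "${DEBUG:-}" ]; then echo "Access token: $ACCESS_TOKEN"; fi`, or print only that a token was obtained.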
@@ -23,8 +27,7 @@ else
        echo "ACCESS_TOKEN VERIFICATION FAILED"
 fi
 
-echo -n "Trying James: "
-
+echo -n "Trying James:"
 APISIX_JMAP_ENDPOINT=apisix.example.com:9080/oidc/jmap/session
 if curl -v -H 'Accept: application/json; jmapVersion=rfc-8621' -H 
"Authorization: Bearer $ACCESS_TOKEN" $APISIX_JMAP_ENDPOINT 2>/dev/null | grep 
uploadUrl >/dev/null; then
        echo "OK"
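Review bot: Dropping the space after the colon makes the result print as `Trying James:OK`, because the following `echo "OK"` continues the same line. `echo -n` is also not portable under `#!/bin/sh`; `printf 'Trying James: '` keeps the separator and avoids that. The if/else this line feeds continues past the end of the hunk.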
@@ -33,45 +36,45 @@ else
 fi
 
 XOAUTH2_INITIAL_CLIENT_RESPONSE=`echo -n -e 
"user=james-user@localhost\x01auth=Bearer ${ACCESS_TOKEN}\x01\x01" | base64 -w 
0`
+echo "XOAUTH2: $XOAUTH2_INITIAL_CLIENT_RESPONSE"
 OAUTHBEARER_INITIAL_CLIENT_RESPONSE=`echo -n -e 
"n,a=james-user@localhost\x01auth=Bearer ${ACCESS_TOKEN}\x01\x01" | base64 -w 0`
+echo "OAUTHBEARER: $OAUTHBEARER_INITIAL_CLIENT_RESPONSE"
 
-set +x
-MANAGESIEVE_XOAUTH2_RESPONSE=`(echo "AUTHENTICATE \"XOAUTH2\" 
\"${XOAUTH2_INITIAL_CLIENT_RESPONSE}\""; echo "CAPABILITY"; echo "LOGOUT"; 
sleep 3) | telnet localhost 4190`
-if echo $MANAGESIEVE_XOAUTH2_RESPONSE | grep "\"OWNER\" 
\"james-user@localhost\"" > /dev/null; then
+MANAGESIEVE_XOAUTH2_RESPONSE=`(echo "AUTHENTICATE \"XOAUTH2\" 
\"${XOAUTH2_INITIAL_CLIENT_RESPONSE}\""; echo "CAPABILITY"; echo "LOGOUT"; 
sleep 3) | telnet 127.0.0.1 4190`
+if echo "$MANAGESIEVE_XOAUTH2_RESPONSE" | grep "\"OWNER\" 
\"james-user@localhost\"" > /dev/null; then
        echo "Success: Managesieve XOAUTH2 login"
 else
        echo "Error: Managesieve XOAUTH2 login"
 fi
-if echo $MANAGESIEVE_XOAUTH2_RESPONSE | grep "OK channel is closing" > 
/dev/null; then
+if echo "$MANAGESIEVE_XOAUTH2_RESPONSE" | grep "OK channel is closing" > 
/dev/null; then
        echo "Success: Managesieve XOAUTH2 logout"
 else
        echo "Error: Managesieve XOAUTH2 logout"
 fi
 
-IMAP_XOAUTH2_RESPONSE=`(echo "a AUTHENTICATE XOAUTH2 
${XOAUTH2_INITIAL_CLIENT_RESPONSE}"; echo "c LOGOUT"; sleep 3) | telnet 
localhost 143`
-if echo $IMAP_XOAUTH2_RESPONSE | grep "a OK AUTHENTICATE completed" > 
/dev/null; then
+IMAP_XOAUTH2_RESPONSE=`(echo "a AUTHENTICATE XOAUTH2 
${XOAUTH2_INITIAL_CLIENT_RESPONSE}"; echo "c LOGOUT"; sleep 3) | telnet 
127.0.0.1 143`
+if echo "$IMAP_XOAUTH2_RESPONSE" | grep "a OK AUTHENTICATE completed" > 
/dev/null; then
        echo "Success: IMAP XOAUTH2 login"
 else
        echo "Error: IMAP XOAUTH2 login"
 fi
-if echo $IMAP_XOAUTH2_RESPONSE | grep "c OK LOGOUT completed" > /dev/null; then
+if echo "$IMAP_XOAUTH2_RESPONSE" | grep "c OK LOGOUT completed" > /dev/null; 
then
        echo "Success: IMAP XOAUTH2 logout"
 else
        echo "Error: IMAP XOAUTH2 logout"
 fi
 
-SMTP_XOAUTH2_RESPONSE=`(echo "AUTH XOAUTH2 
${XOAUTH2_INITIAL_CLIENT_RESPONSE}"; echo "QUIT"; sleep 3) | telnet localhost 
587`
-if echo $SMTP_XOAUTH2_RESPONSE | grep "235 Authentication successful" > 
/dev/null; then
+SMTP_XOAUTH2_RESPONSE=`(echo "AUTH XOAUTH2 
${XOAUTH2_INITIAL_CLIENT_RESPONSE}"; echo "QUIT"; sleep 3) | telnet 127.0.0.1 
587`
+if echo "$SMTP_XOAUTH2_RESPONSE" | grep "235 Authentication successful" > 
/dev/null; then
        echo "Success: SMTP XOAUTH2 login"
 else
        echo "Error: SMTP XOAUTH2 login"
 fi
-if echo $SMTP_XOAUTH2_RESPONSE | grep "221 2.0.0 james.local Service closing 
transmission channel" > /dev/null; then
+if echo "$SMTP_XOAUTH2_RESPONSE" | grep "221 2.0.0 james.example.com Service 
closing transmission channel" > /dev/null; then
        echo "Success: SMTP XOAUTH2 logout"
 else
        echo "Error: SMTP XOAUTH2 logout"
 fi
-set -x
 
 # Logout
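Review bot: Every failed login or logout check in this hunk only prints `Error: ...` and the script carries on, so a failed authentication path does not change the exit status. `set -eu` does not help here, because a failing command in an `if` condition never triggers `-e`. I would record failures in each `else` branch, e.g. `echo "Error: IMAP XOAUTH2 login"; FAILED=1`, and finish the script with `exit "${FAILED:-0}"`. The script continues after `# Logout` outside this hunk, so a final status may already be handled there.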
 

