[
https://issues.apache.org/jira/browse/JAMES-4108?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17923094#comment-17923094
]
Benoit Tellier commented on JAMES-4108:
---------------------------------------
Yes this bug should already be fixed on master.
Feel free to open a backport pr.
Best regards,
Benoit
> James stuck in authentication loop after successful XOAUTH2 authentication
> --------------------------------------------------------------------------
>
> Key: JAMES-4108
> URL: https://issues.apache.org/jira/browse/JAMES-4108
> Project: James Server
> Issue Type: Bug
> Components: SMTPServer
> Affects Versions: 3.9.0
> Reporter: Felix
> Priority: Major
>
> I have set up a JAMES server with XOAUTH2.
> When I authenticate at the SMTP server with `AUTH XOAUTH2 <token>`,
> everything works fine.
> When I first send `AUTH XOAUTH2` (empty initial response), the server answers
> with `334` (as it should). I then send my token after that and the server
> responds `235 Authentication successful.`. But no matter what I send after
> that (it does not even have to be a valid command), the server responds
> alternately with
> 1. `334
> eyJzdGF0dXMiOiJpbnZhbGlkX3Rva2VuIiwic2NvcGUiOiJlbWFpbCIsInNjaGVtZXMiOiJodHRwczovLzxkb21haW4+L2F1dGgvcmVhbG1zLzxyZWFsbT4vLndlbGwta25vd24vb3BlbmlkLWNvbmZpZ3VyYXRpb24ifQ==`
> (own domain removed), decoded: `
> {"status":"invalid_token","scope":"email","schemes":"https://<domain>/auth/realms/<realm>/.well-known/openid-configuration"}
> ` and
> 2. `535 Authentication Failed`
> It seems like - although there was a successful authentication - the server
> seems to still be stuck in the XOAUTH2 authentication handler.
> I suspect that this is related to a recent bug (fixed in
> [https://github.com/apache/james-project/pull/2428]) where sending an empty
> initial response (only `AUTH XOAUTH2`) to the SMTP server resulted in a Null
> Pointer Exception.
> The IMAP server does not have these problems (no exception and no auth loop).
> Release 3.8.2 still has the null pointer exception (does not include the fix)
> but does not have the authentication loop (or it cannot be triggered because
> of the exception).
> Reproduce:
> - Clone and checkout
> [https://github.com/apache/james-project/commit/b3b75b5b5343d8a3d838617addab3e9c3b40e5d4]
> (current master at time of writing)
> - Build project with `mvn clean install -Dmaven.javadoc.skip=true
> -DskipTests`
> - Copy sample configuration from repo:
> [https://github.com/apache/james-project/tree/b3b75b5b5343d8a3d838617addab3e9c3b40e5d4/server/apps/jpa-app/sample-configuration]
> - Remove imap servers in `imapserver.xml` (not relevant here)
> - Remove lmtp server in `lmtpserver.xml` (not relevant here)
> - Remove managesieve server in `managesieveserver.xml` (not relevant here)
> - Remove pop3 server in `pop3server.xml` (not relevant here)
> - Remove all smtp servers except the port 25 one in `smtpserver.xml` (the
> others are not relevant here)
> - Change port of smtp server from 25 to 2525 in `smtpserver.xml` (enables
> starting without evelated privileges)
> - Configure the auth section of the smtp server in `smtpserver.xml` (see
> below)
> - Remove `authorizedAddresses` from the `smtpserver.xml` (I want to showcase
> OIDC authentication here)
> - Change the log file from `/logs/james.log` to `./james.log` in
> `logback.xml`
> - Add domain that will be in the token as the default domain in
> `domainlist.xml`
> - Start server with `java -javaagent:james-server-jpa
> app.lib/openjpa-4.0.0.jar -Dworking.directory=.
> -Djdk.tls.ephemeralDHKeySize=2048
> -Dlogback.configurationFile=conf/logback.xml -jar james-server-jpa-app.jar
> --generate-keystore`
> My full SMTP config (comments from the sample config removed):
> {code:xml}
> <smtpservers>
> <smtpserver enabled="true">
> <jmxName>smtpserver-global</jmxName>
> <bind>0.0.0.0:2525</bind>
> <connectionBacklog>200</connectionBacklog>
> <tls socketTLS="false" startTLS="false">
> <keystore>file://conf/keystore</keystore>
> <keystoreType>PKCS12</keystoreType>
> <secret>james72laBalle</secret>
>
> <provider>org.bouncycastle.jce.provider.BouncyCastleProvider</provider>
> <algorithm>SunX509</algorithm>
> </tls>
> <connectiontimeout>360</connectiontimeout>
> <connectionLimit>0</connectionLimit>
> <connectionLimitPerIP>0</connectionLimitPerIP>
> <auth>
> <announce>always</announce>
> <plainAuthEnabled>true</plainAuthEnabled>
> <requireSSL>false</requireSSL>
> <oidc>
>
> <oidcConfigurationURL>https://<domain>/auth/realms/<realm>/.well-known/openid-configuration</oidcConfigurationURL>
>
> <jwksURL>https://<domain>/auth/realms/<realm>/protocol/openid-connect/certs</jwksURL>
> <claim>sub-email</claim>
> <scope>email</scope>
> </oidc>
> </auth>
> <verifyIdentity>true</verifyIdentity>
> <maxmessagesize>0</maxmessagesize>
> <addressBracketsEnforcement>true</addressBracketsEnforcement>
> <smtpGreeting>Apache JAMES awesome SMTP Server</smtpGreeting>
> <handlerchain>
> <handler
> class="org.apache.james.smtpserver.fastfail.ValidRcptHandler"/>
> <handler
> class="org.apache.james.smtpserver.CoreCmdHandlerLoader"/>
> </handlerchain>
> </smtpserver>
> </smtpservers>
> {code}
> My platform (output von `mvn --version`):
> {code:java}
> Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
> Maven home: /usr/share/java/maven
> Java version: 21.0.6, vendor: Arch Linux, runtime:
> /usr/lib/jvm/java-21-openjdk
> Default locale: en_US, platform encoding: UTF-8
> OS name: "linux", version: "6.12.10-arch1-1", arch: "amd64", family: "unix"
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
