Executed test plan on Noble.

Failing before installing dovecot-core from -proposed:

trying to authenticate (single aud)
passdb: test@example.com auth succeeded
extra fields: test@example.com
  token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoidGVzdEBleGFtcGxlLmNvbSIsImF1ZCI6ImRvdmVjb3QiLCJleHAiOjE3NzMxNjY1OTF9.joJPOS3OZ77Y5JD8MUbM7y2_Woo3sps2mXswX59bOSqB8o1n4LhF6tHoQ_--eeIdfQxbDFSrEEAt4AnjN4P_B2uAvuOBml4HfNCexTFsT2uASlrIOvo9TIHO2GaDGN1jXtYvsEg6_eG-VNhutCMDM42NOYws_5me7MdyfZM9EM2Y2CBnChLtEEfh9iQqhNigP96E2E7iYD1PdghMBHk8pIWCc6duIT7Hq1Ha6YRvrt_KHSI_bitGGBh6N-l52vevfA8m2M6ym1UPwgfF1NJ_MxA60l-EIZE4pNjyPBUKg8xNGKQrhLlj1BpNfO5UjgnCGE_4SaI6xKAYkji_BTZJWg
trying to authenticate (multiple aud)
passdb: test@example.com auth failed
extra fields: test@example.com

After installing dovecot-core from -proposed:

trying to authenticate (single aud)
passdb: test@example.com auth succeeded
extra fields: test@example.com
  token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoidGVzdEBleGFtcGxlLmNvbSIsImF1ZCI6ImRvdmVjb3QiLCJleHAiOjE3NzMxNjY2ODl9.1sQ28eugLTirCGVbGyRYycibM24LH4ZopEGpWzc-Ml6Vs0mMrKUaZsdH5vSkzP-tWbrMooNUcDnQV3f-NW0G_Q_eKFUSfhoPR9WHDS-K4fk38hpkk4muO-4YCqVtQ6Crvg7O_VEB960VLnnTfezPwxUijyhPCjRjml0YLhZ4uxmY4zGtk2RKGEaTKmzNbhthEBNSLIOA5MCXwAqZC0pj0Aozf_2UBKSNyVPOnbT9v9ZlEUvpaHY3QoSI-S8BS-1fS4Ou9CYJG-fE1HWrX5bQTxChWINXdNnPBQ3zbo-ikXLjkWwm31NFs7K6aRtVIrrx1s2GO-unTSrCBO-H6c7deA
trying to authenticate (multiple aud)
passdb: test@example.com auth succeeded
extra fields: test@example.com
  token=eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoidGVzdEBleGFtcGxlLmNvbSIsImF1ZCI6WyJkb3ZlY290IiwiaHR0cHM6Ly9leGFtcGxlLmNvbSJdLCJleHAiOjE3NzMxNjY2ODl9.1fxxYUqxHU2NCg5iGXmYJ7Lu0yJ6A8O7-PwzQK2d0mlAPya0sLnQ_XmCYq-pMqSbtNLIz32CBL6_bGdW8OY6PfoMclm-fTrq1xPRILiBuiyMMj-9IJbo5M42RhMsNXwspNBTulrVJToFV2LC9MJYkj51WTcSVZfNUn7OvCqKQe8wSiy5WkeQ6skqDMkNzMdv56Q9wwr6aUQhT8meiVutt5EFbUa64GI-K8B2dxe8v-jXCuyrjtLSvp7tzjzZSOtMkSZg31knd1xUE27-JMGEqZ8lIAVHcvqD46C9RCcamnZvIVOvQjXj0NdbAvECzSub-PqTzvM1BqZDhjeTGiYu6Q

** Description changed:

[ Impact ]

 * Local OAuth2 authentication fails if the JWT aud claim is an array.
   From RFC7519:

   > In the general case, the "aud" value is an array of case-sensitive strings,
   > each containing a StringOrURI value. In the special case when the JWT has
   > one audience, the "aud" value MAY be a single case-sensitive string
   > containing a StringOrURI value.

 * Many IdPs (Keycloak, for example) can be configured to send "aud" as an
   array if the token is meant for multiple audiences.

 * The inability to parse array claims breaks compatibility with compliant
   IdPs.

[ Test Plan ]

 * On a fresh Ubuntu Noble LXC container, run the following script as root.

echo initial setup
apt update && apt install -y python3-jwt python3-cryptography openssl dovecot-core

echo key generation and dictionary setup
mkdir -p /etc/dovecot/keys/default/RS256/
openssl genrsa -out /etc/dovecot/keys/test.pem 2048
openssl rsa -in /etc/dovecot/keys/test.pem -pubout -out /etc/dovecot/keys/default/RS256/default
find /etc/dovecot/keys -type d -exec chmod 755 {} \;
chmod 644 /etc/dovecot/keys/default/RS256/default

echo writing minimal dovecot configuration:
cat << EOF > /etc/dovecot/dovecot.conf
auth_debug = yes
auth_debug_passwords = yes
auth_mechanisms = xoauth2 oauthbearer plain

passdb {
  driver = oauth2
  mechanisms = xoauth2 oauthbearer plain
  args = /etc/dovecot/dovecot-oauth2.conf.ext
}

userdb {
  driver = static
  args = uid=1000 gid=1000 home=/tmp/%u
}
EOF

cat << EOF > /etc/dovecot/dovecot-oauth2.conf.ext
introspection_mode = local
client_id = dovecot
local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/
username_attribute = sub
EOF

systemctl restart dovecot

echo generating test JWT
cat << EOF > gen-jwt.py
import jwt, time, os

aud = 'dovecot' if 'SINGLE' in os.environ else ['dovecot', 'https://example.com']

with open('/etc/dovecot/keys/test.pem', 'rb') as f:
    key = f.read()

payload = {
    'iss': 'https://example.com',
    'sub': 'test@example.com',
    'aud': aud,
    'exp': int(time.time()) + 3600,
}

print(jwt.encode(payload, key, algorithm='RS256'))
EOF

- echo trying to authenticate (single aud)
+ echo 'trying to authenticate (single aud)'
doveadm auth test test@example.com "$(SINGLE=1 python3 gen-jwt.py)"

- echo trying to authenticate (multiple aud)
+ echo 'trying to authenticate (multiple aud)'
doveadm auth test test@example.com "$(python3 gen-jwt.py)"

[ Where problems could occur ]

Problems with this change would manifest themselves in the oauth2 code,
which is the area touched by this fix, particularly with JWT tokens.
These could range from regressions (single aud tokens that were working
before now break), to new bugs in handling multiple auds. The test plan
covers both scenarios to try to mitigate this.

Other authentication mechanisms should remain unchanged.

[ Other Info ]

 * Fixed upstream in 2.4.0 and local JWT validation was introduced in
   2.3.11, so this could only possibly affect Jammy and Noble.

 * However, the "aud" field validation was only added in 63e0c9e, which
   is only present in 2.3.21.1.

 * When running the test plan above on a Jammy system, authentication
   works.

[ Original Bug Description ]

Description: Ubuntu 24.04.1 LTS
Release: 24.04
dovecot-core/noble-updates 1:2.3.21+dfsg1-2ubuntu6.1

On Ubuntu's Dovecot build, local OAuth2/JWT validation fails if the JWT
aud claim is a JSON array.

Dovecot logs:

  Local validation failed: client_id set but aud is missing

This happens even though aud is present (as an array):

  {
    "aud": ["dovecot", "https://checkin.thga.de"],
    ...
  }

Upstream Dovecot release-2.3.21 uses an array-aware accessor:

  get_field_multiple(tree, "aud")

Source: src/lib-oauth2/oauth2-jwt.c (release-2.3.21 branch)

But Ubuntu appears to be built from code corresponding to the 2.3.21 tag
where it uses:

  get_field(tree, "aud")

Source: src/lib-oauth2/oauth2-jwt.c (2.3.21 tag)

With get_field(), aud arrays are not handled, so aud is treated as
missing.

** Tags removed: verification-needed-noble
** Tags added: verification-done-noble

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2142200

Title:
  dovecot-core: OAuth2 JWT validation fails with client_id set but aud
  is missing when aud claim is an array

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dovecot/+bug/2142200/+subscriptions

-- 
ubuntu-bugs mailing list
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
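The following is an added example, not Dovecot's code and not part of the bug report. It models the local (introspection_mode = local) validation path described above in pure Python so that the two aud behaviours can be compared offline: aud_check_string_only() stands in for the 2.3.21-tag get_field() logic, which treats a non-string aud as absent, and aud_check_rfc7519() stands in for the get_field_multiple() logic, which accepts a single StringOrURI or an array of them with an exact, case-sensitive match against client_id. Assumptions: tokens are built and verified with HS256 via hmac (the test plan uses RS256 through PyJWT; the aud logic does not depend on the algorithm), the signing key DEMO_KEY is a constructed secret, and the error strings are modelled on the "client_id set but aud is missing" log line quoted in the report rather than copied from Dovecot's source.

```python
"""Model of Dovecot's local JWT aud check before and after the array fix.
Added example, not Dovecot's code. HS256 is used so it runs with only the
standard library; the report's test plan uses RS256 instead."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Tuple

# Constructed demo secret; a real deployment keys local validation from the
# IdP's public key as in the test plan (fs:posix dictionary of RS256 keys).
DEMO_KEY = b"demo-secret-for-example-only"

Result = Tuple[bool, str]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    # Compact JWS drops '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(payload: dict, key: bytes = DEMO_KEY) -> str:
    """Build a compact HS256 JWT (assumption: HS256, unlike the RS256 test plan)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def aud_check_string_only(claims: dict, client_id: str) -> Result:
    """Models the 2.3.21-tag behaviour (get_field): anything that is not a
    plain string, including a JSON array, is treated as a missing claim."""
    aud = claims.get("aud")
    if not isinstance(aud, str):
        return False, "client_id set but aud is missing"
    if aud != client_id:
        return False, "aud does not match client_id"
    return True, "ok"


def aud_check_rfc7519(claims: dict, client_id: str) -> Result:
    """Models the fixed behaviour (get_field_multiple): aud is a single
    StringOrURI or an array of them; any exact, case-sensitive match passes."""
    aud = claims.get("aud")
    if aud is None:
        return False, "client_id set but aud is missing"
    audiences = [aud] if isinstance(aud, str) else aud
    if not isinstance(audiences, list) or not all(isinstance(a, str) for a in audiences):
        return False, "aud must be a string or an array of strings"
    if client_id not in audiences:
        return False, "aud does not match client_id"
    return True, "ok"


def validate_local(token: str, client_id: str, aud_check: Callable[[dict, str], Result],
                   key: bytes = DEMO_KEY, now=None) -> Result:
    """Local validation order: parse, pin the algorithm, verify signature,
    check exp, then apply the configured aud check."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:  # wrong part count, bad base64url, or bad JSON
        return False, "malformed token"
    if header.get("alg") != "HS256":
        return False, "unsupported alg"
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "token expired"
    return aud_check(claims, client_id)


def demo() -> Dict[str, Dict[str, Result]]:
    """Run a single-aud and a multi-aud token through both checks, mirroring
    the two doveadm invocations in the test plan."""
    base = {"iss": "https://example.com", "sub": "test@example.com",
            "exp": int(time.time()) + 3600}
    tokens = {"single": make_jwt({**base, "aud": "dovecot"}),
              "multi": make_jwt({**base, "aud": ["dovecot", "https://example.com"]})}
    return {name: {"before": validate_local(tok, "dovecot", aud_check_string_only),
                   "after": validate_local(tok, "dovecot", aud_check_rfc7519)}
            for name, tok in tokens.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The multi-aud token is the case the SRU fixes: under aud_check_string_only it is rejected with the same "aud is missing" reason the reporter saw in the logs even though the claim is present, while under aud_check_rfc7519 it passes because "dovecot" is one of the listed audiences. The RFC 7519 check still refuses a token whose array does not contain the configured client_id, and keeps the comparison case-sensitive, which is what prevents a token minted for another service from being accepted just because aud became a list.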
