summaryrefslogtreecommitdiffstats
path: root/doc/wiki/PasswordDatabase.oauth2.txt
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-28 09:51:24 +0000
commitf7548d6d28c313cf80e6f3ef89aed16a19815df1 (patch)
treea3f6f2a3f247293bee59ecd28e8cd8ceb6ca064a /doc/wiki/PasswordDatabase.oauth2.txt
parentInitial commit. (diff)
downloaddovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.tar.xz
dovecot-f7548d6d28c313cf80e6f3ef89aed16a19815df1.zip
Adding upstream version 1:2.3.19.1+dfsg1.upstream/1%2.3.19.1+dfsg1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'doc/wiki/PasswordDatabase.oauth2.txt')
-rw-r--r--doc/wiki/PasswordDatabase.oauth2.txt192
1 files changed, 192 insertions, 0 deletions
diff --git a/doc/wiki/PasswordDatabase.oauth2.txt b/doc/wiki/PasswordDatabase.oauth2.txt
new file mode 100644
index 0000000..5928cf5
--- /dev/null
+++ b/doc/wiki/PasswordDatabase.oauth2.txt
@@ -0,0 +1,192 @@
+Open Authentication v2.0 database
+=================================
+
+Since v2.2.28. This database works with a oauth2 provider such as google or
+facebook. You are recommended to use xoauth2 or oauthbearer <authentication
+mechanisms> [Authentication.Mechanisms.txt] with this. The responses from
+endpoints must be JSON objects.
+
+Configuration
+-------------
+
+Common
+------
+
+In dovecot.conf put
+
+---%<-------------------------------------------------------------------------
+auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
+
+passdb {
+ driver = oauth2
+ mechanisms = xoauth2 oauthbearer
+ args = /etc/dovecot/dovecot-oauth2.conf.ext
+}
+---%<-------------------------------------------------------------------------
+
+Backend
+-------
+
+Configuration file example for Google
+[https://developers.google.com/identity/protocols/OAuth2]
+
+---%<-------------------------------------------------------------------------
+tokeninfo_url = https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
+introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
+#force_introspection = yes
+username_attribute = email
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+---%<-------------------------------------------------------------------------
+
+Configuration file example for WSO2 Identity Server
+[http://wso2.com/identity-and-access-management]
+
+---%<-------------------------------------------------------------------------
+introspection_mode = post
+introspection_url =
+https://adminuser:adminpass@server.name:port/oauth2/introspect
+username_attribute = username
+tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
+active_attribute = active
+active_value = true
+---%<-------------------------------------------------------------------------
+
+Proxy
+-----
+
+If you want to forward oauth2 authentication to your backend, you can use
+various ways
+
+Without proxy authentication
+
+---%<-------------------------------------------------------------------------
+passdb {
+ driver = static
+ args = nopasssword=y proxy=y proxy_mech=%m ...
+}
+---%<-------------------------------------------------------------------------
+
+or with proxy authentication, put into dovecot-oauth2.conf.ext
+
+---%<-------------------------------------------------------------------------
+pass_attrs = proxy=y proxy_mech=%m
+---%<-------------------------------------------------------------------------
+
+Proxy with password grant (since v2.3.6)
+----------------------------------------
+
+If you want to configure proxy to get token and pass it to backend
+
+passdb settings
+
+---%<-------------------------------------------------------------------------
+passdb {
+ driver = oauth2
+ mechanisms = oauthbearer xoauth2
+ args = /usr/local/etc/dovecot/dovecot-oauth2.token.conf.ext
+}
+
+passdb {
+ driver = oauth2
+ mechanisms = plain login
+ args = /usr/local/etc/dovecot/dovecot-oauth2.plain.conf.ext
+}
+---%<-------------------------------------------------------------------------
+
+put into dovecot-oauth2.token.conf.ext
+
+---%<-------------------------------------------------------------------------
+grant_url = http://localhost:8000/token
+client_id = verySecretClientId
+client_secret = verySecretSecret
+tokeninfo_url = http://localhost:8000/oauth2?oauth=
+introspection_url = http://localhost:8000/introspect
+introspection_mode = post
+use_grant_password = no
+debug = yes
+username_attribute = username
+pass_attrs = pass=%{oauth2:access_token}
+---%<-------------------------------------------------------------------------
+
+put into dovecot-oauth2.plain.conf.ext
+
+---%<-------------------------------------------------------------------------
+grant_url = http://localhost:8000/token
+client_id = verySecretClientId
+client_secret = verySecretSecret
+introspection_url = http://localhost:8000/introspect
+introspection_mode = post
+use_grant_password = yes
+debug = yes
+username_attribute = username
+pass_attrs = host=127.0.0.1 proxy=y proxy_mech=xoauth2
+pass=%{oauth2:access_token}
+---%<-------------------------------------------------------------------------
+
+Full config file
+----------------
+
+---%<-------------------------------------------------------------------------
+### OAuth2 password database configuration
+
+## url for verifying token validity. Token is appended to the URL
+# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
+
+## introspection endpoint, used to gather extra fields and other information.
+# introspection_url = http://endpoint/oauth/me
+
+## How introspection is made, valid values are
+## auth = GET request with Bearer authentication
+## get = GET request with token appended to URL
+## post = POST request with token=bearer_token as content
+# introspection_mode = auth
+
+## Force introspection even if tokeninfo contains wanted fields
+## Set this to yes if you are using active_attribute
+# force_introspection = no
+
+## wanted scope of validity (optional)
+# scope = something
+
+## username attribute in response (default: email)
+# username_attribute = email
+
+## username normalization format (default: %Lu)
+# username_format = %Lu
+
+## Attribute name for checking whether account is disabled (optional)
+# active_attribute =
+
+## Expected value in active_attribute (empty = require present, but anything
+goes)
+# active_value =
+
+## Extra fields to set in passdb response (in passdb static style)
+# pass_attrs =
+
+## Timeout in milliseconds
+# timeout_msecs = 0
+
+## Enable debug logging
+# debug = no
+
+## Max parallel connections (how many simultaneous connections to open)
+# max_parallel_connections = 1
+
+## Max pipelined requests (how many requests to send per connection, requires
+server-side support)
+# max_pipelined_requests = 1
+
+## HTTP request raw log directory
+# rawlog_dir = /tmp/oauth2
+
+## TLS settings
+# tls_ca_cert_file = /path/to/ca-certificates.txt
+# tls_ca_cert_dir = /path/to/certs/
+# tls_cert_file = /path/to/client/cert
+# tls_key_file = /path/to/client/key
+# tls_cipher_suite = HIGH:!SSLv2
+# tls_allow_invalid_cert = FALSE
+---%<-------------------------------------------------------------------------
+
+(This file was created from the wiki on 2019-06-19 12:42)