Open Authentication v2.0 database
=================================
Since v2.2.28. This database works with an OAuth2 provider such as Google or
Facebook. It is recommended to use the xoauth2 or oauthbearer <authentication
mechanisms> [Authentication.Mechanisms.txt] with it. The responses from the
endpoints must be JSON objects.
Configuration
-------------
Common
------
In dovecot.conf, put:
---%<-------------------------------------------------------------------------
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}
---%<-------------------------------------------------------------------------
Backend
-------
Configuration file example for Google
[https://developers.google.com/identity/protocols/OAuth2]
---%<-------------------------------------------------------------------------
tokeninfo_url = https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
#force_introspection = yes
username_attribute = email
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
---%<-------------------------------------------------------------------------
Configuration file example for WSO2 Identity Server
[http://wso2.com/identity-and-access-management]. Note that in this example the
introspection URL carries the credentials for the introspection endpoint, so the
configuration file itself must be protected from other local users.
---%<-------------------------------------------------------------------------
introspection_mode = post
introspection_url = https://adminuser:adminpass@server.name:port/oauth2/introspect
username_attribute = username
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
---%<-------------------------------------------------------------------------
Proxy
-----
If you want to forward OAuth2 authentication to your backend, there are several
ways to do this.
Without proxy authentication:
---%<-------------------------------------------------------------------------
passdb {
driver = static
args = nopassword=y proxy=y proxy_mech=%m ...
}
---%<-------------------------------------------------------------------------
or, with proxy authentication, put the following into dovecot-oauth2.conf.ext:
---%<-------------------------------------------------------------------------
pass_attrs = proxy=y proxy_mech=%m
---%<-------------------------------------------------------------------------
Proxy with password grant (since v2.3.6)
----------------------------------------
If you want to configure the proxy to obtain a token and pass it to the backend,
use these passdb settings:
---%<-------------------------------------------------------------------------
passdb {
driver = oauth2
mechanisms = oauthbearer xoauth2
args = /usr/local/etc/dovecot/dovecot-oauth2.token.conf.ext
}
passdb {
driver = oauth2
mechanisms = plain login
args = /usr/local/etc/dovecot/dovecot-oauth2.plain.conf.ext
}
---%<-------------------------------------------------------------------------
Put the following into dovecot-oauth2.token.conf.ext:
---%<-------------------------------------------------------------------------
grant_url = http://localhost:8000/token
client_id = verySecretClientId
client_secret = verySecretSecret
tokeninfo_url = http://localhost:8000/oauth2?oauth=
introspection_url = http://localhost:8000/introspect
introspection_mode = post
use_grant_password = no
debug = yes
username_attribute = username
pass_attrs = pass=%{oauth2:access_token}
---%<-------------------------------------------------------------------------
Put the following into dovecot-oauth2.plain.conf.ext:
---%<-------------------------------------------------------------------------
grant_url = http://localhost:8000/token
client_id = verySecretClientId
client_secret = verySecretSecret
introspection_url = http://localhost:8000/introspect
introspection_mode = post
use_grant_password = yes
debug = yes
username_attribute = username
pass_attrs = host=127.0.0.1 proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---%<-------------------------------------------------------------------------
Full config file
----------------
---%<-------------------------------------------------------------------------
### OAuth2 password database configuration
## URL for verifying token validity. The token is appended to the URL
# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
## introspection endpoint, used to gather extra fields and other information.
# introspection_url = http://endpoint/oauth/me
## How introspection is made, valid values are
## auth = GET request with Bearer authentication
## get = GET request with token appended to URL
## post = POST request with token=bearer_token as content
# introspection_mode = auth
## Force introspection even if tokeninfo contains wanted fields
## Set this to yes if you are using active_attribute
# force_introspection = no
## wanted scope of validity (optional)
# scope = something
## username attribute in response (default: email)
# username_attribute = email
## username normalization format (default: %Lu)
# username_format = %Lu
## Attribute name for checking whether account is disabled (optional)
# active_attribute =
## Expected value in active_attribute (empty = require present, but anything goes)
# active_value =
## Extra fields to set in passdb response (in passdb static style)
# pass_attrs =
## Timeout in milliseconds
# timeout_msecs = 0
## Enable debug logging
# debug = no
## Max parallel connections (how many simultaneous connections to open)
# max_parallel_connections = 1
## Max pipelined requests (how many requests to send per connection, requires server-side support)
# max_pipelined_requests = 1
## HTTP request raw log directory
# rawlog_dir = /tmp/oauth2
## TLS settings. tls_allow_invalid_cert = TRUE disables certificate verification
## for the token endpoints, so leave it FALSE outside of testing.
# tls_ca_cert_file = /path/to/ca-certificates.txt
# tls_ca_cert_dir = /path/to/certs/
# tls_cert_file = /path/to/client/cert
# tls_key_file = /path/to/client/key
# tls_cipher_suite = HIGH:!SSLv2
# tls_allow_invalid_cert = FALSE
---%<-------------------------------------------------------------------------
(This file was created from the wiki on 2019-06-19 12:42)