Integration with Gluu OpenID

[sugar]

I have installed roundcube 1.5.0
and I want to integrate it with Gluu 3.1.6 by OpenID Connect.

I just configure OAuth in config.inc.php

Code: [Select]

$config['assets_path'] = '/';
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'MyIDService';
$config['oauth_client_id'] = '---myclientid---';
$config['oauth_client_secret'] = '---myclientsecret---';
$config['oauth_auth_uri'] = 'https://glu/oxauth/restv1/authorize';
$config['oauth_token_uri'] = 'https://glu/oxauth/restv1/token';
$config['oauth_identity_uri'] = 'https://glu/oxauth/restv1/userinfo';
$config['oauth_scope'] = 'openid email profile';
$config['oauth_verify_peer'] = true;
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = null;
$config['oauth_login_redirect'] = false;

but now, Gluu auth is successful but after I was returned to RoundCube login screen, and I can't get access to my mail.

Please help, I don't know where is roundcube logs.

[sugar]

Now I have an error 401 by request token 

RoundCube config.inc.php

Code: [Select]

$config['assets_path'] = '/';
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Gluu';
$config['oauth_client_id'] = '@!8533.87B8.9339.0918!0001!CD6C.0A70!0008!76CD.B7B6.CE69.854C';
$config['oauth_client_secret'] = 'supersecret';
$config['oauth_auth_uri'] = 'https://gluu.local/oxauth/restv1/authorize';
$config['oauth_token_uri'] = 'https://gluu.local/oxauth/restv1/token';
$config['oauth_identity_uri'] = 'https://gluu.local/oxauth/restv1/userinfo';
$config['oauth_scope'] = 'openid email profile';
$config['oauth_verify_peer'] = true;
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = null;
$config['oauth_login_redirect'] = false;
#$config['oauth_auth_parameters'] = ['access_type' => 'offline', 'prompt' => 'consent'];
#$config['redirect_uri'] = 'https://mymail.local';
OPENID CONNECT CLIENTS DETAILS

Code: [Select]

- **Name:** mymail.local
- **Client ID:** @!8533.87B8.9339.0918!0001!CD6C.0A70!0008!76CD.B7B6.CE69.854C
- **Subject Type:** pairwise
- **Expirattion date:** Mon Oct 27 00:00:00 UTC 2121
- **ClientSecret:** supersecret
- **Application Type:** web
- **Persist Client Authorizations:** true
- **Pre-Authorization:** false
- **Authentication method for the Token Endpoint:** client_secret_basic
- **Logout Session Required:** false
- **Include Claims In Id Token:** true
- **Disabled:** false
- **Login Redirect URIs:** [https://mymail.local/index.php/login/oauth]
- **Scopes:** [email, openid, profile, user_name]
- **Grant types:** [authorization_code]
- **Response types:** [code]


Code: [Select]

https://gluu.local/oxauth/restv1/token POST HTTP/1.1 code=556a3622-d441-4a52-ae54-2e9aced9d757&client_id=%40%218533.87B8.9339.0918%210001%2
1CD6C.0A70%210008%2176CD.B7B6.CE69.854C&client_secret=supersecret&redirect_uri=https%3A%2F%2Fmymail.local%2Findex.php%2Flogin%2Foauth&grant_type=authorization_code 401


Code: [Select]

{"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}

[alec]

- **Authentication method for the Token Endpoint:** client_secret_basic

This looks suspicious, what other options do you have there?

[sugar]

with client secret_post the same situation, 401

all options:

Code: [Select]

client_secret_basic
client_secret_post
client_secret_jwt
private_key_jwt
none

I add header to request in rcmail_oauth.php with authorization and now gluu error changed to

Code: [Select]

{"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}

[sugar]

now, I was got error here:

Code: [Select]

$rcmail->login($auth['username'], $auth['authorization'], $storage_host, true)this login failed

in logs roundcube imap.log I have errors

Code: [Select]

A0002 NO [ALERT] Unsupported authentication mechanism.

[alec]

Is your IMAP server configured with XOAUTH2 support? If not, this ain't gonna work. Enable imap_debug to see what's going on on the imap communication level.

[sugar]

round cube imap.log

Code: [Select]

[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] Connecting to ssl://mail.mymail.local:993...
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=XOAUTH2] Dovecot (Ubuntu) ready.
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] C: A0002 AUTHENTICATE ****** [110]
[28-Oct-2021 14:01:43 +0300]: <jqr59ao3> [3DA0] S: + some longlong secret code
[28-Oct-2021 14:01:43 +0300]: <jqr59ao3> [3DA0] C: ****** [-2]
[28-Oct-2021 14:01:45 +0300]: <jqr59ao3> [3DA0] S: A0002 NO [AUTHENTICATIONFAILED] Authentication failed.

dovecot.log

Code: [Select]

dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@mymail.local>, method=XOAUTH2, rip=192.168.5.4, lip=192.168.5.4, TLS, session=<2yQkEGjPdpBf2OiF>

Code: [Select]

mail dovecot: auth: Debug: auth client connected (pid=10631)
mail dovecot: auth: Debug: client in: AUTH#0111#011XOAUTH2#011service=imap#011secured#011session=LuJqy2jPtrBf2OiF#011lip=192.168.5.4#011rip=192.168.5.4#011lport=993#011rport=45238#011local_name=mail.mymail.local#011resp=dXNlcj1hLmVzZW5raW5AaW52b2x0YS5ydQFhdXRoPWJlYXJlciAzZjFhYmU4ZC1hZDFhLTRmODMtOTYyNy0wM2JjMDQ4MTdlZTEBAQ== (previous base64 data may contain sensitive data)
mail dovecot: auth: Debug: sql(admin@mymail.local,192.168.5.4,<LuJqy2jPtrBf2OiF>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='admin@mymail.local' AND mailbox."enableimapsecured"=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
mail dovecot: auth: sql(admin@mymail.local,192.168.5.4,<LuJqy2jPtrBf2OiF>): Password mismatch
mail dovecot: auth: Debug: sql(admin@mymail.local,192.168.5.4,<LuJqy2jPtrBf2OiF>): SSHA512(3f1abe8d-ad1a-4f83-9627-03bc04817ee1) != 'pfMG7ocjyKYmTuezDRs7iczG2dXYxGA7FWc8KxBVfvsrrNbYqu2BkwyxBErXbAQiJcI3hmiZ+Q5llAnbjLDWqeHaN0g='
mail dovecot: auth: Debug: client passdb out: CONT#0111#011eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIiwic2NvcGUiOiJtYWlsIn0=
mail dovecot: auth: Debug: client in: CONT#0111#011 (previous base64 data may contain sensitive data)

Code: [Select]

dovecot: auth: Debug: client passdb out: FAIL#0111#011user=admin@mymail.local
I add XOAUTH2 to mechanisms in dovecot.conf
I'm use dovecot 2.2.33.2 version

Code: [Select]

# Authentication mechanisms.
auth_mechanisms = PLAIN LOGIN XOAUTH2


[sugar]

my dovecot service working with sql

Code: [Select]

passdb sql {
    driver = sql
    args = /etc/dovecot/mysql-auth-default.conf.ext
}how I can use it together?! with oauth2

my old web-client worked perfectly with php-oauth2 library, but roundcube hard to integrate with oauth2...