Author Topic: Integration with Gluu OpenID  (Read 396 times)

Offline sugar

  • Newbie
  • *
  • Posts: 6
Integration with Gluu OpenID
« on: October 27, 2021, 06:40:56 AM »
I have installed roundcube 1.5.0
and I want to integrate it with Gluu 3.1.6 by OpenID Connect.

I just configure OAuth in config.inc.php
Code: [Select]
$config['assets_path'] = '/';
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'MyIDService';
$config['oauth_client_id'] = '---myclientid---';
$config['oauth_client_secret'] = '---myclientsecret---';
$config['oauth_auth_uri'] = 'https://glu/oxauth/restv1/authorize';
$config['oauth_token_uri'] = 'https://glu/oxauth/restv1/token';
$config['oauth_identity_uri'] = 'https://glu/oxauth/restv1/userinfo';
$config['oauth_scope'] = 'openid email profile';
$config['oauth_verify_peer'] = true;
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = null;
$config['oauth_login_redirect'] = false;

but now, Gluu auth is successful but after I was returned to RoundCube login screen, and I can't get access to my mail.

Please help, I don't know where is roundcube logs. :(

Offline sugar

  • Newbie
  • *
  • Posts: 6
Re: Integration with Gluu OpenID
« Reply #1 on: October 28, 2021, 04:14:00 AM »
Now I have an error 401 by request token  :(

RoundCube config.inc.php
Code: [Select]
$config['assets_path'] = '/';
$config['oauth_provider'] = 'generic';
$config['oauth_provider_name'] = 'Gluu';
$config['oauth_client_id'] = '@!8533.87B8.9339.0918!0001!CD6C.0A70!0008!76CD.B7B6.CE69.854C';
$config['oauth_client_secret'] = 'supersecret';
$config['oauth_auth_uri'] = 'https://gluu.local/oxauth/restv1/authorize';
$config['oauth_token_uri'] = 'https://gluu.local/oxauth/restv1/token';
$config['oauth_identity_uri'] = 'https://gluu.local/oxauth/restv1/userinfo';
$config['oauth_scope'] = 'openid email profile';
$config['oauth_verify_peer'] = true;
$config['oauth_auth_parameters'] = [];
$config['oauth_identity_fields'] = null;
$config['oauth_login_redirect'] = false;
#$config['oauth_auth_parameters'] = ['access_type' => 'offline', 'prompt' => 'consent'];
#$config['redirect_uri'] = 'https://mymail.local';
OPENID CONNECT CLIENTS DETAILS
Code: [Select]
- **Name:** mymail.local
- **Client ID:** @!8533.87B8.9339.0918!0001!CD6C.0A70!0008!76CD.B7B6.CE69.854C
- **Subject Type:** pairwise
- **Expirattion date:** Mon Oct 27 00:00:00 UTC 2121
- **ClientSecret:** supersecret
- **Application Type:** web
- **Persist Client Authorizations:** true
- **Pre-Authorization:** false
- **Authentication method for the Token Endpoint:** client_secret_basic
- **Logout Session Required:** false
- **Include Claims In Id Token:** true
- **Disabled:** false
- **Login Redirect URIs:** [https://mymail.local/index.php/login/oauth]
- **Scopes:** [email, openid, profile, user_name]
- **Grant types:** [authorization_code]
- **Response types:** [code]
Code: [Select]
https://gluu.local/oxauth/restv1/token POST HTTP/1.1 code=556a3622-d441-4a52-ae54-2e9aced9d757&client_id=%40%218533.87B8.9339.0918%210001%2
1CD6C.0A70%210008%2176CD.B7B6.CE69.854C&client_secret=supersecret&redirect_uri=https%3A%2F%2Fmymail.local%2Findex.php%2Flogin%2Foauth&grant_type=authorization_code 401
Code: [Select]
{"error":"invalid_client","error_description":"Client authentication failed (e.g. unknown client, no client authentication included, or unsupported authentication method). The authorization server MAY return an HTTP 401 (Unauthorized) status code to indicate which HTTP authentication schemes are supported. If the client attempted to authenticate via the Authorization request header field, the authorization server MUST respond with an HTTP 401 (Unauthorized) status code, and include the WWW-Authenticate response header field matching the authentication scheme used by the client."}

Offline alec

  • Hero Member
  • *****
  • Posts: 1,299
Re: Integration with Gluu OpenID
« Reply #2 on: October 28, 2021, 04:20:10 AM »
Quote
- **Authentication method for the Token Endpoint:** client_secret_basic
This looks suspicious, what other options do you have there?

Offline sugar

  • Newbie
  • *
  • Posts: 6
Re: Integration with Gluu OpenID
« Reply #3 on: October 28, 2021, 05:59:25 AM »
with client secret_post the same situation, 401

all options:
Code: [Select]
client_secret_basic
client_secret_post
client_secret_jwt
private_key_jwt
none

I add header to request in rcmail_oauth.php with authorization and now gluu error changed to
Code: [Select]
{"error":"invalid_grant","error_description":"The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."}
« Last Edit: October 28, 2021, 06:04:30 AM by sugar »

Offline sugar

  • Newbie
  • *
  • Posts: 6
Re: Integration with Gluu OpenID
« Reply #4 on: October 28, 2021, 06:17:55 AM »
now, I was got error here:
Code: [Select]
$rcmail->login($auth['username'], $auth['authorization'], $storage_host, true)this login failed :(

in logs roundcube imap.log I have errors
Code: [Select]
A0002 NO [ALERT] Unsupported authentication mechanism.

Offline alec

  • Hero Member
  • *****
  • Posts: 1,299
Re: Integration with Gluu OpenID
« Reply #5 on: October 28, 2021, 06:39:52 AM »
Is your IMAP server configured with XOAUTH2 support? If not, this ain't gonna work. Enable imap_debug to see what's going on on the imap communication level.

Offline sugar

  • Newbie
  • *
  • Posts: 6
Re: Integration with Gluu OpenID
« Reply #6 on: October 28, 2021, 07:03:08 AM »
round cube imap.log
Code: [Select]
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] Connecting to ssl://mail.mymail.local:993...
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] S: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN AUTH=XOAUTH2] Dovecot (Ubuntu) ready.
[28-Oct-2021 14:01:39 +0300]: <jqr59ao3> [3DA0] C: A0002 AUTHENTICATE ****** [110]
[28-Oct-2021 14:01:43 +0300]: <jqr59ao3> [3DA0] S: + some longlong secret code
[28-Oct-2021 14:01:43 +0300]: <jqr59ao3> [3DA0] C: ****** [-2]
[28-Oct-2021 14:01:45 +0300]: <jqr59ao3> [3DA0] S: A0002 NO [AUTHENTICATIONFAILED] Authentication failed.

dovecot.log

Code: [Select]
dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<admin@mymail.local>, method=XOAUTH2, rip=192.168.5.4, lip=192.168.5.4, TLS, session=<2yQkEGjPdpBf2OiF>
Code: [Select]
mail dovecot: auth: Debug: auth client connected (pid=10631)
mail dovecot: auth: Debug: client in: AUTH#0111#011XOAUTH2#011service=imap#011secured#011session=LuJqy2jPtrBf2OiF#011lip=192.168.5.4#011rip=192.168.5.4#011lport=993#011rport=45238#011local_name=mail.mymail.local#011resp=dXNlcj1hLmVzZW5raW5AaW52b2x0YS5ydQFhdXRoPWJlYXJlciAzZjFhYmU4ZC1hZDFhLTRmODMtOTYyNy0wM2JjMDQ4MTdlZTEBAQ== (previous base64 data may contain sensitive data)
mail dovecot: auth: Debug: sql(admin@mymail.local,192.168.5.4,<LuJqy2jPtrBf2OiF>): query: SELECT mailbox.password, mailbox.allow_nets FROM mailbox,domain WHERE mailbox.username='admin@mymail.local' AND mailbox."enableimapsecured"=1 AND mailbox.active=1 AND mailbox.domain=domain.domain AND domain.backupmx=0 AND domain.active=1
mail dovecot: auth: sql(admin@mymail.local,192.168.5.4,<LuJqy2jPtrBf2OiF>): Password mismatch
mail dovecot: auth: Debug: sql(admin@mymail.local,192.168.5.4,<LuJqy2jPtrBf2OiF>): SSHA512(3f1abe8d-ad1a-4f83-9627-03bc04817ee1) != 'pfMG7ocjyKYmTuezDRs7iczG2dXYxGA7FWc8KxBVfvsrrNbYqu2BkwyxBErXbAQiJcI3hmiZ+Q5llAnbjLDWqeHaN0g='
mail dovecot: auth: Debug: client passdb out: CONT#0111#011eyJzdGF0dXMiOiI0MDEiLCJzY2hlbWVzIjoiYmVhcmVyIiwic2NvcGUiOiJtYWlsIn0=
mail dovecot: auth: Debug: client in: CONT#0111#011 (previous base64 data may contain sensitive data)
Code: [Select]
dovecot: auth: Debug: client passdb out: FAIL#0111#011user=admin@mymail.local
I add XOAUTH2 to mechanisms in dovecot.conf
I'm use dovecot 2.2.33.2 version
Code: [Select]
# Authentication mechanisms.
auth_mechanisms = PLAIN LOGIN XOAUTH2
« Last Edit: October 28, 2021, 08:28:41 AM by sugar »

Offline sugar

  • Newbie
  • *
  • Posts: 6
Re: Integration with Gluu OpenID
« Reply #7 on: October 28, 2021, 09:24:57 AM »
my dovecot service working with sql
Code: [Select]
passdb sql {
    driver = sql
    args = /etc/dovecot/mysql-auth-default.conf.ext
}
how I can use it together?! with oauth2 :(

my old web-client worked perfectly with php-oauth2 library, but roundcube hard to integrate with oauth2...