Open Authentication v2.0 database
=================================
Since v2.2.28. This database works with a oauth2 provider such as google or
facebook. You are recommended to use xoauth2 or oauthbearer <authentication
mechanisms> [Authentication.Mechanisms.txt] with this. The responses from
endpoints must be JSON objects.
Configuration
-------------
Common
------
In dovecot.conf put
---%<-------------------------------------------------------------------------
auth_mechanisms = $auth_mechanisms oauthbearer xoauth2
passdb {
driver = oauth2
mechanisms = xoauth2 oauthbearer
args = /etc/dovecot/dovecot-oauth2.conf.ext
}
---%<-------------------------------------------------------------------------
Backend
-------
Configuration file example for Google
[https://developers.google.com/identity/protocols/OAuth2]
---%<-------------------------------------------------------------------------
tokeninfo_url = https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=
introspection_url = https://www.googleapis.com/oauth2/v2/userinfo
#force_introspection = yes
username_attribute = email
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
---%<-------------------------------------------------------------------------
Configuration file example for WSO2 Identity Server
[http://wso2.com/identity-and-access-management]
---%<-------------------------------------------------------------------------
introspection_mode = post
introspection_url =
https://adminuser:adminpass@server.name:port/oauth2/introspect
username_attribute = username
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
active_attribute = active
active_value = true
---%<-------------------------------------------------------------------------
Proxy
-----
If you want to forward oauth2 authentication to your backend, you can use
various ways
Without proxy authentication
---%<-------------------------------------------------------------------------
passdb {
driver = static
args = nopasssword=y proxy=y proxy_mech=%m ...
}
---%<-------------------------------------------------------------------------
or with proxy authentication, put into dovecot-oauth2.conf.ext
---%<-------------------------------------------------------------------------
pass_attrs = proxy=y proxy_mech=%m
---%<-------------------------------------------------------------------------
Full config file
----------------
---%<-------------------------------------------------------------------------
### OAuth2 password database configuration
## url for verifying token validity. Token is appended to the URL
# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
## introspection endpoint, used to gather extra fields and other information.
# introspection_url = http://endpoint/oauth/me
## How introspection is made, valid values are
## auth = GET request with Bearer authentication
## get = GET request with token appended to URL
## post = POST request with token=bearer_token as content
# introspection_mode = auth
## Force introspection even if tokeninfo contains wanted fields
## Set this to yes if you are using active_attribute
# force_introspection = no
## wanted scope of validity (optional)
# scope = something
## username attribute in response (default: email)
# username_attribute = email
## username normalization format (default: %Lu)
# username_format = %Lu
## Attribute name for checking whether account is disabled (optional)
# active_attribute =
## Expected value in active_attribute (empty = require present, but anything
goes)
# active_value =
## Extra fields to set in passdb response (in passdb static style)
# pass_attrs =
## Timeout in milliseconds
# timeout_msecs = 0
## Enable debug logging
# debug = no
## Max parallel connections (how many simultaneous connections to open)
# max_parallel_connections = 1
## Max pipelined requests (how many requests to send per connection, requires
server-side support)
# max_pipelined_requests = 1
## HTTP request raw log directory
# rawlog_dir = /tmp/oauth2
## TLS settings
# tls_ca_cert_file = /path/to/ca-certificates.txt
# tls_ca_cert_dir = /path/to/certs/
# tls_cert_file = /path/to/client/cert
# tls_key_file = /path/to/client/key
# tls_cipher_suite = HIGH:!SSLv2
# tls_allow_invalid_cert = FALSE
---%<-------------------------------------------------------------------------
(This file was created from the wiki on 2017-05-11 04:42)
