How to get email in Bearer JWT token

[hippie131]

This app is awesome! I got it working with auth mode for dovecot but I'd really like to use local mode instead.

When I use local mode, I get this error in dovecot:

Local validation failed: No username returned

I have my dovecot server setup so it can handle more then one domain so I use full email addresses as the usernames for dovecot. When I setup oidc, the email field isn't in the JWT bearer token which causes dovecot to fail with that error. I am requesting the email scope (actually I have it set to openid profile email offline_access in my email client app) and I've also tried adding a custom claim to return email but that doesn't seem to have any influence on the generated bearer JWT token. The only usable field in it is "sub" but that's just the nextcloud username, not the full email address.

Is there a way to add more fields included in the generated JWT bearer token at all?

[H2CK]

Sorry, but I do not understand what you mean with "local mode".
The claim email is contained in the JWT if you request the scope email and if the oidc app can retrieve the email addresses from Nextcloud. I just verified this on my side with the latest version.
Are there any email addresses shown on the user profile page within Nextcloud? From what you describe I would assume that the email addresses are not correctly stored in Nextcloud. (if the Nextcloud UserManager returns null on getEMailAddress() the claim (even a custom_claim) will not be created)
Could you provide debug logs from the oidc app when requesting the JWT token?

[hippie131]

Oh sorry by local mode I mean the dovecot introspection_mode setting. For that you can use local, auth, post or get.

Local from what I understand is basically just using the JWT bearer token and validating against the public key from the OIDC app locally without reaching back out again to the IDP provider.

I think the email addresses are stored correctly in Nextcloud because if it wasn't, auth mode would never work with the userinfo endpoint (in dovecot I have "username_attribute = email" set and it works with auth mode).

[hippie131]

I just tested it manually with curl using the Bearer token generated from an auth attempt and when I query the userinfo endpoint I get both email and my custom claim correctly.

The problem is when I decode the bearer token with 'echo -n "$TokenGoesHere" | cut -d '.' -f2 | base64 -d | jq' there is no email or custom claim there. Just iss, sub, aud, exp, auth_time, iat, acr, client_id, scope and jti

[H2CK]

I currently would guess that you are using and decoding the access token instead of the id token. At least what you describe could match to the difference between the JWT based access token and the id token. Please ensure to use the id token when accessing the claims. The id token is identical to the userinfo endpoint. The JWT based access token (RFC 9068) does not contain the claims specified by the scopes.

If you find "typ": "at+JWT" in the decoded header you can be sure to have an access token in front of you.

[hippie131]

Ah so then i would need to alter my client not dovecot to get it to pass that other token to dovecot? I have that setup like this for the provider settings:

"oauth_provider": {
"issuer": "nextcloud.fakedomain.local",
"clientId": "REDACTED",
"clientSecret": "REDACTED",
"authorizationEndpoint": "https://nextcloud.fakedomain.local/apps/oidc/authorize",
"tokenEndpoint": "https://nextcloud.fakedomain.local/apps/oidc/token",
"redirectionEndpoint": "https://localhost",
"usePKCE": false,
"hostnames": ["fakedomain.local"],
"scopes": "openid profile email offline_access"
}

What would I have to change to get it to pass the right token to Dovecot for local mode introspection to work?

[hippie131]

Just in case it helps, this is my local mode setup in dovecot (dovecot-oauth2.conf.ext):

introspection_mode = local

issuers = https://nextcloud.fakedomain.local
scope = email

local_validation_key_dict = fs:posix:prefix=/etc/dovecot/keys/

username_attribute = email

client_id = REDACTED
client_secret = REDACTED

the key I saved manually in /etc/dovecot/keys/default/RS256/$IDNumberInPEMFormat which seems to work

[H2CK]

I know had a look into the Dovecot documentation how the local mode is working. Dovecot is not using OpenID Connect at all. It just relys on the OAuth2. As the documentation states the local mode only work if access tokens are provided as JWT. This is something the OIDC app can do. But until now further additional identity attributes are not added to the OAuth2 access token and are only available in the OpenID Connect id token.
In one of the next releases I will add those additional identity attributes depending on the scope also to the access token.
In the meantime you should be able to use the introspection mode.

[hippie131]

That would be amazing! Thank you.

[H2CK]

Please test Dovecot local mode with version 1.17.0. The email claim is now also contained in the JWT access token, if the scope email is requested.

[hippie131]

Yes, local mode now works with dovecot. Thank you very much for this change.

This update also seems to have changed the behaviour of the expected local key storage in dovecot so I had to move the locally stored keys from /etc/dovecot/keys/default/RS256/$IDNumberInPEMFormat to /etc/dovecot/keys/$ClientIDGoesHere/RS256/$IDNumberInPEMFormat. This is totally ok of course, just something I noticed so I thought I should include it.