Test XOAUTH2 using Dovecot and Keycloak
By setting up Dovecot to use OAuth2 authentication via Keycloak, we can use Perl to send emails to Dovecot's SMTP submission service which is secured using XOAUTH2 backed by Keycloak as the OAuth2 identity provider.
This provides a (relatively) simple way of testing XOAUTH2 email authentication without needing a properly configured Google or Microsoft account.
Test plan: 0. Apply the patch
- ktd --sso --dovecot up
- Setup Keycloak as per the instructions at https://wiki.koha-community.org/w/index.php?title=Testing_SSO
- Go to "kohaoidc" client, click "Credentials" tab, and show the "Client Secret". Make note of this value.
- Run the following:
perl /kohadevbox/test_xoauth2_email.pl --to awesome@awesome.com
--client_id kohaoidc --client_secret <client_secret>
--username service-account-kohaoidc
--idp http://sso:8082/auth/realms/test/protocol/openid-connect/token - If you get a "500 5.5.2 Line too long" message, you'll need to do some of the following in Keycloak (due to a protocol bug in Net::SMTP):
- Click "Realm settings", click "Tokens" tab, change "Default Signature Algorithm" from "RS256" to "ES256", click "Save"
- Go to "Client", choose "kohaoidc", click "Service account roles" tab, click "default-roles-test" and click "Unassign". Then go to "Client scopes" tab for the "kohaoidc" client, change "Default" to "Optional" for all the scopes with "Default" Assigned type.
- Try running the test_xoauth2_email.pl command again
- Note that it should now say "235 2.7.0 Logged in"
References: https://github.com/minusdavid/simple-sasl-xoauth2/wiki#dovecot-smtp-submission-service-using-xoauth2