Intermittent OAuth Gmail IMAP authentication failure - no response from server - oauth-2.0

I have a java client using javamail and google example code to connect to gmail IMAP server using a client secret and OAuth token. The issue is that about 1/3 of the time, the com.sun.mail.imap.IMAPStore.protocolConnect call fails with an AuthenticationFailedException: Invalid Credentials (Failure) exception.
In the log there are the following lines for each failure:
DEBUG IMAPS: SASL client XOAUTH2
DEBUG IMAPS: SASL callback length: 1
DEBUG IMAPS: SASL callback 0: javax.security.auth.callback.NameCallback#12cdcf4
DEBUG IMAPS: SASL no response
2023-01-04 08:45:55 WARN ImapStoreFactory.getImapStore.140 - Failed to authenticate to 74.125.142.108 after 5 attempts.
(I have a retry loop that backs off after each try up to 5 tries to see if that would help.)
The (partial) stack trace is:
javax.mail.AuthenticationFailedException: Authentication failed to 74.125.142.108 after 5 attempts.
at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:732)
at javax.mail.Service.connect(Service.java:366)
at com.google.code.samples.oauth2.OAuth2Authenticator.connectToImap(OAuth2Authenticator.java:91)
The issue is the SASL no response from the server.
This same code, with the same credentials, works all the other times on the first connection attempt, including to the same IP address, both before and after the failed attempts.
imap.gmail.com resolves to (at least?) 24 different IP addresses that I have seen, and they are all open and accessible from the client machine.
I have tried connecting to a known IP address directly (as opposed to connecting to imap.gmail.com) but then I get a HTTPS certificate failure.
Any ideas as to why this is happening, or how to mitigate or work around would be appreciated.
Thanks!
Linus

Related

How to use unixODBC SSO connection to Snowflake with Rails using externalbrowser authentication?

I have setup a Rails 7.0.4 application to work on a Snowflake database using ruby-odbc and sequel with sequel-snowflake connector. We use SSO for logging in into Snowflake. In the DSN configuration the authentication method is therefore set to "externalbrowser". Frontend is actually handled in React, so also rack-cors is being used. It works fine on Windows, but I have to finally run it on Linux (AlmaLinux 9).
Here I decided to use unixODBC. I set up the DSN and connection works fine using isql (browser window opens, redirects to localhost with SAML token, tells me authentication is good and I can close the window). SQL commands work all fine in the isql shell. Unfortunately, when starting my rails application it fails at the redirect to localhost with This site can't be reached / localhost refused to connect.
I tried many different things, I found on the web (some of them non-sensical):
Tried different browsers (Firefox, Chrome, Brave (same engine as Chrome))
Added URLs to origins line in cors.rb
Turned of HSTS in browsers
Set config.force_ssl in application.rb to false
Used Passenger instead of Puma
Nothing made it work. Comparing the isql the trace messages of isql (which works), with Rails all is completely fine until the browser authentication starts. While isql is all fine, the Rails application shows the following errors:
2023-01-31T13:12:17Z.699 [thread-7067] Info Connection #0 to host xxxxx.west-europe.azure.snowflakecomputing.com left intact.
2023-01-31T13:12:17.699 INFO 7067 sf::RestRequest::httpPerform: http request headers: Content-Type: application/json
Accept: application/json
2023-01-31T13:12:17.699 TRACE 7067 sf::CurDesc::reset: cleanup 0
2023-01-31T13:12:17.699 TRACE 7067 sf::CurDesc::reset: curl_easy_reset 0x42b2d50
2023-01-31T13:12:17.699 TRACE 7067 sf::CurlDescPool::freeCurlDesc: Free curl descriptor 0x42b1bf0(curl=0x42b2d50) back to subpool 0x428de20
2023-01-31T13:12:17.699 TRACE 7067 sf::RestRequest::~RestRequestState: Freed descriptor to pool
2023-01-31T13:12:17.699 DEBUG 7067 sf::AuthenticatorExternalBrowser::getSSOUrl: SSO URL: https://login.microsoftonline.com/52d....7e/saml2?SAMLRequest=nZJB....%2FkL&RelayState=58393
Initiating login request with your identity provider. A browser window should have opened for you to complete the login. If you can't see it, check existing browser windows, or your OS settings. Press CTRL+C to abort and try again...
2023-01-31T13:12:17.822 ERROR 7067 sf::AuthWebServer::startAccept: Failed to receive SAML token. Could not accept a request. err: Interrupted system call
2023-01-31T13:12:17.822 TRACE 7067 Simba::Snowflake::SFConnection::connect: Simba::Support::ErrorExceptionUnformatted ErrorException: {MessageKey="SFAuthWebBrowserFailed" ComponentID=102' RowNumber=UNKNOWN ColumnNumber=UNKNOWN DiagState=63 MessageParameters=["Permission denied"]}
2023-01-31T13:12:17.823 TRACE 7067 Simba::Snowflake::SFConnection::SetProperty: Setting property (167) with type 2
/home/mwinter/.rvm/gems/ruby-3.1.2/gems/sequel-5.64.0/lib/sequel/adapters/odbc.rb:17:in `drvconnect': ODBC::Error: S1000 (38) [Snowflake][Snowflake] (38) (Sequel::DatabaseConnectionError)
Failed to authenticate a user by external browser: Permission denied.
Is there a way to get Rails to connect to the database using unixODBC the same way isql does?

keycloak authz client - SocketException: Connection reset

15 minutes after login, when trying again to do authorization using keycloack-authz-client, I am receiving an exception: Caused by: java.net.SocketException: Connection reset.
Maybe some settings need to update from keycloak admin console or maybe from the Java configuration, I could not find any solution.
Has anyone encountered such problems?
I am trying to do authorization and expect to receive access and refresh tokens.

KeyCloak: Connection has been refused by the server. Connection timed out

Occasionally I receive a connection timeout when calling the /userinfo endpoint of my KeyCloak-Server.
So far, I have no indication what's wrong and what causes the timeouts. There are no errors in the server.log I configured. Also, I cannot reproduce the issue, I just see the errors in the logs of the application trying to authenticate with keycloak.
Is there some sort of connection limit that my keycloak might use?
List item
What additional logs can I activate to narrow down the problem?
I am currently on version 17.0.1
Try running keycloak in debug mode kc.sh start --log-level=debug If the /userinfo call reached the keycloak then there will be a debug log for that, you can match the time when error occurred to the keycloak log.
Do you have any other components in between your application and keycloak such as proxy, a DNS server etc ? You would need to check their logs as well.
Also check out this document regarding rest api in keycloak -> https://github.com/keycloak/keycloak-community/blob/main/design/rest-api-guideline.md#rate-lmiting

How can I make FreeIPA & FreeRadius work with PEAP authentication

I want to force our office users to enter their LDAP credentials when connecting to the WiFi in our office. So I installed FreeRadius as instructed at:
Using FreeIPA and FreeRadius .
Using radtest, I can successfully authenticate against our FreeIPA server using PAP. Moving on I configured a WiFi connection on my Windows 10 laptop to use EAP-TTLS as the authentication method along with selecting PAP as the non-EAP method. Again I can successfully authenticate against our FreeIPA server when connecting to the WiFi AP. But I realize that is not safe since passwords are sent as clear-text.
So next I configured a WiFi connection on my Windows 10 laptop to use PEAP as the authentication method with EAP method of EAP-MSCHAP v2. But now authentication fails. An excerpt from the FreeRadius debug log shows:
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create NT-Password
(8) mschap: WARNING: No Cleartext-Password configured. Cannot create LM-Password
(8) mschap: Creating challenge hash with username: test55
(8) mschap: Client is using MS-CHAPv2
(8) mschap: ERROR: FAILED: No NT/LM-Password. Cannot perform authentication
(8) mschap: ERROR: MS-CHAP2-Response is incorrect
I’m struggling to figure out a solution. I have found various configurations of eap, mschap & ldap files online but so far I have not solved my issue.
I’m not sure if I’m asking the right question but is the password hash sent by the Windows client incompatible with the password hash used by FreeIPA?
It turns out mschapv2 is a challenge response protocol, and that does not work with an LDAP bind in the basic configuration of FreeRadius.
However I did find a solution where FreeRadius looks up a user by their LDAP DN, then reads (not bind) the NTHash of the user. From there, FreeRADIUS is able to process the challenge response.
First permissions have to be given to service accounts:
https://fy.blackhats.net.au/blog/html/2015/07/06/FreeIPA:_Giving_permissions_to_service_accounts..html
After performing these steps users will need to change their password in order to generate an ipaNTHash.
Then configure FreeRadius to use mschapv2 with FreeIPA:
https://fy.blackhats.net.au/blog/html/2016/01/13/FreeRADIUS:_Using_mschapv2_with_freeipa.html
After completing all the steps described in both links, this radtest cli command should return an Access-Accept response.
radtest -t mschap <ldap-user-uid> <ldap-user-password> 127.0.0.1:1812 0 <FreeRadius-secret>

Oauth2 gmail SMTP Authentication Error with phpmailer

It's really a night mare. I don't know why I'm getting this for last 24 hours. Any help much appreciated please.
SERVER -> CLIENT: 220 smtp.gmail.com ESMTP w23sm28778307wmd.1 - gsmtp
CLIENT -> SERVER: EHLO cslexicon.tk
SERVER -> CLIENT: 250-smtp.gmail.com at your service, [31.170.164.33]250-SIZE 35882577250-8BITMIME250-STARTTLS250-ENHANCEDSTATUSCODES250-PIPELINING250-CHUNKING250 SMTPUTF8
CLIENT -> SERVER: STARTTLS
SERVER -> CLIENT: 220 2.0.0 Ready to start TLS
CLIENT -> SERVER: EHLO cslexicon.tk
SERVER -> CLIENT: 250-smtp.gmail.com at your service, [31.170.164.33]250-SIZE 35882577250-8BITMIME250-AUTH LOGIN PLAIN XOAUTH2 PLAIN-CLIENTTOKEN OAUTHBEARER XOAUTH250-ENHANCEDSTATUSCODES250-PIPELINING250-CHUNKING250 SMTPUTF8
CLIENT -> SERVER: AUTH XOAUTH2 dXNlcj1zc3Nzc2F0aHlhYTY3QGdtYWlsLmNvbQFhdXRoPUJlYXJlciB5YTI5LmFRS2E2OC1qUmZsenhhYnE1YmkxNWlYcUtOa1VmTjdJZ3NBT2dLYU1uekhpR2I0NVV4dm9GNWozcDZoZGp3LXZtTjEyVEEBAQ==
SERVER -> CLIENT: 334 eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ==
SMTP ERROR: AUTH command failed: 334 eyJzdGF0dXMiOiI0MDAiLCJzY2hlbWVzIjoiQmVhcmVyIiwic2NvcGUiOiJodHRwczovL21haWwuZ29vZ2xlLmNvbS8ifQ==
SMTP Error: Could not authenticate.
CLIENT -> SERVER: QUIT
SERVER -> CLIENT: 535-5.7.8 Username and Password not accepted. Learn more at535 5.7.8 https://support.google.com/mail/answer/14257 w23sm28778307wmd.1 - gsmtp
SMTP ERROR: QUIT command failed: 535-5.7.8 Username and Password not accepted. Learn more at535 5.7.8 https://support.google.com/mail/answer/14257 w23sm28778307wmd.1 - gsmtp
SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
Mailer Error: SMTP connect() failed. https://github.com/PHPMailer/PHPMailer/wiki/Troubleshooting
I used league/oauth2-client, league/oauth2-google and got refresh token.
ClientID, Secret Code and Refresh code everything seems fine in my phpmailer code.
Followed everything at https://support.google.com/mail/answer/14257
Still, stuck here for very long time.
If you are using league/oauth2-client and league/oauth2-google,
you will get the following prompt by default on getting refresh token.
But, these permissions do not allow you to send emails.
So you apply a simple quick fix.
At this stage, move your eyes towards the url in the address bar.
Analyze it closely and somewhere you find this,
&scope=email+openid+profile&response_type
Change the scope to the following and don't touch the remaining part,
&scope=https://mail.google.com/&response_type
Now, go to this new modified url. You will get a prompt like this,
Click Allow and you are Good to go.
i faced the same problem. however it can be solved by go to Account Settings and remove permission and then grant permission again.
hope it will work with you too
Please go and check your scopes if you are dealing with SMTP
please add this in the scope https://mail.google.com/

Resources