Dovecot - Xoauth2 - keycloak

la.jolie@paquerette la.jolie at paquerette.org
Thu Jul 9 01:29:48 EEST 2020


Hello,

Still trying to make Roundcube / Dovecot work with Keycloak.

Dovecot can't seem to validate the access_token that Roundcube gave.
-----
Jul 08 20:48:05 auth: Debug: http-client[1]: request [Req1: GET
https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.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.TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg]:
Sent header
Jul 08 20:48:05 auth: Debug: http-client[1]: peer 11.22.33.44:443: No
more requests to service for this peer (1 connections exist, 0 pending)
Jul 08 20:48:05 auth: Debug: http-client[1]: conn 11.22.33.44:443 [0]:
Got 404 response for request [Req1: GET
https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDE0NjUsImlhdCI6MTU5NDI0MTI4NSwiYXV0aF90aW1lIjoxNTk0MjM0ODI3LCJqdGkiOiI0NjRlZjc5NS0yZDYzLTQzYjktYjU4My1iYTY2MmFkMWRhYzUiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhNC1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmOTYyNWM3OS02OTM5LTRkZjEtOGM2Yi1hYWM5Y2EzYWJkY2YiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWlkIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg]
(took 11 ms + 19 ms in queue)
Jul 08 20:48:05 auth: Debug:
oauth2(my.mail at whatever,::1,<Z2mDOfSpJJ8AAAAAAAAAAAAAAAAAAAAB>): oauth2:
callback(0, Invalid token)
----

The access_token used by Dovecot is the right one.
Dovecot also has the right login (my.mail at whatever).

The Nginx and Keycloak logs show this:
----
 - - [08/Jul/2020:23:25:18 +0200] "POST
/auth/realms/test_saml/protocol/openid-connect/token HTTP/1.1" 200 3171
"-" "Guzzle/5.3.1 curl/7.64.0 PHP/7.3.14-1~deb10u1"
- - [08/Jul/2020:23:42:05 +0200] "GET
/auth/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.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.TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg
HTTP/1.1" 404 1465 "-" "dovecot-oauth2-passdb/2.3.4.1"

DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2)
RESTEASY002315: PathInfo:
/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1N
iIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDQ3MDQsImlhdCI6MTU5NDI0NDUyNCwiYXV0aF90aW1lIjoxNTk0MjQ0MzQ3LCJqdGk
iOiIyYTg3MjQ3NS0zMGMxLTRmMDctODg5Ny04YmQ4OTJjMGI1MjEiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhN
C1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmMjY0OTQyMy0xNmZkLTQzMTgtYTVkYy04NWJhNmU3YTQ4MWYiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5
zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6e
yJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWl
kIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iX
SwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHe
NRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg
---

Dovecot does a GET request where the access_token is directly attached
to the 'tokeninfo_url' option.
Is that the correct/normal way?
Shouldn't it be a POST with data passed as params?

Or is it Keycloak that should accept that request?

Thanks
Kenny
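An added configuration example, not part of the original post and not the Dovecot project's own file, that matches what the logs above show. Two documented Dovecot behaviours are relevant: the oauth2 passdb appends the raw access token to tokeninfo_url with no separator, so a URL ending in .../openid-connect/token turns into a GET on a path that does not exist (which is exactly the 404 both Nginx and RESTEasy report), and with introspection_mode = post Dovecot sends the token as a token= form parameter to introspection_url instead. Keycloak validates tokens on its .../token/introspect endpoint, which requires the client's credentials. Hostname, realm, client id and secret below are placeholders; which claim to use as username_attribute depends on which claim in the token matches the mail login.

```ini
# dovecot-oauth2.conf.ext (added example; keycloak.example, REALM, CLIENT_ID
# and CLIENT_SECRET are placeholders, not values from the original post)

# This is the shape that produces the 404 in the logs above: Dovecot appends
# the raw token to tokeninfo_url, so the request becomes
#   GET /auth/realms/REALM/protocol/openid-connect/token<access_token>
# which is not a resource Keycloak serves.
#tokeninfo_url = https://keycloak.example/auth/realms/REALM/protocol/openid-connect/token

# Keycloak checks tokens on its introspection endpoint, which expects a POST
# with "token=<access_token>" plus client credentials. introspection_mode = post
# makes Dovecot send exactly that; the credentials go in the URL userinfo part.
introspection_url = https://CLIENT_ID:CLIENT_SECRET@keycloak.example/auth/realms/REALM/protocol/openid-connect/token/introspect
introspection_mode = post
force_introspection = yes

# The introspection reply carries {"active": true|false, ...}. Reject the
# token unless active is true, and map the login name from a claim the
# reply contains (assumption: the mail login is the e-mail address; use
# preferred_username if the login is the Keycloak username instead).
active_attribute = active
active_value = true
username_attribute = email

# Verify Keycloak's TLS certificate against the system trust store.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
```

The matching passdb stanza on the Dovecot side (e.g. in conf.d/auth-oauth2.conf.ext) is `passdb { driver = oauth2  mechanisms = xoauth2 oauthbearer  args = /etc/dovecot/dovecot-oauth2.conf.ext }` with `oauthbearer xoauth2` added to auth_mechanisms. After the change, the auth debug log should show a POST to the introspect URL and a 200 reply instead of the GET and 404 quoted above.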