OAUTH2 local validation

Felix Auringer felix.auringer at giz.berlin
Wed Nov 16 15:31:02 UTC 2022


Hello,

<https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-validation> 
describes how to set up local validation for OAUTH2 with dovecot. This 
works fine as long as the keys are not rotated. In my experience, it is 
common for a client to try to validate a token with the cached key and 
update the cached keys when the local validation fails (e.g. via the 
/auth/realms/<realm>/protocol/openid-connect/certs endpoint in 
Keycloak). This way, the client does not need to fetch new keys 
periodically but only when the old ones have expired. If I understand it 
correctly, Dovecot reads the keys from a defined path but does not care 
how to update them. Did you have a nice way in mind of how the keys should 
be refreshed when deciding not to do that in dovecot? Are you planning 
to add automatic refreshing of local validation keys to dovecot?

I am running dovecot in Docker and one way would be a cron job on the 
host that fetches new keys and updates the files inside the container 
via docker exec. It would work but it's not really a nice solution 
because, from outside dovecot, the information on whether the old keys are 
no longer valid is not available, and the whole process needs to run 
periodically (and thus way more often than actually necessary).

Best regards,
Felix Auringer
---
Gesellschaft für interkulturelles
Zusammenleben gGmbH (GIZ)
Felix Auringer
IT
Reformationsplatz 2
13597 Berlin

Tel: 030/513 0100 00; Fax: 030/513 0100 09 
www.giz.berlin; felix.auringer at giz.berlin

Amtsgericht Charlottenburg HRB 200872 B
Managing Director: Dr. Britta Marschke
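The refresh step described in the mail (take the JWKS from the Keycloak certs endpoint and update the key files Dovecot reads), as an added example that is not part of the original mail or of Dovecot itself. It assumes the key layout Dovecot's documentation gives for `local_validation_key_dict = fs:posix:prefix=...`, i.e. `<prefix>/<azp>/<alg>/<kid>` (verify against your version), and it takes the already-fetched JWKS as a dict (fetch it with curl or urllib); the sample JWKS at the bottom is constructed, not a real key.

```python
# Added example (not from the original mail or from Dovecot): turn a JWKS document,
# e.g. Keycloak's .../protocol/openid-connect/certs, into the key files Dovecot's
# OAuth2 local validation reads. Assumed layout: <prefix>/<azp>/<alg>/<kid> (verify).
import base64
from pathlib import Path

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL

def b64url_to_int(s: str) -> int:
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")

def tlv(tag: bytes, body: bytes) -> bytes:
    """DER tag-length-value, short or long-form length."""
    n = len(body)
    if n < 0x80:
        return tag + bytes([n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return tag + bytes([0x80 | len(lb)]) + lb + body

def der_int(v: int) -> bytes:
    body = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    return tlv(b"\x02", b"\x00" + body if body[0] & 0x80 else body)  # keep sign positive

def jwk_rsa_to_pem(jwk: dict) -> str:
    """RSA JWK (n, e) -> SubjectPublicKeyInfo PEM, the form Dovecot loads."""
    rsa_pub = tlv(b"\x30", der_int(b64url_to_int(jwk["n"])) + der_int(b64url_to_int(jwk["e"])))
    spki = tlv(b"\x30", tlv(b"\x30", RSA_ALG_ID) + tlv(b"\x03", b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def refresh_keys(jwks: dict, key_dir: str, azp: str = "default") -> list:
    """Write each RSA signing key to <key_dir>/<azp>/<alg>/<kid>; return kids (re)written.
    Unchanged files are skipped, so a frequent cron run stays cheap and idempotent."""
    written = []
    for jwk in jwks.get("keys", []):
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue
        target = Path(key_dir) / azp / jwk.get("alg", "RS256") / jwk["kid"]
        pem = jwk_rsa_to_pem(jwk)
        if target.exists() and target.read_text() == pem:
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(pem)
        written.append(jwk["kid"])
    return written

SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256", "kid": "kc-2022-11",
                         "n": "q83vEjRWeJo", "e": "AQAB"}]}  # constructed, not a real key
```

Because `refresh_keys` only rewrites files whose content changed, the cron job the mail mentions can run often (e.g. via `docker exec`) without touching Dovecot's key directory between rotations; a non-empty return value is the signal that a rotation happened.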

