9 Jul
2020
9 Jul
'20
1:29 a.m.
Hello,
Still trying to make roundcube / Dovecot works with Keycloak.
Dovecot can't seem to validate the access_token that Roundcube gave.
Jul 08 20:48:05 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...]: Sent header Jul 08 20:48:05 auth: Debug: http-client[1]: peer 11.22.33.44:443: No more requests to service for this peer (1 connections exist, 0 pending) Jul 08 20:48:05 auth: Debug: http-client[1]: conn 11.22.33.44:443 [0]: Got 404 response for request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...] (took 11 ms + 19 ms in queue) Jul 08 20:48:05 auth: Debug: oauth2(my.mail@whatever,::1,<Z2mDOfSpJJ8AAAAAAAAAAAAAAAAAAAAB>): oauth2: callback(0, Invalid token)
The access_token used by Dovecot is the right one. Dovecot also has the right login (my.mail@whatever)
The Nginx and Keycloak logs show this:
- - [08/Jul/2020:23:25:18 +0200] "POST /auth/realms/test_saml/protocol/openid-connect/token HTTP/1.1" 200 3171 "-" "Guzzle/5.3.1 curl/7.64.0 PHP/7.3.14-1~deb10u1"
- [08/Jul/2020:23:42:05 +0200] "GET /auth/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDE0NjUsImlhdCI6MTU5NDI0MTI4NSwiYXV0aF90aW1lIjoxNTk0MjM0ODI3LCJqdGkiOiI0NjRlZjc5NS0yZDYzLTQzYjktYjU4My1iYTY2MmFkMWRhYzUiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhNC1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmOTYyNWM3OS02OTM5LTRkZjEtOGM2Yi1hYWM5Y2EzYWJkY2YiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWlkIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg HTTP/1.1" 404 1465 "-" "dovecot-oauth2-passdb/2.3.4.1"
DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1N iIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDQ3MDQsImlhdCI6MTU5NDI0NDUyNCwiYXV0aF90aW1lIjoxNTk0MjQ0MzQ3LCJqdGk iOiIyYTg3MjQ3NS0zMGMxLTRmMDctODg5Ny04YmQ4OTJjMGI1MjEiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhN C1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmMjY0OTQyMy0xNmZkLTQzMTgtYTVkYy04NWJhNmU3YTQ4MWYiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5 zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6e yJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWl kIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iX SwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHe NRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg
Dovecot does a GET request where the access_token is directly attached to the 'tokeninfo_url' option. Is that the correct/normal way? Shouldn't it be a POST with data passed as params?
Or is it Keycloak that should accept that request?
Thanks Kenny