It was done slightly wrong before, we made it work more standard in 2.3.21
They were sent as URL parameters before, but it was changed into basic auth instead.
Aki
On 01/07/2024 20:06 EEST Scott Q. via dovecot <dovecot@dovecot.org> wrote:
Ok, thanks, what also works is leaving tokeninfo_url empty and entering the introspection_url with the clientid/password in the url
aka, https://user:pass@keycloak.dev1:8443 ...
I assume this is a bug as well, I think I saw something about it breaking from 2.3.20 to 2.3.21
Thank you Aki!
On Monday, 01/07/2024 at 13:00 Aki Tuomi via dovecot wrote:
I know this is bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.
Alternatively
Set tokeninfo_url empty.
and
introspection_mode = post introspection_url = https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo
Aki
On 01/07/2024 19:49 EEST Scott Q. via dovecot wrote:
I'm on 2.3.21
setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.
I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.
This is the info that dovecot sends in auth mode
1719847604.669354 GET
/realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw
HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw
Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:
On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:
Here goes another oauth2 question, hoping it won't be ignored like all the others.
I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post
so, if introspection_mode = post, then dovecot no longer sends
auth
header to tokeninfo_url . Is this by design, is it a bug ?
as can be seen in
src/lib-oauth2/oauth2-request.c
if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }
Not sure what version you are looking at.
https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...
adds token into payload.
tokeninfo always adds token to URL, not as header. See
https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...
Aki Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org