On 01/07/2024 19:29 EEST Scott Q. via dovecot dovecot@dovecot.org wrote:
Here goes another oauth2 question, hoping it won't be ignored like all the others.
I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post
so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ?
as can be seen in
src/lib-oauth2/oauth2-request.c
if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }
Not sure what version you are looking at. https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque... adds token into payload.
tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...
Aki Aki