I know this is bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.
Alternatively
Set tokeninfo_url empty.
and
introspection_mode = post introspection_url = https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo
Aki
On 01/07/2024 19:49 EEST Scott Q. via dovecot dovecot@dovecot.org wrote:
I'm on 2.3.21
setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.
I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.
This is the info that dovecot sends in auth mode
1719847604.669354 GET /realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw
Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:
On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:
Here goes another oauth2 question, hoping it won't be ignored like all the others.
I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post
so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ?
as can be seen in
src/lib-oauth2/oauth2-request.c
if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }
Not sure what version you are looking at. https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque... adds token into payload.
tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...
Aki Aki
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org