Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
Also if you are using jwt, you can also opt to do local validation instead.
Aki
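The two options Aki mentions, written out as an added example for Dovecot 2.3.x (this configuration is not part of either message in the thread and is not the Dovecot project's own documentation). The host idp.example.com, the realm and client names and the key directory are assumptions; the endpoint paths follow Keycloak's documented realm layout, and the key-file layout for local validation is stated as an assumption about the 2.3 behaviour, not something this thread confirms:

```conf
# Added example (not from the original thread): auth-oauth2.conf.ext for
# Dovecot 2.3.x following Aki's advice. Hostname, realm, client and key
# directory are assumptions.

# Variant A: remote token introspection only, no tokeninfo_url at all.
# With tokeninfo_url unset, Dovecot never sends the "GET <tokeninfo_url><token>"
# request that produced the 404 in the log; the token is checked through the
# introspection endpoint (RFC 7662), which is what Keycloak's token/introspect
# path implements.
openid_configuration_url = https://idp.example.com/realms/MyRealm/.well-known/openid-configuration
introspection_url = https://idp.example.com/realms/MyRealm/protocol/openid-connect/token/introspect
# post: token, client_id and client_secret go in a form-encoded POST body.
# auth: token in the body, client credentials via HTTP Basic instead.
introspection_mode = post
client_id = dovecot
client_secret = <client secret, keep this file root-readable only>
# RFC 7662 reports revoked or expired tokens as "active": false; require true
# explicitly rather than relying on a non-error HTTP status.
active_attribute = active
active_value = true
username_attribute = email
# Verify the IdP's TLS certificate; an unverified connection would let anyone
# on the path answer "active": true.
tls_ca_cert_file = /etc/ssl/certs/ca-certificates.crt
pass_attrs = pass=%{oauth2:access_token}

# Variant B (alternative to A): local validation of JWT access tokens.
# No network call per login; Dovecot verifies the signature itself.
# Replace the introspection_* lines above with:
#introspection_mode = local
# Assumption: signing keys live in files under this prefix, one file per key,
# organised as <azp>/<alg>/<kid> (e.g. dovecot/RS256/<kid>), containing the
# PEM public key. Rotate these files whenever the IdP rotates its keys.
#local_validation_key_dict = fs:posix:prefix=/etc/dovecot/oauth2-keys/
# Only accept tokens from the realm that is supposed to issue them.
#issuers = https://idp.example.com/realms/MyRealm
# Caveat: local validation cannot see revocations made at the IdP before the
# token's exp claim; keep access-token lifetimes short if you use it.
```

Which variant fits depends on whether the IdP issues opaque tokens (then only introspection works) or signed JWTs (then either does).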
On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
Hi,
I am trying to set up oauth2 authentication with dovecot 2.3.21.
The debug log of dovecot shows that it tries to do a HTTP GET request to the tokeninfo url with the token appended to the end of the URL. This gives a 404 error. The openidconnect server I use (keycloak) says that this API endpoint conforms to https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint which specifies that the request has to be a HTTP POST request.
So dovecot is trying to do something (GET request) which the OIDC specification does not agree with (shall be POST request).
Here is the dovecot debug log of it:
---snip---
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client[1]: request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci<rest_omitted>...: Submitted (requests left=1)
[...]
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap syslogd: last message repeated 1 times
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client: conn <IP>:443 [1]: Got 404 response for request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci<rest_omitted>
---snip---
My passdb config (only showing the oauth part):
---snip---
passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
}

passdb {
  driver = oauth2
  mechanisms = plain
  args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
}
---snip---
auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro...
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---
auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro...
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
debug = yes
username_attribute = email
pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---
On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I cannot find any way to tell that the tokeninfo url shall do a POST request instead of a GET request.
I found something on reddit about how to make it work with keycloak, but this seems to be a workaround, and not a proper fix... The first comment at https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keyc... makes this work for me.
The working but not really up to the OIDC spec dovecot config is:
auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/t...
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?tr...
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro...
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---
auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?tr...
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/intro...
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
#debug = yes
username_attribute = email
pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---
Bye, Alexander.
-- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org