Hello,
Still trying to make Roundcube / Dovecot work with Keycloak.
Dovecot can't seem to validate the access_token that Roundcube gave.
Jul 08 20:48:05 auth: Debug: http-client[1]: request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...]: Sent header
Jul 08 20:48:05 auth: Debug: http-client[1]: peer 11.22.33.44:443: No more requests to service for this peer (1 connections exist, 0 pending)
Jul 08 20:48:05 auth: Debug: http-client[1]: conn 11.22.33.44:443 [0]: Got 404 response for request [Req1: GET https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token...] (took 11 ms + 19 ms in queue)
Jul 08 20:48:05 auth: Debug: oauth2(my.mail@whatever,::1,<Z2mDOfSpJJ8AAAAAAAAAAAAAAAAAAAAB>): oauth2: callback(0, Invalid token)
The access_token used by Dovecot is the right one. Dovecot also has the right login (my.mail@whatever).
The Nginx and Keycloak logs show this:
- - [08/Jul/2020:23:25:18 +0200] "POST /auth/realms/test_saml/protocol/openid-connect/token HTTP/1.1" 200 3171 "-" "Guzzle/5.3.1 curl/7.64.0 PHP/7.3.14-1~deb10u1"
- [08/Jul/2020:23:42:05 +0200] "GET /auth/realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0....TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg HTTP/1.1" 404 1465 "-" "dovecot-oauth2-passdb/2.3.4.1"
DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-2) RESTEASY002315: PathInfo: /realms/test_saml/protocol/openid-connect/tokeneyJhbGciOiJFUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJEZzR2aWtndzN2MWVpQVgxMU10YkFIaXRaUnM2R2RlVzN3b3hGTTBpd1NnIn0.eyJleHAiOjE1OTQyNDQ3MDQsImlhdCI6MTU5NDI0NDUyNCwiYXV0aF90aW1lIjoxNTk0MjQ0MzQ3LCJqdGkiOiIyYTg3MjQ3NS0zMGMxLTRmMDctODg5Ny04YmQ4OTJjMGI1MjEiLCJpc3MiOiJodHRwczovL3Nzby5udWJvLmNvb3AvYXV0aC9yZWFsbXMvdGVzdF9zYW1sIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6IjhlZWNiODVjLTZlMDYtNGZhNC1iYTAwLTdlMGRlM2MyMWYxNCIsInR5cCI6IkJlYXJlciIsImF6cCI6InJvdW5kY3ViZSIsInNlc3Npb25fc3RhdGUiOiJmMjY0OTQyMy0xNmZkLTQzMTgtYTVkYy04NWJhNmU3YTQ4MWYiLCJhY3IiOiIwIiwiYWxsb3dlZC1vcmlnaW5zIjpbImh0dHA6Ly9yYy5udWJvLmRvbWFpbmVwdWJsaWMubmV0Il0sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJvZmZsaW5lX2FjY2VzcyIsInVtYV9hdXRob3JpemF0aW9uIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGVtYWlsIG9mZmxpbmVfYWNjZXNzIiwidWlkIjoicXVlbmVubmkiLCJ1cG4iOiJxdWVuZW5uaSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwibmFtZSI6Iktlbm55IExvdXZlYXV4IExvdXZlYXV4IiwiZ3JvdXBzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXSwicHJlZmVycmVkX3VzZXJuYW1lIjoicXVlbmVubmkiLCJnaXZlbl9uYW1lIjoiS2VubnkgTG91dmVhdXgiLCJmYW1pbHlfbmFtZSI6IkxvdXZlYXV4IiwiZW1haWwiOiJrZW5ueUBudWJvLnNpdGUifQ.TsUBiZ5nSTuA9ojr6bao5NQUHeNRmcYQZsC95rrhYca9FsFG4xG8mT53X9eOSNEqzRMJiPHaDuAh-3Bq8Rjdlg
Dovecot does a GET request where the access_token is directly appended to the 'tokeninfo_url' option. Is that the correct/normal way? Shouldn't it be a POST with the data passed as parameters?
Or is it Keycloak that should accept that request?
Thanks,
Kenny
On 09/07/2020 01:29 la.jolie@paquerette <la.jolie@paquerette.org> wrote:
> Hello,
> Still trying to make Roundcube / Dovecot work with Keycloak.
> Dovecot can't seem to validate the access_token that Roundcube gave.
Dovecot always does a GET request when it makes the tokeninfo call. If you want to do introspection, you can tell Dovecot to do a POST to the token endpoint, but then you should leave the tokeninfo URL empty.
See https://doc.dovecot.org/configuration_manual/authentication/oauth2/
Aki
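To make the two request shapes from the thread concrete, here is an added example dovecot-oauth2.conf.ext (not from this thread, nor Dovecot's or Keycloak's shipped configuration): the tokeninfo_url form that produces the GET seen in the logs above, beside an introspection-based replacement. The /token/introspect path, the client credentials and username_attribute = email are assumptions.

```ini
# /etc/dovecot/dovecot-oauth2.conf.ext (added example, not from the thread)

# --- Shape 1: tokeninfo lookup, the shape visible in the logs above ---
# Dovecot appends the raw access token to tokeninfo_url with no separator,
# so this setting only suits an endpoint that expects the token as the tail
# of the URL (typically one ending in "?access_token="). Pointing it at
# Keycloak's token endpoint produces
#   GET /auth/realms/test_saml/protocol/openid-connect/token<JWT>  -> 404
# and Dovecot reports "Invalid token". Left commented out on purpose.
#tokeninfo_url = https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token

# --- Shape 2: RFC 7662 token introspection (POST) ---
# tokeninfo_url stays unset; Dovecot POSTs the token to introspection_url.
# Assumption: Keycloak exposes introspection at .../token/introspect under
# the same realm path as the token endpoint seen in the logs.
introspection_url = https://my.keycloak.host/auth/realms/test_saml/protocol/openid-connect/token/introspect
introspection_mode = post

# Assumption: a confidential client registered in the realm for Dovecot;
# these credentials authenticate Dovecot to the introspection endpoint
# (placeholder values).
client_id = dovecot
client_secret = CLIENT_SECRET_PLACEHOLDER

# Only accept tokens the IdP reports as live; anything else is rejected.
active_attribute = active
active_value = true

# Map the introspection response to the Dovecot login. The token in the
# logs carries both "preferred_username" and "email"; the login Dovecot saw
# was a mail address, so "email" is assumed here.
username_attribute = email

# Verbose logging of the HTTP exchange while validating the setup.
debug = yes

# The passdb that loads this file, in conf.d/10-auth.conf:
#   passdb {
#     driver = oauth2
#     mechanisms = xoauth2 oauthbearer
#     args = /etc/dovecot/dovecot-oauth2.conf.ext
#   }
```

After the change, the Keycloak and Nginx access logs should show a POST to the introspect path with the token in the body rather than a GET with the token glued to the URL.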
participants (2): Aki Tuomi, la.jolie@paquerette