Oauth2 introspection mode bug(?)

Scott Q.

1 Jul 2024 1 Jul '24

7:29 p.m.

Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Show replies by date

Aki Tuomi

1 Jul 1 Jul

7:38 p.m.

...

On 01/07/2024 19:29 EEST Scott Q. via dovecot dovecot@dovecot.org wrote:

Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Not sure what version you are looking at. https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque... adds token into payload.

tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

Aki Aki

Scott Q.

7:49 p.m.

I'm on 2.3.21

setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.

I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.

This is the info that dovecot sends in auth mode

1719847604.669354 GET /realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:

...

On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:

Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Not sure what version you are looking at. https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque... adds token into payload.

tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

Aki Aki

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

Aki Tuomi

8 p.m.

I know this is bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.

Alternatively

Set tokeninfo_url empty.

and

introspection_mode = post introspection_url = https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo

Aki

...

On 01/07/2024 19:49 EEST Scott Q. via dovecot dovecot@dovecot.org wrote:

I'm on 2.3.21

setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.

I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.

This is the info that dovecot sends in auth mode

1719847604.669354 GET /realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:

...
On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:

Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Not sure what version you are looking at. https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque... adds token into payload.

tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

Aki Aki

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

Scott Q.

8:06 p.m.

Ok, thanks, what also works is leaving tokeninfo_url empty and entering the introspection_url with the clientid/password in the url

aka, https://user:pass@keycloak.dev1:8443 ...

I assume this is a bug as well, I think I saw something about it breaking from 2.3.20 to 2.3.21

Thank you Aki!

On Monday, 01/07/2024 at 13:00 Aki Tuomi via dovecot wrote:

I know this is bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.

Alternatively

Set tokeninfo_url empty.

and

introspection_mode = post introspection_url = https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo

Aki

...

On 01/07/2024 19:49 EEST Scott Q. via dovecot wrote:

I'm on 2.3.21

setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.

I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.

This is the info that dovecot sends in auth mode

1719847604.669354 GET

/realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

...

HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

...

Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:

...
On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:

Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends

auth

...

...
header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Not sure what version you are looking at.

https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

...

adds token into payload.

tokeninfo always adds token to URL, not as header. See

https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

...

Aki Aki

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

Aki Tuomi

8:14 p.m.

It was done slightly wrong before, we made it work more standard in 2.3.21

They were sent as URL parameters before, but it was changed into basic auth instead.

Aki

...

On 01/07/2024 20:06 EEST Scott Q. via dovecot dovecot@dovecot.org wrote:

Ok, thanks, what also works is leaving tokeninfo_url empty and entering the introspection_url with the clientid/password in the url

aka, https://user:pass@keycloak.dev1:8443 ...

I assume this is a bug as well, I think I saw something about it breaking from 2.3.20 to 2.3.21

Thank you Aki!

On Monday, 01/07/2024 at 13:00 Aki Tuomi via dovecot wrote:

I know this is bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.

Alternatively

Set tokeninfo_url empty.

and

introspection_mode = post introspection_url = https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo

Aki

...
On 01/07/2024 19:49 EEST Scott Q. via dovecot wrote:

   I'm on 2.3.21

setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.

I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.

This is the info that dovecot sends in auth mode

1719847604.669354 GET

/realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

...
HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

...
Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:

...
On 01/07/2024 19:29 EEST Scott Q. via dovecot  wrote:

   Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends

auth

...
...
header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Not sure what version you are looking at.

https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

...
adds token into payload.

tokeninfo always adds token to URL, not as header. See

https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

...
Aki Aki

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

Scott Q.

8:19 p.m.

Thank you once again for the explanation.

A somewhat side question if you don't mind. It seems that Outlook intentionally doesn't want to do oauth2 for any server/service except MS365/Gmail - does this sound about right ?

On Monday, 01/07/2024 at 13:14 Aki Tuomi wrote:

It was done slightly wrong before, we made it work more standard in 2.3.21

They were sent as URL parameters before, but it was changed into basic auth instead.

Aki

...

On 01/07/2024 20:06 EEST Scott Q. via dovecot wrote:

Ok, thanks, what also works is leaving tokeninfo_url empty and entering the introspection_url with the clientid/password in the url

aka, https://user:pass@keycloak.dev1:8443 ...

I assume this is a bug as well, I think I saw something about it breaking from 2.3.20 to 2.3.21

Thank you Aki!

On Monday, 01/07/2024 at 13:00 Aki Tuomi via dovecot wrote:

I know this is bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.

Alternatively

Set tokeninfo_url empty.

and

introspection_mode = post introspection_url =

https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo

...

Aki

...
On 01/07/2024 19:49 EEST Scott Q. via dovecot wrote:

I'm on 2.3.21

setting introspection_mode to auth causes tokeninfo url to have

...

...
token in both querystring & header.

I've tried removing the tokeninfo url as you suggested in a

the previous

...

...
thread but then authorization fails altogether for me.

This is the info that dovecot sends in auth mode

1719847604.669354 GET

...

...
HTTP/1.1 1719847604.669354 Host: keycloak.dev1:8443 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21 1719847604.669354 Connection: Keep-Alive 1719847604.669385 Authorization: Bearer

...

...
Thanks, Scott On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:

...
On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:

Here goes another oauth2 question, hoping it won't be ignored like all the others.

I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post

so, if introspection_mode = post, then dovecot no longer sends

auth

...
...
header to tokeninfo_url . Is this by design, is it a bug ?

as can be seen in

src/lib-oauth2/oauth2-request.c

if (add_auth_bearer && http_client_request_get_origin_url(req->req)->user == NULL && set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) { http_client_request_add_header(req->req, "Authorization", t_strdup_printf("Bearer %s", input->token)); }

Not sure what version you are looking at.

https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

...

...
adds token into payload.

tokeninfo always adds token to URL, not as header. See

https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-reque...

...

...
Aki Aki

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org

Age (days ago)

Last active (days ago)

List overview

6 comments

2 participants

participants (2)

Aki Tuomi
Scott Q.