Hello! I'm using dovecot with keycloak for oauth authentication. My config is:
client_id = dovecot
client_secret = MY_SECRET
introspection_url = https://MY_KEYCLOAK/realms/master/protocol/openid-connect/token/introspect
introspection_mode = post
pass_attrs = pass=%{oauth2:access_token}
Everything worked great on version 2.3.20. After upgrading to version 2.3.21.1 oauth stopped working with errors:
auth: Debug: http-client: conn [::1]:443 [1]: Got 401 response for request [Req1: POST https://MY_KEYCLOAK/realms/master/protocol/openid-connect/token/introspect]: Unauthorized (took 5 ms +
Aug 16 00:23:58 auth: Error: oauth2(MY_EMAIL,127.0.0.1,<HADwdb8f+PN/AAAB>): oauth2 failed: Introspection failed: No username returned
I tried all combinations of configurations, debugging and versions of Keycloak. It seems something was broken in this version of Dovecot.
On 21/08/2024 11:53 EEST v--- via dovecot <dovecot@dovecot.org> wrote:
Hi!
Release notes say
oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification.
this is a slightly obscure way to say that you need to change your
introspection_url = https://client_id:client_secret@MY_KEYCLOAK/...
(see https://github.com/dovecot/core/blob/d492236fa077cba1222695ca3267afb76723567...)
Aki
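The behaviour change Aki describes, shown end to end as an added example (this is not code from the thread or from Dovecot): a constructed local introspection endpoint that, like Keycloak, accepts client credentials either as HTTP Basic auth or as client_id/client_secret POST parameters, and a client that sends the request the 2.3.20 way (credentials in the POST body), the 2.3.21 way with a plain URL (no credentials at all, which yields the 401 from the original report), and the 2.3.21 way with client_id:client_secret@ in the URL. The userinfo-to-Authorization-header conversion is a reimplementation for illustration, including the assumption that reserved characters in the secret are percent-encoded in the URL; the credentials, token and username are constructed.

```python
import base64
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed demo values; the thread's real ones are MY_SECRET etc.
CLIENT_ID = "dovecot"
CLIENT_SECRET = "MY_SECRET"
VALID_TOKEN = "constructed-access-token"
EXPECTED_BASIC = "Basic " + base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()


def split_introspection_url(url):
    """Turn 'https://id:secret@host/path' into (url without userinfo, Basic header).

    Mirrors what Aki's reply says 2.3.21 expects: client credentials live in the
    URL userinfo and go out as HTTP Basic auth (RFC 6749 2.3.1). Percent-decoding
    of the userinfo is this example's assumption, not verified Dovecot behaviour."""
    parts = urllib.parse.urlsplit(url)
    if parts.username is None:
        return url, None
    host = parts.hostname
    if ":" in host:          # bare IPv6 literal, e.g. ::1, must be re-bracketed
        host = f"[{host}]"
    if parts.port:
        host += f":{parts.port}"
    clean = urllib.parse.urlunsplit((parts.scheme, host, parts.path, parts.query, parts.fragment))
    user = urllib.parse.unquote(parts.username)
    secret = urllib.parse.unquote(parts.password or "")
    header = "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()
    return clean, header


class IntrospectHandler(BaseHTTPRequestHandler):
    """Minimal RFC 7662 token introspection endpoint (constructed stand-in for Keycloak).

    Accepts client authentication as HTTP Basic or as client_id/client_secret in the
    form body; with neither it answers 401, which is the symptom in the report."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = urllib.parse.parse_qs(self.rfile.read(length).decode())
        basic_ok = self.headers.get("Authorization", "") == EXPECTED_BASIC
        post_ok = (form.get("client_id", [""])[0] == CLIENT_ID
                   and form.get("client_secret", [""])[0] == CLIENT_SECRET)
        if not (basic_ok or post_ok):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="introspect"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        active = form.get("token", [""])[0] == VALID_TOKEN
        body = {"active": True, "username": "alice", "client_id": CLIENT_ID} if active else {"active": False}
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), IntrospectHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def introspect(url, token, legacy_post_creds):
    """One introspection round trip; returns (http_status, parsed_json_or_None).

    legacy_post_creds=True mimics 2.3.20 (client_id/client_secret as POST parameters,
    no Authorization header). False mimics 2.3.21: the only client authentication
    sent is a Basic header derived from the URL userinfo, if any."""
    clean_url, basic = split_introspection_url(url)
    fields = {"token": token, "token_type_hint": "access_token"}
    if legacy_post_creds:
        fields.update(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    req = urllib.request.Request(clean_url, data=urllib.parse.urlencode(fields).encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if basic and not legacy_post_creds:
        req.add_header("Authorization", basic)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never route via a proxy
    try:
        with opener.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, None


def demo():
    """Run the three request styles against the local endpoint and return the results."""
    srv = start_server()
    base = f"http://127.0.0.1:{srv.server_port}/realms/master/protocol/openid-connect/token/introspect"
    with_creds = base.replace("http://", f"http://{CLIENT_ID}:{urllib.parse.quote(CLIENT_SECRET, safe='')}@", 1)
    results = {
        "2.3.20: creds as POST params": introspect(base, VALID_TOKEN, legacy_post_creds=True),
        "2.3.21: plain URL, no creds": introspect(base, VALID_TOKEN, legacy_post_creds=False),
        "2.3.21: creds in URL -> Basic": introspect(with_creds, VALID_TOKEN, legacy_post_creds=False),
    }
    srv.shutdown()
    return results


if __name__ == "__main__":
    for label, (status, body) in demo().items():
        print(f"{label}: HTTP {status} {body}")
```

The middle case is the one in the original report: the request carries a valid token but no client authentication, the server answers 401, and Dovecot's auth process then reports "Introspection failed: No username returned" because there is no body to read a username from. Putting the client credentials in the URL fixes it only if the server actually accepts client_secret_basic, so if a deployment still gets 401 after the change, check the client's authentication method on the Keycloak side.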
Hi,
Don't you use grant_url?
As far as I can see, both versions use client's id/secret for grant_url and receive an access_token. Both use the token for introspection_url, but 2.3.20 sends id/secret with it and 2.3.21 does not.
Tested with plain auth and the following settings:
grant_url = http://localhost:8080/realms/test/protocol/openid-connect/token
use_grant_password = yes
introspection_url = http://localhost:8080/realms/test/protocol/openid-connect/token/introspect
introspection_mode = post
username_attribute = username
client_id = dovecot
client_secret = secret
Regards, Piotr
This was intentionally changed in 2.3.21, you need to use
http://clientid:clientsecret@localhost:8080/
Aki
On 14/11/2024 15:17 EET piotr-l--- via dovecot <dovecot@dovecot.org> wrote:
dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-leave@dovecot.org
participants (3)
- Aki Tuomi
- piotr-l@netexpert.pl
- v@minakov.pro