Feature request: use `openid_configuration_url` to guess OIDC endpoints and keys
Since version 2.3.16 dovecot has an openid_configuration_url [1] configuration parameter. Here is the documentation about this parameter:
Support for RFC 7628 OpenID Discovery (OIDC) can be achieved with openid_configuration_url setting. Setting this causes Dovecot to report OIDC configuration URL as openid-configuration element in error JSON.
After reading the RFC I understand this brings some context to the error messages, but at first glance I would have expected more from this parameter.
Dovecot could read the userinfo_endpoint option [2] in the OIDC discovery endpoint to guess the IDP userinfo endpoint [3], and make the dovecot introspection_url parameter optional.
Dovecot could read the introspection_endpoint option [4] in the OIDC discovery endpoint to guess the IDP introspection endpoint [5], and make the dovecot tokeninfo_url parameter optional. RFC8414 is still a draft though, but there seems to be a convention that this parameter is called either token_introspection_endpoint or introspection_endpoint. Maybe both could be checked?
Dovecot could read the jwks_uri [4] option in the OIDC discovery endpoint to guess the IDP public keys, and make the local_validation_key_dict dovecot parameter optional.
I would suggest keeping the values in introspection_url, tokeninfo_url and local_validation_key_dict if defined, but using the values found in the OIDC discovery endpoint by default.
I think this would really help using OAUTH with dovecot. What do you think?
[1] https://doc.dovecot.org/configuration_manual/authentication/oauth2/#openid-d...
[2] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
[3] https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[4] https://datatracker.ietf.org/doc/html/rfc8414#section-2
[5] https://datatracker.ietf.org/doc/html/rfc7662
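The resolution order proposed above (explicit setting wins, otherwise fall back to the discovery document, trying both introspection_endpoint spellings) can be sketched as follows. This is an added illustration, not Dovecot code: the discovery document is a constructed sample with placeholder hostnames, the mapping of metadata fields to the three dovecot settings is the one the post suggests, and the "HTTPS on the issuer's host" check applied to discovered URLs is an assumption of this example rather than a requirement of the OIDC or RFC 8414 specs.

```python
import json
from urllib.parse import urlparse

# Constructed discovery document; the hostnames are placeholders, not a real IdP.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    # Some providers use this name instead of RFC 8414's introspection_endpoint.
    "token_introspection_endpoint": "https://idp.example.test/oauth2/introspect",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
})

# Which discovery metadata fields back each dovecot setting (mapping as proposed
# in the post). Candidate names are tried in order; the first one present wins.
DISCOVERY_SOURCES = {
    "introspection_url": ("userinfo_endpoint",),
    "tokeninfo_url": ("introspection_endpoint", "token_introspection_endpoint"),
    "local_validation_key_dict": ("jwks_uri",),
}


def check_discovered_url(url, issuer):
    """Accept a discovered URL only if it is HTTPS and on the issuer's host.

    Assumption of this example, not a spec rule: a deliberately conservative
    policy so that a tampered or misconfigured discovery document cannot send
    introspection requests (which carry client credentials) or key fetches to
    an unrelated host. Explicitly configured URLs are not subject to this check.
    """
    u = urlparse(url)
    i = urlparse(issuer)
    if u.scheme != "https":
        raise ValueError(f"discovered endpoint is not https: {url}")
    if u.hostname != i.hostname:
        raise ValueError(
            f"discovered endpoint host {u.hostname!r} differs from issuer host {i.hostname!r}"
        )
    return url


def resolve_endpoints(discovery_json, explicit=None):
    """Return the three settings, preferring explicit values over discovery.

    `explicit` holds whatever the administrator configured; missing or empty
    entries fall back to the discovery document. A setting available from
    neither source is returned as None so the caller can decide whether it
    is mandatory for the chosen validation mode.
    """
    doc = json.loads(discovery_json)
    explicit = explicit or {}
    issuer = doc.get("issuer")
    if not issuer:
        raise ValueError("discovery document has no issuer")
    resolved = {}
    for setting, candidates in DISCOVERY_SOURCES.items():
        if explicit.get(setting):
            resolved[setting] = explicit[setting]  # configured value wins
            continue
        found = next((doc[k] for k in candidates if doc.get(k)), None)
        resolved[setting] = check_discovered_url(found, issuer) if found else None
    return resolved


if __name__ == "__main__":
    # Explicit tokeninfo_url overrides discovery; the other two come from metadata.
    print(resolve_endpoints(
        SAMPLE_DISCOVERY, {"tokeninfo_url": "https://idp.example.test/custom/introspect"}
    ))
```

Fetching the discovery document itself (over HTTPS, with the issuer value checked against the URL it was fetched from) and turning jwks_uri into whatever key store dovecot expects for local_validation_key_dict are left out; the point here is only the precedence and the fallback between the two introspection field names.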
Participants (1): Éloi Rivard