JWT local validation

Tomas Habarta lists+dovecot at tocc.cz
Wed Aug 11 10:06:20 EEST 2021


Yep, that was the point, RFC states typ header as optional so I was looking for some workaround as the implementation did not put it in the tokens. Fortunately, I had a great luck as developers were so kind and added it with next minor release -- so this is sorted and local validation works great.

Next question is related to the key management -- as the key used for validation is publicly available at JWK endpoint, is there any plan to enhance dovecot's functionality so that keys can be retrieved from such well-known endpoint? For the meantime, it is relatively easy task to be scripted, but don't want to spend much time reinventing the wheel since I have no other mechanism to prevent outage in case of planned/unplanned/emergency signing key change...


Thanks!
Tomas

On Mon, Jun 28, 2021 at 08:43:09AM +0300, Aki Tuomi wrote:
> 
> > On 24/06/2021 09:19 Tomas Habarta <lists+dovecot at tocc.cz> wrote:
> > 
> >  
> > Hello,
> > 
> > I have a working setup with Roundcube using OAuth2 -- introspection works without any problem, unfortunately local validation does not as tokens are missing "typ" header (seems that one is indeed optional per RFC7519 and therefore not present in the implementation in place).
> > Is there any parameter to assert the token type or any other workaround to make local validation work as it currently fails with: oauth2 failed: Local validation failed: Cannot find 'typ' field.
> > 
> > dovecot v2.3.15
> > Roundcube 1.5beta
> > CentOS 8
> > 
> > 
> > Thanks, regards
> > Tomas
> 
> Hi!
> 
> The current dovecot oauth2 code requires that your tokens come with typ:jwt header. See https://datatracker.ietf.org/doc/html/rfc7519#section-5.1
> 
> Aki


More information about the dovecot mailing list