Feature request: use`openid_configuration_url` to guess OIDC endpoints and keys
Éloi Rivard
eloi at yaal.coop
Fri Feb 4 14:34:04 UTC 2022
Since version 2.3.16 dovecot has a openid_configuration_url [1] configuration
parameter. Here is the documentation about this parameter:
> Support for RFC 7628 OpenID Discovery (OIDC) can be achieved with
> openid_configuration_url setting. Setting this causes Dovecot to report OIDC
> configuration URL as openid-configuration element in error JSON.
After reading the RFC I understand this brings some context to the error
messages, but at first glance I would have expected more from this parameter.
- Dovecot could read the userinfo_endpoint option [2] in the OIDC discovery
endpoint to guess the IDP userinfo endpoint [3], and make the dovecot
introspection_url parameter optional.
- Dovecot could read the introspection_endpoint option [4] in the OIDC discovery
endpoint to guess the IDP introspection endpoint [5], and make the dovecot
tokeninfo_url parameter optional. RFC8414 is still a draft though, but there
seems to be a convention about this parameter be called either
token_introspection_endpoint or introspection_endpoint. Maybe both could be
checked?
- Dovecot could read the jwks_uri [4] option in the OIDC discovery endpoint to
guess the IDP public keys, and make the local_validation_key_dict dovecot
parameter optional.
I would suggest to keep the values in introspection_url, tokeninfo_url and
local_validation_key_dict if defined, but use the values found in the OIDC
discovery endpoint by default.
I think this would really help using OAUTH with dovecot.
What do you think?
[1]
https://doc.dovecot.org/configuration_manual/authentication/oauth2/#openid-discovery
[2] https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata
[3] https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
[4] https://datatracker.ietf.org/doc/html/rfc8414#section-2
[5] https://datatracker.ietf.org/doc/html/rfc7662
More information about the dovecot
mailing list