On 16/11/2022 17:31 EET Felix Auringer <felix.auringer@giz.berlin> wrote:

Hello,

describes how to set up local validation for OAUTH2 with dovecot. This works fine as long as the keys are not rotated. In my experience, it is common for a client to try to validate a token with the cached key and update the cached keys when the local validation fails (e.g. via the /auth/realms/<realm>/protocol/openid-connect/certs endpoint in Keycloak). This way, the client does not need to fetch new keys periodically but only when the old ones expired. If I understand it correctly, Dovecot reads the keys from a defined path but does not care how to update them. Did you have a nice way in mind for how the keys should be refreshed when deciding not to do that in dovecot? Are you planning to add automatic refreshing of local validation keys to dovecot?

I am running dovecot in Docker and one way would be a cron job on the host that fetches new keys and updates the files inside the container via docker exec. It would work but it's not really a nice solution because from outside dovecot, the information whether the old keys are no longer valid is not available and the whole process needs to run periodically (and thus way more often than actually necessary).

Best regards,
Felix Auringer

---
Gesellschaft für interkulturelles Zusammenleben gGmbH (GIZ)
Felix Auringer
IT
Reformationsplatz 2
13597 Berlin
Tel: 030/513 0100 00; Fax: 030/513 0100 09
www.giz.berlin; felix.auringer@giz.berlin
Amtsgericht Charlottenburg HRB 200872 B
Geschäftsführerin: Dr. Britta Marschke
You could also mount a key volume and only update that with cron. Alternatively you need a dict protocol based solution.
--- Aki Tuomi
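The cron-fed key directory that both messages above describe (fetch the JWKS from the Keycloak certs endpoint, write the keys to a volume that Dovecot reads) needs one piece neither message spells out: turning a JWKS document into per-key files without creating a window where Dovecot sees a half-written key, and without letting a hostile `kid` pick the file path. The script below is an added example and not code from this thread or from the Dovecot project. It assumes the layout `<dest>/<azp>/<alg>/<kid>` (the form Dovecot's documentation gives for a posix fs key dict; check it against your version), assumes the caller has already fetched the JWKS (for instance with `curl` in the cron job Aki suggests), and uses a constructed JWKS with a fake modulus so that it runs offline.

```python
"""Sync a JWKS document into a per-kid PEM key directory.

Added example, not code from the dovecot thread or project. Assumed layout:
<dest>/<azp>/<alg>/<kid>. Fetching the JWKS is left to the caller.
"""
import base64
import json
import os
import tempfile

RSA_ALG_ID = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (handles long-form lengths)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _der_uint(raw: bytes) -> bytes:
    raw = raw.lstrip(b"\x00") or b"\x00"
    if raw[0] & 0x80:  # high bit set: prefix 0x00 so DER reads it as positive
        raw = b"\x00" + raw
    return _der(0x02, raw)


def rsa_jwk_to_pem(jwk: dict) -> str:
    """Encode an RSA JWK's (n, e) as a PEM SubjectPublicKeyInfo."""
    rsa_pub = _der(0x30, _der_uint(_b64url_decode(jwk["n"])) + _der_uint(_b64url_decode(jwk["e"])))
    spki = _der(0x30, _der(0x30, RSA_ALG_ID) + _der(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def _safe_component(name: str) -> bool:
    """kid and alg become file names: reject anything that could leave the key directory."""
    return bool(name) and name not in (".", "..") and not any(c in name for c in "/\\\x00")


def sync_jwks(jwks: dict, dest: str, azp: str = "default", prune: bool = True) -> dict:
    """Mirror the RSA signing keys in `jwks` into dest/azp/alg/kid.

    Only new or changed keys are written (write-then-rename, so a concurrent
    reader never sees a partial file); with prune=True, kids the issuer no
    longer publishes are deleted. Returns what was added, removed and skipped.
    """
    wanted, skipped = {}, []
    for jwk in jwks.get("keys", []):
        kid, alg = jwk.get("kid", ""), jwk.get("alg", "RS256")
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue  # ignore encryption keys and non-RSA entries
        if not (_safe_component(kid) and _safe_component(alg)):
            skipped.append(kid)
            continue
        wanted[(alg, kid)] = rsa_jwk_to_pem(jwk)

    base = os.path.join(dest, azp)
    added, removed = [], []
    for (alg, kid), pem in wanted.items():
        alg_dir = os.path.join(base, alg)
        os.makedirs(alg_dir, exist_ok=True)
        path = os.path.join(alg_dir, kid)
        if os.path.isfile(path) and open(path).read() == pem:
            continue
        fd, tmp = tempfile.mkstemp(dir=alg_dir)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        os.replace(tmp, path)  # atomic on POSIX
        added.append(kid)
    if prune and os.path.isdir(base):
        for alg in os.listdir(base):
            alg_dir = os.path.join(base, alg)
            for kid in (os.listdir(alg_dir) if os.path.isdir(alg_dir) else []):
                if (alg, kid) not in wanted:
                    os.remove(os.path.join(alg_dir, kid))
                    removed.append(kid)
    return {"added": sorted(added), "removed": sorted(removed), "skipped": sorted(skipped)}


def _fake_modulus(nbytes: int) -> str:
    # Constructed stand-in for a real modulus; only the encoding path is exercised.
    return base64.urlsafe_b64encode(bytes(range(1, nbytes + 1))).rstrip(b"=").decode()


SAMPLE_JWKS = {"keys": [  # constructed to resemble a Keycloak certs response, not real key material
    {"kty": "RSA", "kid": "key-2022-11", "alg": "RS256", "use": "sig", "e": "AQAB", "n": _fake_modulus(32)},
    {"kty": "RSA", "kid": "../escape", "alg": "RS256", "use": "sig", "e": "AQAB", "n": _fake_modulus(32)},
]}
ROTATED_JWKS = {"keys": [
    {"kty": "RSA", "kid": "key-2022-12", "alg": "RS256", "use": "sig", "e": "AQAB", "n": _fake_modulus(33)},
]}


def run_demo() -> dict:
    """Initial sync, a no-op re-run, then a rotation that prunes the old kid."""
    dest = tempfile.mkdtemp()
    first = sync_jwks(SAMPLE_JWKS, dest)
    again = sync_jwks(SAMPLE_JWKS, dest)
    rotated = sync_jwks(ROTATED_JWKS, dest)
    return {"first": first, "again": again, "rotated": rotated,
            "files": sorted(os.listdir(os.path.join(dest, "default", "RS256")))}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run from cron against the volume mounted into the container, the idempotent no-op on an unchanged JWKS means the job can run as often as the issuer's rotation window requires without churning files. Pruning mirrors the issuer's published set: Keycloak keeps a retired key in the certs document while tokens signed with it are still valid, so deleting a kid the moment it disappears from the JWKS is the intended behaviour.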