Don't set the tokeninfo URL if you require a POST query. It's not mandatory to set
all endpoints.

Also, if you are using JWT, you can opt to do local validation instead.

Aki

> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot 
> <dovecot@dovecot.org> wrote:
> 
>  
> Hi,
> 
> I am trying to set up oauth2 authentication with dovecot 2.3.21.
> 
> The debug log of dovecot shows that it tries to do an HTTP GET request to 
> the tokeninfo URL with the token appended to the end of the URL. This 
> gives a 404 error. The OpenID Connect server I use (Keycloak) says that 
> this API endpoint conforms to 
> https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint 
> which specifies that the request has to be an HTTP POST request.
> 
> So dovecot is trying to do something (GET request) which the OIDC 
> specification does not agree with (it shall be a POST request).
> 
> Here is the dovecot debug log of it:
> ---snip---
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client[1]: 
> request [Req1: GET 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci<rest_omitted>...:
>  
> Submitted (requests left=1)
> [...]
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: 
> SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: 
> where=0x1002, ret=1: SSL negotiation finished successfully
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: 
> SSL: where=0x1001, ret=1: SSL negotiation finished successfully
> Oct 17 12:11:19 imap syslogd: last message repeated 1 times
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: 
> SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: 
> SSL: where=0x1002, ret=1: SSL negotiation finished successfully
> Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client: conn 
> <IP>:443 [1]: Got 404 response for request [Req1: GET 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci<rest_omitted>
> ---snip---
> 
> My passdb config (only showing the oauth part):
> ---snip---
> passdb {
>    driver = oauth2
>    mechanisms = oauthbearer xoauth2
>    args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
> }
> 
> passdb {
>    driver = oauth2
>    mechanisms = plain
>    args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
> }
> ---snip---
> 
> auth-oauth2.token.conf.ext:
> ---snip---
> openid_configuration_url = 
> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> tokeninfo_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> introspection_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = post
> active_attribute = active
> active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = no
> debug = yes
> username_attribute = email
> pass_attrs = pass=%{oauth2:access_token}
> ---snip---
> 
> auth-oauth2.plain.conf.ext:
> ---snip---
> openid_configuration_url = 
> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> #tokeninfo_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> introspection_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = post
> active_attribute = active
> active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = yes
> debug = yes
> username_attribute = email
> pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 
> pass=%{oauth2:access_token}
> ---snip---
> 
> On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I 
> cannot find any way to tell that the tokeninfo URL shall do a POST 
> request instead of a GET request.
> 
> I found something on Reddit about how to make it work with Keycloak, but this 
> seems to be a workaround, and not a proper fix...
> The first comment at
> https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keycloak_working_for_with/
> makes this work for me.
> 
> The working, but not really up to the OIDC spec, dovecot config is:
> 
> auth-oauth2.token.conf.ext:
> ---snip---
> openid_configuration_url = 
> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> #tokeninfo_url = 
> https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
> tokeninfo_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> introspection_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = auth
> #active_attribute = active
> #active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = no
> #debug = yes
> username_attribute = email
> pass_attrs = pass=%{oauth2:access_token}
> ---snip---
> 
> auth-oauth2.plain.conf.ext:
> ---snip---
> openid_configuration_url = 
> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> #tokeninfo_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> tokeninfo_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> introspection_url = 
> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> introspection_mode = auth
> #active_attribute = active
> #active_value = true
> client_id = myid
> client_secret = mysecret
> use_grant_password = yes
> #debug = yes
> username_attribute = email
> pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 
> pass=%{oauth2:access_token}
> ---snip---
> 
> Bye,
> Alexander.
> 
> -- 
> http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org
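Aki's second suggestion, local JWT validation, means the access token's signature and claims are checked on the Dovecot host itself, with no tokeninfo or introspection round trip to Keycloak at all, which sidesteps the GET-versus-POST question entirely. The following Python script is an added illustration of what such a validator has to do; it is not Dovecot's code and not from anyone in this thread. It pins the accepted algorithm instead of trusting the token header, verifies the signature, and checks `iss`, `aud`, `exp` and `nbf` before it accepts the `email` claim as the username (matching the thread's `username_attribute = email`). The secret, issuer URL, audience (set to the thread's `client_id`), claims and timestamps are all constructed for the example; HS256 with a shared secret is used only so the script runs with the standard library, whereas a real deployment verifies the issuer's published asymmetric keys.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed values for this example (not from the thread or from Dovecot):
# the shared HMAC secret, the issuer in the realm layout the thread uses, and
# the audience matching the thread's client_id.
SECRET = b"constructed-demo-secret-not-a-real-key"
ISSUER = "https://oauth2.domain.tld/realms/MyRealm"
AUDIENCE = "myid"
USERNAME_CLAIM = "email"          # thread config: username_attribute = email
ALLOWED_ALGS = {"HS256"}          # pinned by the validator, never taken from the header
NOW = 1_697_540_000               # constructed "current time" (Unix seconds)


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: dict, secret: bytes = SECRET, alg: str = "HS256") -> str:
    """Build a JWT as test input only; the header 'alg' is set verbatim so a
    mislabelled token can be produced to show the validator rejecting it."""
    header = json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode()
    payload = json.dumps(claims, separators=(",", ":")).encode()
    signing_input = b64url_encode(header) + "." + b64url_encode(payload)
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def validate_locally(token: str, now: Optional[int] = None, secret: bytes = SECRET) -> dict:
    """Verify signature and claims offline; return the claims or raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Reject anything outside the pinned algorithm set, including "none".
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"disallowed alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token not intended for this client")
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    if now < int(claims.get("nbf", 0)):
        raise ValueError("token not yet valid")
    if USERNAME_CLAIM not in claims:
        raise ValueError(f"username claim {USERNAME_CLAIM!r} missing")
    return claims


def verdict(token: str, now: int = NOW, secret: bytes = SECRET) -> str:
    """Return 'ok' or the rejection reason as a single string."""
    try:
        validate_locally(token, now, secret)
        return "ok"
    except ValueError as exc:
        return str(exc)


# Constructed sample token: the claims a Keycloak-style access token would carry
# for this client, with a one-hour lifetime relative to NOW.
SAMPLE_CLAIMS = {
    "iss": ISSUER, "aud": AUDIENCE, "sub": "constructed-subject-id",
    "email": "alice@domain.tld", "iat": NOW - 60, "exp": NOW + 3600,
}
SAMPLE_TOKEN = mint_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print("valid token:", verdict(SAMPLE_TOKEN))
    print("one hour too late:", verdict(SAMPLE_TOKEN, now=NOW + 7200))
    print("signed with another secret:", verdict(SAMPLE_TOKEN, secret=b"other"))
    print("header claims alg=none:", verdict(mint_token(SAMPLE_CLAIMS, alg="none")))
```

The order of the checks is deliberate: the algorithm and signature are settled before any claim is read, so an unsigned or mislabelled token never gets as far as the issuer and audience comparison. Dovecot's own local mode is configured through the oauth2 page linked in the thread and verifies the issuer's published keys rather than a shared secret; the claim checks above are the part that carries over unchanged.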