On 2023-10-24 15:14, Aki Tuomi wrote:
On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:


On 2023-10-23 08:43, Aki Tuomi wrote:
> Don't set tokeninfo url if you require POST query. It's not mandatory
> to set all endpoints.

If I comment out the tokeninfo_url (the rest the same as in the working
config below in the quote), I get the error message "oauth2 failed:
Introspection failed: No username returned" from dovecot.

> Also if you are using jwt, you can also opt to do local validation
> instead.

What should a config look like for this? From
https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm
not sure what to do.

Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the
key-dict
?

Yep. As in the example in docs.

Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the sasl auth:
---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
---snip---

In the example there is "typ":"JWT" which I don't have:
---snip---
    "keys": [
        {
            "kid": "4ED...more...vi7umzYdS4",
            "kty": "RSA",
            "alg": "RS256",
            "use": "sig",
            "n": "pj0BLB...more...Q",
            "e": "AQAB",
            "x5c": [
                "MIICoTCCA...much_more...o8M0a6VE="
            ],
            "x5t": "yeW...more...z2mnh4",
            "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
        },
---snip---

The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.

I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.

There is a second key with:
---snip---
            "alg": "RSA-OAEP",
            "use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict for this.

Bye,
Alexander.

Do I still need the openid_configuration_url and introspection_url?
client_secret can go in this case I assume.


You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as oidc discovery url.

Aki

Bye,
Alexander.

> Aki
>
>> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot
>> <dovecot@dovecot.org> wrote:
[...]
>> The working but not really up to the OIDC spec dovecot config is:
>>
>> auth-oauth2.token.conf.ext:
>> ---snip---
>> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
>> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = no
>> #debug = yes
>> username_attribute = email
>> pass_attrs = pass=%{oauth2:access_token}
>> ---snip---
>>
>> auth-oauth2.plain.conf.ext:
>> ---snip---
>> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
>> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = yes
>> #debug = yes
>> username_attribute = email
>> pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2
>> pass=%{oauth2:access_token}
>> ---snip---

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
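An added example, not from the thread or from Dovecot, showing how the key dict discussed above can be filled from the jwks_uri document: a stdlib-only Python script that writes each RSA signing key as <alg>/<kid> under a dict root, as a PEM public key built from the JWK's n and e rather than the raw x5c string. It assumes the layout Dovecot's documentation describes for local_validation_key_dict (keys looked up as <algorithm>/<key id>, stored in PEM format); the JWKS document, key ids, modulus and scratch directory are constructed, the "use":"enc" RSA-OAEP key is skipped as in the thread, and key ids that could escape the dict directory are rejected.

```python
# Added example, not from the thread or from Dovecot: JWKS signing keys -> <alg>/<kid> PEM files.
import base64, json, pathlib, tempfile

# Constructed sample JWKS shaped like the thread's: one RS256 signing key and one
# RSA-OAEP encryption key. Key ids and the tiny modulus 0xC0FFEE are made up.
SAMPLE_JWKS = json.dumps({"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": "wP_u", "e": "AQAB"},
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": "wP_u", "e": "AQAB"},
]})
RSA_JWS_ALGS = {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"}

def b64url_to_int(value: str) -> int:
    """Decode a base64url unsigned big-endian integer (JWK 'n' / 'e')."""
    return int.from_bytes(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)), "big")
def _der(tag: int, body: bytes) -> bytes:
    # Minimal DER TLV encoder: short form below 0x80, long form above.
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8 or 1, "big")
    length = lb if len(body) < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body
def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)  # INTEGER must stay positive
def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo for RSA, i.e. what a 'BEGIN PUBLIC KEY' block wraps."""
    alg_id = _der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")  # rsaEncryption, NULL
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))  # RSAPublicKey ::= SEQUENCE { n, e }
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_pub))
def to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"

def jwks_to_key_dict(jwks_json: str, root: pathlib.Path) -> list[pathlib.Path]:
    """Write each RSA signing key as <root>/<alg>/<kid>; encryption keys are skipped."""
    written = []
    for jwk in json.loads(jwks_json)["keys"]:
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig" or jwk.get("alg") not in RSA_JWS_ALGS:
            continue  # e.g. the RSA-OAEP "use":"enc" key from the thread
        kid = jwk["kid"]
        if not kid or "/" in kid or kid.startswith("."):  # kid arrives over the network
            raise ValueError(f"refusing key id {kid!r}: would escape the dict directory")
        path = root / jwk["alg"] / kid
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(to_pem(rsa_spki_der(b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"]))))
        written.append(path)
    return written

def demo() -> dict[str, str]:
    # Convert SAMPLE_JWKS in a scratch directory; return {relative path: PEM text}.
    root = pathlib.Path(tempfile.mkdtemp())
    return {p.relative_to(root).as_posix(): p.read_text() for p in jwks_to_key_dict(SAMPLE_JWKS, root)}
```

Point root at the prefix of the fs dict instead of the scratch directory to populate a real key dict, and re-run it whenever the provider rotates keys.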
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org



