I'm on 2.3.21.

Setting introspection_mode to auth causes the tokeninfo URL to have the
token in both the query string and the header.
I've tried removing the tokeninfo URL as you suggested in a previous
thread, but then authorization fails altogether for me.

This is what Dovecot sends in auth mode:

1719847604.669354 GET
/realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.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.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw
HTTP/1.1
1719847604.669354 Host: keycloak.dev1:8443
1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT
1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21
1719847604.669354 Connection: Keep-Alive
1719847604.669385 Authorization: Bearer
eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.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.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw

Thanks,
Scott

On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:

> On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:
> 
> Here goes another oauth2 question, hoping it won't be ignored
> like all the others.
> 
> I want to use get/auth on tokeninfo_url but post on introspection_url,
> but dovecot doesn't let me. It doesn't add the auth header on
> tokeninfo_url whenever introspection_mode == post.
> 
> So, if introspection_mode = post, then dovecot no longer sends the auth
> header to tokeninfo_url. Is this by design, or is it a bug?
> 
> As can be seen in src/lib-oauth2/oauth2-request.c:
> 
>         if (add_auth_bearer &&
>             http_client_request_get_origin_url(req->req)->user == NULL &&
>             set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) {
>                 http_client_request_add_header(req->req, "Authorization",
>                                                t_strdup_printf("Bearer %s",
>                                                                input->token));
>         }

Not sure what version you are looking at.
https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L304
adds the token into the payload.

tokeninfo always adds the token to the URL, not as a header. See
https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L331

Aki
_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
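As an added example (not code from this thread, from Dovecot, or from the list members), a small Python check that parses a request dump in the shape quoted above, with the timestamp prefix, the request line and the headers, and reports whether the bearer token travelled in the query string, in the Authorization header, or in both. The dump and the token value below are constructed placeholders, and the query parameter name `trash` is simply the one from the quoted request.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the shape of the dovecot-oauth2-passdb debug output
# quoted in this thread (timestamp, then request line or header lines).
# The token value is a placeholder, not a real JWT.
SAMPLE_DUMP = """1719847604.669354 GET /realms/myrealm/protocol/openid-connect/userinfo?trash=PLACEHOLDER.TOKEN.VALUE HTTP/1.1
1719847604.669354 Host: keycloak.dev1:8443
1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21
1719847604.669385 Authorization: Bearer PLACEHOLDER.TOKEN.VALUE
"""

# Leading "<seconds>.<micros> " prefix on every dumped line.
TS_PREFIX = re.compile(r"^\d+\.\d+\s+")


def parse_dump(dump):
    """Return (request_target, headers) from a timestamped request dump."""
    target, headers = None, {}
    for raw in dump.splitlines():
        line = TS_PREFIX.sub("", raw).strip()
        if not line:
            continue
        # The first line that looks like "METHOD target HTTP/x" is the request line.
        if target is None:
            parts = line.split()
            if len(parts) >= 2 and parts[0].isupper():
                target = parts[1]
                continue
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers


def token_locations(dump):
    """Report where the bearer token is carried: query string, header, or both."""
    target, headers = parse_dump(dump)
    query = {k: v[0] for k, v in parse_qs(urlsplit(target or "").query).items()}
    auth = headers.get("authorization", "")
    header_token = auth[len("Bearer "):] if auth.lower().startswith("bearer ") else None
    # The same token in a query parameter and in the header is the duplication
    # described in the thread; query-string copies are what proxies and access logs keep.
    return {
        "query_params": sorted(query),
        "header_token": header_token is not None,
        "token_in_both": header_token is not None and header_token in query.values(),
    }
```

The `token_in_both` flag is the condition worth alerting on, since a token in a query string is recorded by any intermediary that logs request URLs.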