Thank you once again for the explanation. A somewhat side question if you don't mind. It seems that Outlook intentionally doesn't want to do oauth2 for any server/service except MS365/Gmail - does this sound about right?

On Monday, 01/07/2024 at 13:14 Aki Tuomi wrote:

> It was done slightly wrong before, we made it work more standard in 2.3.21. They were sent as URL parameters before, but it was changed into basic auth instead.
>
> Aki
>
> On 01/07/2024 20:06 EEST Scott Q. via dovecot wrote:
>
> > Ok, thanks, what also works is leaving tokeninfo_url empty and entering the introspection_url with the clientid/password in the url
> >
> > aka, https://user:pass@keycloak.dev1:8443 ...
> >
> > I assume this is a bug as well, I think I saw something about it breaking from 2.3.20 to 2.3.21
> >
> > Thank you Aki!
> >
> > On Monday, 01/07/2024 at 13:00 Aki Tuomi via dovecot wrote:
> >
> > > I know this is a bit different answer but I would suggest you use introspection_mode=local and provide dovecot the validation keys.
> > >
> > > Alternatively
> > >
> > > Set tokeninfo_url empty.
> > >
> > > and
> > >
> > > introspection_mode = post
> > > introspection_url = https://keycloak.dev1:8443/realms/myrealm/protocol/openid-connect/userinfo
> > >
> > > Aki
> > >
> > > On 01/07/2024 19:49 EEST Scott Q. via dovecot wrote:
> > >
> > > > I'm on 2.3.21
> > > >
> > > > setting introspection_mode to auth causes tokeninfo url to have the token in both querystring & header.
> > > >
> > > > I've tried removing the tokeninfo url as you suggested in a previous thread but then authorization fails altogether for me.
> > > >
> > > > This is the info that dovecot sends in auth mode
> > > >
> > > > 1719847604.669354 GET /realms/myrealm/protocol/openid-connect/userinfo?trash=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw HTTP/1.1
> > > > 1719847604.669354 Host: keycloak.dev1:8443
> > > > 1719847604.669354 Date: Mon, 01 Jul 2024 15:26:44 GMT
> > > > 1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21
> > > > 1719847604.669354 Connection: Keep-Alive
> > > > 1719847604.669385 Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJOdy1zVFFFUEYzWkF4Uks3cl9Da1B2cGl3RVR1eXIyOUJfd09kY0FOX1lzIn0.eyJleHAiOjE3MTk4NDc4ODksImlhdCI6MTcxOTg0NzU4OSwianRpIjoiNzNjOWQ5ODgtYWFlZS00MTlmLWFlNTEtYjJhZTI4ZWExZTRkIiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5lbWFpbGFycmF5LmNvbTo4NDQzL3JlYWxtcy9Qb2xhcmlzTWFpbCIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI0NzdlM2UyNS04OGE2LTRkNWEtYjk5Ni1hZjk5MzhmY2Y4MDEiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJwb2xhcmlzbWFpbC1iYWNrZW5kIiwic2Vzc2lvbl9zdGF0ZSI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsiLyoiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJkZWZhdWx0LXJvbGVzLXBvbGFyaXNtYWlsIl19LCJyZXNvdXJjZV9hY2Nlc3MiOnsiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcHJvZmlsZSBlbWFpbCIsInNpZCI6ImFiOTE5NjcxLTlkOWUtNGQwMC1hMWQ4LTY0N2EwZWUzNDBmMCIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ0dHQxQGFraW5kZXYuY29tIiwiZW1haWwiOiJ0dHQxQGFraW5kZXYuY29tIn0.KOB29-ssutpdLbE8U9yTs6GDXjriW8N1FObrjKUDKRaXYQwU-wk0Oe7kaZr1pqPrCVc9uBIllKDkHVcMWFEm0S5mIiC6J9tvr_UzkrTqKPyXGliM-TU0yjjGB36YGYuBTM2vfyWy93s8qzSJ7MJlnwMrPFaoxv-wYcu_Mvi2elCnkJL_VtpWT4g_yyVbSIzAJpWko4wvz8RBFc5f0ey-M8dLM00eq5h1EuUP02NUbaYzsfLkhejfBzMALGdQAvrEbrQ53RBcuiehVYNsOZ94ge9nhMLeNmMMRNpqYiUePLMYz-lmRqdFLKcx5OlvA3VM5pLctWsoHW7Gm0awckBzdw
> > > >
> > > > Thanks,
> > > > Scott
> > > >
> > > > On Monday, 01/07/2024 at 12:38 Aki Tuomi via dovecot wrote:
> > > >
> > > > > On 01/07/2024 19:29 EEST Scott Q. via dovecot wrote:
> > > > >
> > > > > > Here goes another oauth2 question, hoping it won't be ignored like all the others.
> > > > > >
> > > > > > I want to use get/auth on tokeninfo_url but post on introspection_url but dovecot doesn't let me. It doesn't add the auth header on tokeninfo_url whenever introspection_mode == post
> > > > > >
> > > > > > so, if introspection_mode = post, then dovecot no longer sends auth header to tokeninfo_url. Is this by design, is it a bug?
> > > > > >
> > > > > > as can be seen in
> > > > > >
> > > > > > src/lib-oauth2/oauth2-request.c
> > > > > >
> > > > > >     if (add_auth_bearer &&
> > > > > >         http_client_request_get_origin_url(req->req)->user == NULL &&
> > > > > >         set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) {
> > > > > >             http_client_request_add_header(req->req, "Authorization",
> > > > > >                                            t_strdup_printf("Bearer %s", input->token));
> > > > > >     }
> > > > >
> > > > > Not sure what version you are looking at.
> > > > > https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L304 adds token into payload.
> > > > >
> > > > > tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L331
> > > > >
> > > > > Aki

_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
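Added example, not Dovecot's code and not from anyone in the thread: a small audit of what the oauth2 passdb's debug output above reveals, namely the bearer token landing in the request's query string (and so in Keycloak's access logs) as well as in the Authorization header, plus the pre-2.3.21 pattern of client credentials embedded in the configured URL. The log lines and the JWT-shaped token are constructed placeholders in the same layout as the thread's output; names like tokens_in_request and credentials_in_url are this example's own.

```python
# Added example (not Dovecot code): audit what the oauth2 passdb puts on the wire in
# introspection_mode=auth, using the thread's log layout ("<ts> <request line>", then "<ts> Header: value").
import base64, json, re
from urllib.parse import parse_qs, urlsplit
TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJleGFtcGxlIn0.cGxhY2Vob2xkZXItc2lnbmF0dXJl"  # constructed placeholder, payload {"sub":"example"}
SAMPLE_LOG = f"""\
1719847604.669354 GET /realms/myrealm/protocol/openid-connect/userinfo?trash={TOKEN} HTTP/1.1
1719847604.669354 Host: keycloak.dev1:8443
1719847604.669354 User-Agent: dovecot-oauth2-passdb/2.3.21
1719847604.669385 Authorization: Bearer {TOKEN}
"""
JWT_RE = re.compile(r"^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$")
REQ_RE = re.compile(r"^\S+ (?:GET|POST) (\S+) HTTP/1\.[01]$")
HDR_RE = re.compile(r"^\S+ ([A-Za-z-]+): (.*)$")

def tokens_in_request(log_text):
    """Return (query_tokens, header_tokens): where JWT-shaped values appear."""
    query_tokens, header_tokens = [], []
    for line in log_text.splitlines():
        m = REQ_RE.match(line)
        if m:  # request line: check every query parameter value
            for name, values in parse_qs(urlsplit(m.group(1)).query).items():
                query_tokens += [(name, v) for v in values if JWT_RE.match(v)]
            continue
        m = HDR_RE.match(line)
        if m and m.group(1).lower() == "authorization":
            scheme, _, value = m.group(2).partition(" ")
            if scheme.lower() == "bearer" and JWT_RE.match(value.strip()):
                header_tokens.append(value.strip())
    return query_tokens, header_tokens

def findings(log_text):
    """Exposure findings for one logged request, as readable strings."""
    query_tokens, header_tokens = tokens_in_request(log_text)
    out = [f"token sent as query parameter '{name}' (ends up in access logs)"
           for name, _ in query_tokens]
    if any(v in header_tokens for _, v in query_tokens):
        out.append("same token sent twice: query string and Authorization header")
    return out

def unverified_claims(token):
    """Decode the JWT payload WITHOUT verifying it: what a leaked token reveals."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def credentials_in_url(url):
    """True if a configured URL embeds client credentials (https://user:pass@host)."""
    return urlsplit(url).username is not None
```

Run against the thread's real output, unverified_claims shows the token carrying preferred_username and email, which is why a query-string copy in someone else's access log matters more than the header copy.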