> On 21/08/2024 11:53 EEST v--- via dovecot <dovecot@dovecot.org> wrote:
>
> Hello! I'm using dovecot with keycloak for oauth authentication. My config is:
>
> client_id = dovecot
> client_secret = MY_SECRET
> introspection_url = https://MY_KEYCLOAK/realms/master/protocol/openid-connect/token/introspect
> introspection_mode = post
> pass_attrs = pass=%{oauth2:access_token}
>
> Everything worked great on version 2.3.20. After upgrading to version 2.3.21.1 oauth stopped working with errors:
>
> auth: Debug: http-client: conn [::1]:443 [1]: Got 401 response for request [Req1: POST https://MY_KEYCLOAK/realms/master/protocol/openid-connect/token/introspect]: Unauthorized (took 5 ms +
> Aug 16 00:23:58 auth: Error: oauth2(MY_EMAIL,127.0.0.1,<HADwdb8f+PN/AAAB>): oauth2 failed: Introspection failed: No username returned
>
> I tried all combinations of configurations, debugging and versions of keycloak. Seems something was broken in this version of dovecot.
Hi!

Release notes say:

    oauth2: Dovecot would send client_id and client_secret as POST parameters to introspection server. These need to be optionally in Basic auth instead as required by OIDC specification.

This is a slightly obscure way to say that you need to change your introspection_url to

    introspection_url = https://client_id:client_secret@MY_KEYCLOAK/...

(see https://github.com/dovecot/core/blob/d492236fa077cba1222695ca3267afb767235672/NEWS#L8)

Aki
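To make the difference between the two wire formats concrete, here is an added example (not Dovecot's or Keycloak's code, and not part of the thread) showing the RFC 7662 introspection request both ways: once with client_id/client_secret as POST form fields, once with the userinfo part of the introspection_url turned into an HTTP Basic Authorization header. The server side is a toy introspection endpoint that, like an OIDC-conformant server, only honours Basic client authentication (RFC 6749 section 2.3.1 requires servers to support Basic; form-body credentials are optional). The client name, secret, token value and username are constructed placeholders.

```python
import base64
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode, urlparse, urlunsplit
from urllib.request import Request, urlopen

# Constructed sample data for the toy server (not real Keycloak values).
CLIENT_ID = "dovecot"
CLIENT_SECRET = "MY_SECRET"
TOKENS = {"tok-abc": {"active": True, "username": "alice@example.org", "scope": "email"}}


class IntrospectionHandler(BaseHTTPRequestHandler):
    """Toy RFC 7662 introspection endpoint: client credentials are accepted
    only via HTTP Basic; client_id/client_secret in the form body are ignored,
    which is exactly what produces a 401 for a POST-parameter client."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        auth = self.headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            self._send(401, {"error": "invalid_client"})
            return
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        if (user, pw) != (CLIENT_ID, CLIENT_SECRET):
            self._send(401, {"error": "invalid_client"})
            return
        token = form.get("token", [""])[0]
        # Unknown token -> {"active": false}, as RFC 7662 section 2.2 prescribes.
        self._send(200, TOKENS.get(token, {"active": False}))

    def _send(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), IntrospectionHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def introspect(introspection_url, token, mode):
    """Send one introspection request for `token`.

    mode="post":  client_id/client_secret as form fields (the pre-2.3.21 style).
    mode="basic": the user:password part of the URL is stripped from the
                  request line and sent as an Authorization: Basic header,
                  which is what the https://client_id:client_secret@host/...
                  form of introspection_url expresses.
    """
    u = urlparse(introspection_url)
    host = u.hostname + (f":{u.port}" if u.port else "")
    clean = urlunsplit((u.scheme, host, u.path, u.query, ""))
    fields = {"token": token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if mode == "post":
        fields.update(client_id=u.username, client_secret=u.password)
    else:
        cred = base64.b64encode(f"{u.username}:{u.password}".encode()).decode()
        headers["Authorization"] = "Basic " + cred
    req = Request(clean, data=urlencode(fields).encode(), headers=headers, method="POST")
    try:
        with urlopen(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as e:
        return e.code, json.loads(e.read())


def demo():
    """Run both client styles against the toy server; returns {mode: (status, body)}."""
    srv = start_server()
    url = (f"http://{CLIENT_ID}:{CLIENT_SECRET}@127.0.0.1:{srv.server_port}"
           "/realms/master/protocol/openid-connect/token/introspect")
    results = {mode: introspect(url, "tok-abc", mode) for mode in ("post", "basic")}
    srv.shutdown()
    return results


if __name__ == "__main__":
    for mode, (status, body) in demo().items():
        print(mode, status, body)
```

Two practical notes when moving the credentials into the URL: the userinfo part is parsed as a URL, so a secret containing characters such as `@`, `:`, `/` or `%` must be percent-encoded (RFC 3986 section 3.2.1), and because the secret now sits in a URL it is worth checking that the URL does not end up in debug logs or process listings; the Authorization header itself is protected by TLS on the way to the introspection endpoint.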