Hi,

I am trying to set up oauth2 authentication with dovecot 2.3.21.

The debug log of dovecot shows that it tries to do an HTTP GET request to the tokeninfo url with the token appended to the end of the URL. This gives a 404 error. The openidconnect server I use (keycloak) says that this API endpoint conforms to https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint, which specifies that the request has to be an HTTP POST request.

So dovecot is trying to do something (a GET request) which the OIDC specification does not agree with (it shall be a POST request).

Here is the dovecot debug log of it:
---snip---
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client[1]: request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci<rest_omitted>...: Submitted (requests left=1)
[...]
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap syslogd: last message repeated 1 times
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client: conn <IP>:443 [1]: Got 404 response for request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci<rest_omitted>
---snip---

My passdb config (only showing the oauth part):
---snip---
passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
}

passdb {
  driver = oauth2
  mechanisms = plain
  args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
}
---snip---

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
debug = yes
username_attribute = email
pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---

On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I cannot find any way to tell dovecot that the tokeninfo url shall be requested with a POST request instead of a GET request.

I found something on reddit about how to make it work with keycloak, but this seems to be a workaround, not a proper fix...
The first comment at
https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keycloak_working_for_with/
makes this work for me.

The working (but not really OIDC-spec-conformant) dovecot config is:

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
#debug = yes
username_attribute = email
pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF


_______________________________________________
dovecot mailing list -- dovecot@dovecot.org
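The endpoint mismatch described in the message above, modelled as an added example (this is neither dovecot's code nor anything the poster wrote). It builds the HTTP request dovecot's oauth2 passdb would send for `tokeninfo_url` (GET, token appended verbatim, as the debug log shows) and for each `introspection_mode` (auth/get/post, as the dovecot docs describe them), and lints a `*.conf.ext` against an OIDC discovery document so that a `tokeninfo_url` pointing at the token endpoint is caught before the 404 shows up in production. The discovery document, the hostname `oauth2.example`, and the placement of `client_id`/`client_secret` as RFC 7662 form fields in post mode are constructed assumptions, not something the page confirms about dovecot or Keycloak.

```python
# Added example, not dovecot code: model dovecot's tokeninfo/introspection
# requests and lint an oauth2 conf.ext against the OIDC discovery document.
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample of a Keycloak-style discovery document (only the fields used
# here; hostname oauth2.example is an assumption).
DISCOVERY = json.loads(json.dumps({
    "issuer": "https://oauth2.example/realms/MyRealm",
    "token_endpoint": "https://oauth2.example/realms/MyRealm/protocol/openid-connect/token",
    "introspection_endpoint": "https://oauth2.example/realms/MyRealm/protocol/openid-connect/token/introspect",
    "userinfo_endpoint": "https://oauth2.example/realms/MyRealm/protocol/openid-connect/userinfo",
}))

# Constructed configs mirroring the broken and the working one in the message.
BROKEN_CONF = """
tokeninfo_url = https://oauth2.example/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.example/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
"""
WORKING_CONF = """
#tokeninfo_url = https://oauth2.example/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.example/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.example/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
"""


def tokeninfo_request(tokeninfo_url, token):
    """tokeninfo_url per the dovecot docs: a GET with the token appended verbatim."""
    return {"method": "GET", "url": tokeninfo_url + token, "headers": {}, "body": None}


def introspection_request(url, mode, token, client_id, client_secret):
    """introspection_mode per the dovecot docs: auth = GET with Bearer header,
    get = GET with token appended, post = POST form body. Sending the client
    credentials as RFC 7662-style form fields is an assumption of this model."""
    if mode == "auth":
        return {"method": "GET", "url": url,
                "headers": {"Authorization": "Bearer " + token}, "body": None}
    if mode == "get":
        return {"method": "GET", "url": url + token, "headers": {}, "body": None}
    if mode == "post":
        body = urlencode({"token": token, "client_id": client_id, "client_secret": client_secret})
        return {"method": "POST", "url": url,
                "headers": {"Content-Type": "application/x-www-form-urlencoded"}, "body": body}
    raise ValueError("unknown introspection_mode: %r" % mode)


def parse_conf(text):
    """Parse 'key = value' lines of a dovecot oauth2 *.conf.ext; '#' lines are comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # values may themselves contain '='
        conf[key.strip()] = value.strip()
    return conf


def check_config(conf, discovery):
    """Return findings that explain the 404 from the message before it happens."""
    findings = []
    tokeninfo = conf.get("tokeninfo_url")
    if tokeninfo:
        target = urlsplit(tokeninfo)
        token_ep = urlsplit(discovery["token_endpoint"])
        if (target.netloc, target.path) == (token_ep.netloc, token_ep.path):
            findings.append("tokeninfo_url is the token endpoint: it serves POST grant requests, "
                            "and a GET with the token appended hits a path that does not exist")
        if not target.query:
            # Without a trailing '?name=' the token is glued onto the path, e.g. /token<token>.
            findings.append("tokeninfo_url has no query string, so the appended token becomes "
                            "part of the path; end the URL with '?name=' to send it as a query value")
    mode = conf.get("introspection_mode", "")
    if conf.get("introspection_url") and mode not in ("auth", "get", "post", "local"):
        findings.append("introspection_mode %r is not one of auth/get/post/local" % mode)
    return findings


if __name__ == "__main__":
    for name, text in (("broken", BROKEN_CONF), ("working", WORKING_CONF)):
        conf = parse_conf(text)
        print(name, tokeninfo_request(conf["tokeninfo_url"], "eyJ<token>")["url"])
        for finding in check_config(conf, DISCOVERY):
            print("  -", finding)
```

Running it prints the GET URL dovecot would build for each config, which makes the difference visible at a glance: the broken config yields `.../openid-connect/tokeneyJ<token>` (the path in the 404 above), the working one `.../userinfo?trash=eyJ<token>`, where the token is a query value and the userinfo path itself stays intact.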