Am 2023-10-23 08:43, schrieb Aki Tuomi:
Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
If I comment out the tokeninfo_url (the rest the same as in the qorking config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.
Also if you are using jwt, you can also opt to do local validation instead.
How should a config look like for this? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.
Would it be: - introspection_mode = local - local_validation_key_dict = ... - switching the oidc provider to jwt- downloading the cert from the oidc server and putting it into the key-dict
?Do I still need the openid_configureation_url and introspection_url? client_secret can go in this case I assume.
Bye, Alexander.
AkiOn 17/10/2023 16:03 EEST Alexander Leidinger via dovecot <dovecot@dovecot.org> wrote:
[...]
The working but not really up to the OIDC spec dovecot config is: auth-oauth2.token.conf.ext: ---snip--- openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash= introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect introspection_mode = auth #active_attribute = active #active_value = true client_id = myid client_secret = mysecret use_grant_password = no #debug = yes username_attribute = email pass_attrs = pass=%{oauth2:access_token} ---snip--- auth-oauth2.plain.conf.ext: ---snip--- openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash= introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect introspection_mode = auth #active_attribute = active #active_value = true client_id = myid client_secret = mysecret use_grant_password = yes #debug = yes username_attribute = email pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token} ---snip---
-- http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF
signature.asc
Description: OpenPGP digital signature
_______________________________________________ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org