> On 01/07/2024 19:29 EEST Scott Q. via dovecot <dovecot@dovecot.org> wrote: > > > Here goes another oauth2 question, hoping it won't be ignored > like all the others. > > I want to use get/auth on tokeninfo_url but post on introspection_url > but dovecot doesn't let me. It doesn't add the auth header on > tokeninfo_url whenever introspection_mode == post > > so, if introspection_mode = post, then dovecot no longer sends auth > header to tokeninfo_url . Is this by design, is it a bug ? > > as can be seen in > > src/lib-oauth2/oauth2-request.c > > > if (add_auth_bearer && > http_client_request_get_origin_url(req->req)->user > == NULL && > set->introspection_mode == > INTROSPECTION_MODE_GET_AUTH) { > http_client_request_add_header(req->req, > > "Authorization", > > t_strdup_printf("Bearer %s", > > input->token)); > }
Not sure what version you are looking at. https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L304 adds token into payload. tokeninfo always adds token to URL, not as header. See https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L331 Aki Aki _______________________________________________ dovecot mailing list -- dovecot@dovecot.org To unsubscribe send an email to dovecot-le...@dovecot.org