> On 01/07/2024 19:29 EEST Scott Q. via dovecot <dovecot@dovecot.org> wrote:
> 
>  
> Here goes another oauth2 question, hoping it won't be ignored
> like all the others.
> 
> I want to use get/auth on tokeninfo_url but post on introspection_url
> but dovecot doesn't let me. It doesn't add the auth header on
> tokeninfo_url whenever introspection_mode == post
> 
> So, if introspection_mode = post, then dovecot no longer sends auth
> header to tokeninfo_url. Is this by design, is it a bug?
> 
> as can be seen in
> 
> src/lib-oauth2/oauth2-request.c
> 
> 
>         if (add_auth_bearer &&
>             http_client_request_get_origin_url(req->req)->user == NULL &&
>             set->introspection_mode == INTROSPECTION_MODE_GET_AUTH) {
>                 http_client_request_add_header(req->req,
>                                                "Authorization",
>                                                t_strdup_printf("Bearer %s",
>                                                                input->token));
>         }

Not sure what version you are looking at.
https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L304
adds token into payload.

tokeninfo always adds token to URL, not as header. See
https://github.com/dovecot/core/blob/release-2.3/src/lib-oauth2/oauth2-request.c#L331

Aki