OAuth2: local validation with RFC9068 tokens

2023-03-01 Thread Tomas Habarta
Hello,

my IdP is kind of progressive and has implemented RFC 9068, so all access tokens 
now come with typ "at+JWT".
Since the setup had used local validation, I had to switch and currently use the 
introspection endpoint. I looked around in the src and there seems to be a 
relatively simple check of the token typ against the single fixed value "JWT" 
-- do you think you could consider tuning it a little so that local 
validation also works with such tokens?
I am not an expert on OAuth2, so I have no idea whether this is a valid request, 
but I think that such a token is still a JWT that merely has the structure 
required by the RFC, which should not in any way collide with a simple "JWT" typ. 
That said, I would not be surprised if that statement is not correct :)


Many thanks,
Tomas


Re: OAUTH2 local validation

2022-11-16 Thread Aki Tuomi

On 16/11/2022 17:31 EET Felix Auringer <felix.auringer@giz.berlin> wrote:

> Hello,
>
> <https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-validation>
> describes how to set up local validation for OAUTH2 with dovecot. This
> works fine as long as the keys are not rotated. In my experience, it is
> common for a client to try to validate a token with the cached key and
> update the cached keys when the local validation fails (e.g. via the
> /auth/realms//protocol/openid-connect/certs endpoint in
> Keycloak). This way, the client does not need to fetch new keys
> periodically but only when the old ones expired. If I understand it
> correctly, Dovecot reads the keys from a defined path but does not care
> how to update them. Did you have a nice way in mind how the keys should
> be refreshed when deciding not to do that in dovecot? Are you planning
> to add automatic refreshing of local validation keys to dovecot?
> I am running dovecot in Docker and one way would be a cron job on the
> host that fetches new keys and updates the files inside the container
> via docker exec. It would work but it's not really a nice solution
> because, from outside dovecot, the information whether the old keys are
> no longer valid is not available, and the whole process needs to run
> periodically (and thus far more often than actually necessary).
>
> Best regards,
> Felix Auringer

You could also mount a key volume and only update that with cron. Alternatively you need a dict protocol based solution.

---
Aki Tuomi



OAUTH2 local validation

2022-11-16 Thread Felix Auringer

Hello,

<https://doc.dovecot.org/configuration_manual/authentication/oauth2/#local-validation> 
describes how to set up local validation for OAUTH2 with dovecot. This 
works fine as long as the keys are not rotated. In my experience, it is 
common for a client to try to validate a token with the cached key and 
update the cached keys when the local validation fails (e.g. via the 
/auth/realms//protocol/openid-connect/certs endpoint in 
Keycloak). This way, the client does not need to fetch new keys 
periodically but only when the old ones expired. If I understand it 
correctly, Dovecot reads the keys from a defined path but does not care 
how to update them. Did you have a nice way in mind how the keys should 
be refreshed when deciding not to do that in dovecot? Are you planning 
to add automatic refreshing of local validation keys to dovecot?
I am running dovecot in Docker and one way would be a cron job on the 
host that fetches new keys and updates the files inside the container 
via docker exec. It would work but it's not really a nice solution 
because, from outside dovecot, the information whether the old keys are 
no longer valid is not available, and the whole process needs to run 
periodically (and thus far more often than actually necessary).


Best regards,
Felix Auringer
---
Gesellschaft für interkulturelles
Zusammenleben gGmbH (GIZ)
Felix Auringer
IT
Reformationsplatz 2
13597 Berlin

Tel: 030/513 0100 00; Fax: 030/513 0100 09 
www.giz.berlin; felix.auringer@giz.berlin


Amtsgericht Charlottenburg HRB 200872 B
Managing Director: Dr. Britta Marschke
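Added example, not Dovecot code and not from either poster: a minimal local validator in Go that shows the two points raised in this thread together. For Tomas's question, the typ header check is relaxed to accept plain "JWT" as well as the RFC 9068 values "at+JWT" and "application/at+jwt", compared case-insensitively as RFC 7519 requires, while still rejecting anything else. For Felix's question, the cached key set is keyed by kid and refreshed only when a token names a kid that is not cached, with a floor between refreshes so that attacker-chosen kids cannot be used to make the mail server hammer the IdP. Assumptions: RS256 (Keycloak's default signing algorithm), an in-memory `fetch` function standing in for the certs/JWKS endpoint, constructed keys and claims, and no claim checks (exp, iss, aud), which a real validator must add.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Sign mints an RS256 JWT with the given typ header and kid; it stands in for the IdP.
func Sign(priv *rsa.PrivateKey, kid, typ string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": typ, "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// TypAccepted allows plain "JWT" (RFC 7519) and the RFC 9068 access-token values,
// compared case-insensitively as RFC 7519 section 5.1 asks.
func TypAccepted(typ string) bool {
	switch strings.ToLower(typ) {
	case "jwt", "at+jwt", "application/at+jwt":
		return true
	}
	return false
}

// Validator caches public keys by kid. An unknown kid triggers a fetch of the key set,
// but at most once per minInterval, so attacker-chosen kids cannot hammer the IdP.
type Validator struct {
	keys        map[string]*rsa.PublicKey
	fetch       func() map[string]*rsa.PublicKey // stand-in for the JWKS/certs endpoint
	lastRefresh time.Time
	minInterval time.Duration
	Refreshes   int
}

// Validate pins the alg, checks typ, resolves the kid, then verifies the signature.
// Claim checks (exp, iss, aud) are left out here to keep the focus on the header.
func (v *Validator) Validate(token string) error {
	parts := strings.Split(token, ".")
	hb, err := enc.DecodeString(parts[0])
	var hdr struct{ Alg, Typ, Kid string }
	if len(parts) != 3 || err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "RS256" {
		return fmt.Errorf("malformed header or alg not allowed") // never honour alg=none
	}
	if !TypAccepted(hdr.Typ) {
		return fmt.Errorf("typ %q not accepted", hdr.Typ)
	}
	if _, ok := v.keys[hdr.Kid]; !ok && time.Since(v.lastRefresh) >= v.minInterval {
		v.keys, v.lastRefresh, v.Refreshes = v.fetch(), time.Now(), v.Refreshes+1
	}
	pub, ok := v.keys[hdr.Kid]
	if !ok {
		return fmt.Errorf("unknown kid %q (not published, or refresh throttled)", hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return fmt.Errorf("signature invalid")
	}
	return nil
}

// Scenario plays the rotation story and returns one outcome line per step.
func Scenario() []string {
	k1, _ := rsa.GenerateKey(rand.Reader, 2048)
	k2, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwks := map[string]*rsa.PublicKey{"k1": &k1.PublicKey} // what the IdP currently publishes
	v := &Validator{keys: map[string]*rsa.PublicKey{"k1": &k1.PublicKey},
		fetch: func() map[string]*rsa.PublicKey { return jwks }, minInterval: 5 * time.Minute}
	var out []string
	try := func(priv *rsa.PrivateKey, kid, typ string) {
		tok, _ := Sign(priv, kid, typ, map[string]any{"sub": "tomas"}) // constructed claims
		out = append(out, fmt.Sprintf("%s/%s: %v", kid, typ, v.Validate(tok)))
	}
	try(k1, "k1", "JWT")     // classic typ, key already cached
	try(k1, "k1", "at+JWT")  // RFC 9068 typ, same key: no reason to refuse it
	jwks = map[string]*rsa.PublicKey{"k2": &k2.PublicKey} // the IdP rotates its key
	try(k2, "k2", "at+JWT")  // unknown kid -> exactly one refresh -> accepted
	try(k2, "k2", "foo")     // typ is rejected before any key lookup happens
	try(k1, "zzz", "at+JWT") // bogus kid right after a refresh: throttled, no second fetch
	return append(out, fmt.Sprintf("refreshes=%d", v.Refreshes))
}

func main() { fmt.Println(strings.Join(Scenario(), "\n")) }
```

An outcome of `<nil>` means the token validated. The order of checks matters: typ and alg are rejected before any key lookup, so a token with a bad header never costs a JWKS fetch, and the refresh floor is what makes "refresh on unknown kid" safe to expose to unauthenticated IMAP clients. For Dovecot's file-based setup the equivalent of `fetch` would be whatever writes the rotated keys into the configured directory; the point of the thread is that only the validator knows when that needs to happen.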