Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
On 2023-10-25 20:54, Aki Tuomi wrote:
> Seems your issue is
>
> oauth2(email,IP,): oauth2 failed: Local validation failed: client_id not found in aud field
>
> This is a recently added thing, as oauth2 spec requires to check this. If you are using local validation, you can opt to leave client_id empty and this should go away.

Correct guess. This lets me move it a bit further. Two issues:
- local_validation_key_dict is not respected, it tries to look up "shared/..." instead of my "/path/to/keys" (configured next to introspection_mode=local as in the docs)
- when I symlink shared to my configured dict location as a quick check, it finds the file, but then complains about an unknown key format

How is the content of shared/.../alg/id supposed to look? In my case it contains "MII=".

May I suggest adding a comment to the docs about client_id and about how the content of the key file should look?

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF

___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
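The local-validation steps this thread works through (key lookup under shared/<alg>/<kid> in the key dict, signature check, the client_id-in-aud check Aki describes, expiry, username_attribute), as an added stand-alone model that is not Dovecot's code. It uses HS256 so it runs on the standard library alone; the thread's RS256/JWKS keys would need an RSA verifier, the "default" kid fallback is an assumption, and the kid "k1", secret and claims are constructed.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_decode(s: str) -> bytes:
    """JWT parts are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def key_dict_path(alg: str, kid: str) -> str:
    """Dict key looked up in local_validation_key_dict: shared/<alg>/<kid>.
    How "shared/" maps onto a file below the configured path is up to the
    dict driver (the part the thread trips over) and is not modelled here."""
    return f"shared/{alg}/{kid}"


def make_token(header: dict, payload: dict, key: bytes) -> str:
    """Constructed HS256 test token; in the thread the IdP (Keycloak) issues it."""
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_jwt(token: str, key_dict: dict, client_id: str,
                 username_attribute: str = "email", now=None):
    """Return (username, None) on success or (None, error). The error texts are
    modelled on the ones quoted in the thread, not copied from Dovecot."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None, "Local validation failed: Malformed JWT"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None, "Local validation failed: Malformed JWT"
    # Assumption: a token without kid falls back to a key named "default".
    alg, kid = header.get("alg"), header.get("kid", "default")
    if alg != "HS256":  # only HMAC is implemented in this example
        return None, f"Local validation failed: Unsupported algorithm {alg!r}"
    # 1. The key must exist under shared/<alg>/<kid> and be usable; a wrong
    #    dict path or wrong file content shows up here, as in the thread.
    path = key_dict_path(alg, kid)
    key = key_dict.get(path)
    if key is None:
        return None, f"Local validation failed: {path} not found in key dict"
    if not isinstance(key, bytes) or not key:
        return None, "Local validation failed: Unknown key format"
    # 2. Signature over "<header>.<payload>", compared in constant time.
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None, "Local validation failed: Signature verification failed"
    # 3. aud must contain client_id (aud may be a string or a list). With an
    #    empty client_id the check is skipped, which is what Aki suggests.
    if client_id:
        aud = payload.get("aud", [])
        aud = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
        if client_id not in aud:
            return None, "Local validation failed: client_id not found in aud field"
    # 4. Expiry.
    if "exp" in payload and now >= payload["exp"]:
        return None, "Local validation failed: Token has expired"
    # 5. The thread's config uses username_attribute = email.
    username = payload.get(username_attribute)
    if not username:
        return None, f"Local validation failed: No {username_attribute} claim in token"
    return username, None


if __name__ == "__main__":
    # Constructed key dict, kid "k1", secret and claims; client_id "myid" is
    # the value from the thread's config.
    secret = b"constructed-shared-secret"
    keys = {key_dict_path("HS256", "k1"): secret}
    claims = {"email": "user@example.com", "aud": ["account", "myid"], "exp": 2_000_000_000}
    tok = make_token({"alg": "HS256", "kid": "k1"}, claims, secret)
    print(validate_jwt(tok, keys, "myid", now=1_700_000_000))     # ('user@example.com', None)
    print(validate_jwt(tok, keys, "otherid", now=1_700_000_000))  # client_id not found in aud field
    print(validate_jwt(tok, keys, "", now=1_700_000_000))         # aud check skipped, succeeds
```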
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
> On 25/10/2023 16:02 EEST Alexander Leidinger via dovecot wrote:
>
> On 2023-10-25 08:03, Aki Tuomi wrote:
> > On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot wrote:
> > > On 2023-10-24 15:14, Aki Tuomi wrote:
> > > > On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
> > > > > [...]
> > > > > Would it be:
> > > > > - introspection_mode = local
> > > > > - local_validation_key_dict = ...
> > > > > - switching the oidc provider to jwt
> > > > > - downloading the cert from the oidc server and putting it into the key-dict
> > > > > ?
> > > >
> > > > Yep. As in the example in docs.
> > >
> > > Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the sasl auth:
> > > ---snip---
> > > imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
> > > ---snip---
> > >
> > > In the example there is "typ":"JWT" which I don't have:
> > > [...]
> > > The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.
> > >
> > > I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.
> > >
> > > There is a second key with:
> > > ---snip---
> > > "alg": "RSA-OAEP",
> > > "use": "enc",
> > > ---snip---
> > > As this is not listed as supported, I didn't create an entry in the dict for this.
> > >
> > > Bye,
> > > Alexander.
> > > [...]
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
On 2023-10-25 08:03, Aki Tuomi wrote:
> On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot wrote:
> > On 2023-10-24 15:14, Aki Tuomi wrote:
> > > On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
> > > > [...]
> > > > Would it be:
> > > > - introspection_mode = local
> > > > - local_validation_key_dict = ...
> > > > - switching the oidc provider to jwt
> > > > - downloading the cert from the oidc server and putting it into the key-dict
> > > > ?
> > >
> > > Yep. As in the example in docs.
> >
> > Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the sasl auth:
> > ---snip---
> > imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
> > ---snip---
> >
> > In the example there is "typ":"JWT" which I don't have:
> > [...]
> > The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.
> >
> > I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.
> >
> > There is a second key with:
> > ---snip---
> > "alg": "RSA-OAEP",
> > "use": "enc",
> > ---snip---
> > As this is not listed as supported, I didn't create an entry in the dict for this.
> >
> > Bye,
> > Alexander.
> >
> > > > Do I still need the openid_configuration_url and introspection_url? client_secret can go in this case I assume.
> > >
> > > You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as oidc discovery url.
> > >
> > > Aki
> > > [...]
>
> You sure there is nothing with auth_debug=yes? This sounds like the client did not want to even try oauth2. Did you enable XOAUTH2 and OAUTHBEARER mechanisms?

In jwt mode:
==> /var/log/debug.log <==
Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: passwd-file(email,IP,): Finished passdb lookup
Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,): Performing passdb lookup
Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,): cache miss
Oct 25 14:07:53 imap dovecot[79798]: auth: Debug: oauth2(email,IP,):
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
> On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot wrote:
>
> On 2023-10-24 15:14, Aki Tuomi wrote:
> > On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
> > > On 2023-10-23 08:43, Aki Tuomi wrote:
> > > > Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
> > >
> > > If I comment out the tokeninfo_url (the rest the same as in the working config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.
> > >
> > > > Also if you are using jwt, you can also opt to do local validation instead.
> > >
> > > What should a config for this look like? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.
> > >
> > > Would it be:
> > > - introspection_mode = local
> > > - local_validation_key_dict = ...
> > > - switching the oidc provider to jwt
> > > - downloading the cert from the oidc server and putting it into the key-dict
> > > ?
> >
> > Yep. As in the example in docs.
>
> Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the sasl auth:
> ---snip---
> imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
> ---snip---
>
> In the example there is "typ":"JWT" which I don't have:
> ---snip---
> "keys": [
>   {
>     "kid": "4ED...more...vi7umzYdS4",
>     "kty": "RSA",
>     "alg": "RS256",
>     "use": "sig",
>     "n": "pj0BLB...more...Q",
>     "e": "AQAB",
>     "x5c": [
>       "MIICoTCCA...much_more...o8M0a6VE="
>     ],
>     "x5t": "yeW...more...z2mnh4",
>     "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
>   },
> ---snip---
>
> The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.
>
> I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.
>
> There is a second key with:
> ---snip---
> "alg": "RSA-OAEP",
> "use": "enc",
> ---snip---
> As this is not listed as supported, I didn't create an entry in the dict for this.
>
> Bye,
> Alexander.
>
> > > Do I still need the openid_configuration_url and introspection_url? client_secret can go in this case I assume.
> >
> > You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as oidc discovery url.
> >
> > Aki
> >
> > > Bye,
> > > Alexander.
> > >
> > > > Aki
> > > >
> > > > > On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> > > [...]
> > > > > The working but not really up to the OIDC spec dovecot config is:
> > > > > [...]

You sure there is nothing with auth_debug=yes? This sounds like the client did not want to even try oauth2. Did you enable XOAUTH2 and OAUTHBEARER mechanisms?

Aki
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
On 2023-10-24 15:14, Aki Tuomi wrote:
> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
> > On 2023-10-23 08:43, Aki Tuomi wrote:
> > > Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
> >
> > If I comment out the tokeninfo_url (the rest the same as in the working config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.
> >
> > > Also if you are using jwt, you can also opt to do local validation instead.
> >
> > What should a config for this look like? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.
> >
> > Would it be:
> > - introspection_mode = local
> > - local_validation_key_dict = ...
> > - switching the oidc provider to jwt
> > - downloading the cert from the oidc server and putting it into the key-dict
> > ?
>
> Yep. As in the example in docs.

Doesn't work. Not even a trace in the debug log. The webmail package (roundcube) didn't finish the sasl auth:
---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
---snip---

In the example there is "typ":"JWT" which I don't have:
---snip---
"keys": [
  {
    "kid": "4ED...more...vi7umzYdS4",
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "n": "pj0BLB...more...Q",
    "e": "AQAB",
    "x5c": [
      "MIICoTCCA...much_more...o8M0a6VE="
    ],
    "x5t": "yeW...more...z2mnh4",
    "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
  },
---snip---

The above is from the "jwks_uri" endpoint as per the .well-known/openid-configuration. There is no other URL which lists "kid"s.

I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the dovecot user.

There is a second key with:
---snip---
"alg": "RSA-OAEP",
"use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict for this.

Bye,
Alexander.

> > Do I still need the openid_configuration_url and introspection_url? client_secret can go in this case I assume.
>
> You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as oidc discovery url.
>
> Aki
>
> > Bye,
> > Alexander.
> >
> > > Aki
> > >
> > > > On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> > [...]
> > > > The working but not really up to the OIDC spec dovecot config is:
> > > > [...]
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
>
> On 2023-10-23 08:43, Aki Tuomi wrote:
> > Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.
>
> If I comment out the tokeninfo_url (the rest the same as in the working config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.
>
> > Also if you are using jwt, you can also opt to do local validation instead.
>
> What should a config for this look like? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.
>
> Would it be:
> - introspection_mode = local
> - local_validation_key_dict = ...
> - switching the oidc provider to jwt
> - downloading the cert from the oidc server and putting it into the key-dict
> ?

Yep. As in the example in docs.

> Do I still need the openid_configuration_url and introspection_url? client_secret can go in this case I assume.

You should probably leave client_id there. But you do not need the rest. openid_configuration_url is presented to clients as oidc discovery url.

Aki

> Bye,
> Alexander.
>
> > Aki
> >
> > > On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> [...]
> > > The working but not really up to the OIDC spec dovecot config is:
> > > [...]
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
On 2023-10-23 08:43, Aki Tuomi wrote:
> Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.

If I comment out the tokeninfo_url (the rest the same as in the working config below in the quote), I get the error message "oauth2 failed: Introspection failed: No username returned" from dovecot.

> Also if you are using jwt, you can also opt to do local validation instead.

What should a config for this look like? From https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm not sure what to do.

Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the key-dict
?

Do I still need the openid_configuration_url and introspection_url? client_secret can go in this case I assume.

Bye,
Alexander.

> Aki
>
> > On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
> [...]
> > The working but not really up to the OIDC spec dovecot config is:
> >
> > auth-oauth2.token.conf.ext:
> > ---snip---
> > openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> > #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
> > tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> > introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> > introspection_mode = auth
> > #active_attribute = active
> > #active_value = true
> > client_id = myid
> > client_secret = mysecret
> > use_grant_password = no
> > #debug = yes
> > username_attribute = email
> > pass_attrs = pass=%{oauth2:access_token}
> > ---snip---
> >
> > auth-oauth2.plain.conf.ext:
> > ---snip---
> > openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> > #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> > tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> > introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> > introspection_mode = auth
> > #active_attribute = active
> > #active_value = true
> > client_id = myid
> > client_secret = mysecret
> > use_grant_password = yes
> > #debug = yes
> > username_attribute = email
> > pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
> > ---snip---
Re: OAUTH2 tokeninfo is doing a GET instead of a POST request
Don't set tokeninfo url if you require POST query. It's not mandatory to set all endpoints.

Also if you are using jwt, you can also opt to do local validation instead.

Aki

> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
>
> Hi,
>
> I try to setup oauth2 authentication with dovecot 2.3.21.
>
> The debug log of dovecot shows that it tries to do a HTTP GET request to the tokeninfo url with the token appended to the end of the URL. This gives a 404 error. The openidconnect server I use (keycloak) tells that this API endpoint conforms to https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint which specifies that the request has to be a HTTP POST request.
>
> So dovecot is trying to do something (GET request) which the OIDC specification does not agree with (shall be POST request).
>
> Here is the dovecot debug log of it:
> [...]
>
> My passdb config (only showing the oauth part):
> [...]
>
> On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I can not find any way to tell that the tokeninfo url shall do a POST request instead of a GET request.
>
> I found something on reddit how to make it work with keycloak, but this seems to be a workaround, and not a proper fix... The first comment at https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keycloak_working_for_with/ makes this work for me.
>
> The working but not really up to the OIDC spec dovecot config is:
> [...]
OAUTH2 tokeninfo is doing a GET instead of a POST request
Hi,

I try to setup oauth2 authentication with dovecot 2.3.21.

The debug log of dovecot shows that it tries to do a HTTP GET request to the tokeninfo url with the token appended to the end of the URL. This gives a 404 error. The openidconnect server I use (keycloak) tells that this API endpoint conforms to https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint which specifies that the request has to be a HTTP POST request.

So dovecot is trying to do something (GET request) which the OIDC specification does not agree with (shall be POST request).

Here is the dovecot debug log of it:
---snip---
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client[1]: request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci...: Submitted (requests left=1)
[...]
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap syslogd: last message repeated 1 times
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client: conn :443 [1]: Got 404 response for request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci
---snip---

My passdb config (only showing the oauth part):
---snip---
passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
}

passdb {
  driver = oauth2
  mechanisms = plain
  args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
}
---snip---

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
debug = yes
username_attribute = email
pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---

On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I can not find any way to tell that the tokeninfo url shall do a POST request instead of a GET request.

I found something on reddit how to make it work with keycloak, but this seems to be a workaround, and not a proper fix... The first comment at https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keycloak_working_for_with/ makes this work for me.

The working but not really up to the OIDC spec dovecot config is:

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password =
