Yep, that was the point, RFC states typ header as optional so I was looking for some workaround as the implementation did not put it in the tokens. Fortunately, I had great luck as developers were so kind and added it with the next minor release -- so this is sorted and local validation works great.
Next question is related to the key management -- as the key used for validation is publicly available at the JWK endpoint, is there any plan to enhance dovecot's functionality so that keys can be retrieved from such a well-known endpoint? For the meantime, it is a relatively easy task to be scripted, but I don't want to spend much time reinventing the wheel since I have no other mechanism to prevent outage in case of planned/unplanned/emergency signing key change...

Thanks!
Tomas

On Mon, Jun 28, 2021 at 08:43:09AM +0300, Aki Tuomi wrote:
>
> > On 24/06/2021 09:19 Tomas Habarta <[email protected]> wrote:
> >
> >
> > Hello,
> >
> > I have a working setup with Roundcube using OAuth2 -- introspection works
> > without any problem, unfortunately local validation does not as tokens are
> > missing "typ" header (seems that one is indeed optional per RFC7519 and
> > therefore not present in the implementation in place).
> > Is there any parameter to assert the token type or any other workaround to
> > make local validation work as it currently fails with: oauth2 failed: Local
> > validation failed: Cannot find 'typ' field.
> >
> > dovecot v2.3.15
> > Roundcube 1.5beta
> > CentOS 8
> >
> >
> > Thanks, regards
> > Tomas
>
> Hi!
>
> The current dovecot oauth2 code requires that your tokens come with typ:jwt
> header. See https://datatracker.ietf.org/doc/html/rfc7519#section-5.1
>
> Aki
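Added example, not code from the thread or from dovecot: a small pre-check that inspects a token's JOSE header the way the failing local validation does (reporting the same "Cannot find 'typ' field" condition, with typ compared case-insensitively per RFC 7519 section 5.1) and then confirms the token's kid/alg is actually published in the provider's JWKS, which is the check that would catch a signing-key rotation before users see an outage. It assumes a constructed JWKS document and builds tokens with a placeholder signature; it does not verify signatures.

```python
import base64
import json


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as used by JWS compact serialization."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(part: str) -> bytes:
    """Base64url decode, restoring the padding that JWS strips."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def make_token(header: dict, payload: dict) -> str:
    """Build a compact JWS with a placeholder signature. Constructed test
    input only: nothing is signed here."""
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in (header, payload)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])


def jwt_header(token: str) -> dict:
    """Parse the JOSE header (first segment) of a compact JWS."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(b64url_decode(parts[0]))


def precheck(token: str, jwks: dict):
    """Return (ok, reason). Checks the header has typ=JWT (case-insensitive)
    and a kid/alg that the JWKS publishes. Does NOT verify the signature."""
    hdr = jwt_header(token)
    if "typ" not in hdr:
        return False, "Cannot find 'typ' field"
    if str(hdr["typ"]).lower() != "jwt":
        return False, f"unexpected typ {hdr['typ']!r}"
    kid, alg = hdr.get("kid"), hdr.get("alg")
    if kid is None or alg is None:
        return False, "header lacks 'kid' or 'alg'; cannot select a JWKS key"
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("alg", alg) == alg:
            return True, f"kid {kid!r} ({alg}) is published in the JWKS"
    return False, f"kid {kid!r} not in JWKS: key rotated or JWKS cache stale"


# Constructed sample JWKS standing in for the provider's published document.
# The modulus is a placeholder, not a real key; only kid/alg matter here.
SAMPLE_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "alg": "RS256",
                         "kid": "k2021-06", "n": "placeholder", "e": "AQAB"}]}
```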
