> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot 
> <dovecot@dovecot.org> wrote:
> 
>  
> On 2023-10-23 08:43, Aki Tuomi wrote:
> > Don't set tokeninfo url if you require POST query. It's not mandatory 
> > to set all endpoints.
> 
> If I comment out the tokeninfo_url (the rest the same as in the working 
> config below in the quote), I get the error message "oauth2 failed: 
> Introspection failed: No username returned" from dovecot.
> 
> > Also if you are using jwt, you can also opt to do local validation 
> > instead.
> 
> What should a config look like for this? From 
> https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm 
> not sure what to do.
> 
> Would it be:
> - introspection_mode = local
> - local_validation_key_dict = ...
> - switching the oidc provider to jwt
> - downloading the cert from the oidc server and putting it into the 
> key-dict
> ?

Yep. As in the example in docs.

> 
> Do I still need the openid_configuration_url and introspection_url? 
> client_secret can go in this case I assume.
> 

You should probably leave client_id there. But you do not need the rest. 
openid_configuration_url is presented to clients as oidc discovery url.

Aki

> Bye,
> Alexander.
> 
> > Aki
> > 
> >> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot 
> >> <dovecot@dovecot.org> wrote:
> [...]
> >> The working but not really up to the OIDC spec dovecot config is:
> >> 
> >> auth-oauth2.token.conf.ext:
> >> ---snip---
> >> openid_configuration_url =
> >> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> >> #tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
> >> tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> >> introspection_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> >> introspection_mode = auth
> >> #active_attribute = active
> >> #active_value = true
> >> client_id = myid
> >> client_secret = mysecret
> >> use_grant_password = no
> >> #debug = yes
> >> username_attribute = email
> >> pass_attrs = pass=%{oauth2:access_token}
> >> ---snip---
> >> 
> >> auth-oauth2.plain.conf.ext:
> >> ---snip---
> >> openid_configuration_url =
> >> https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
> >> #tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
> >> tokeninfo_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
> >> introspection_url =
> >> https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
> >> introspection_mode = auth
> >> #active_attribute = active
> >> #active_value = true
> >> client_id = myid
> >> client_secret = mysecret
> >> use_grant_password = yes
> >> #debug = yes
> >> username_attribute = email
> >> pass_attrs = host=<IP of webmail> proxy=y proxy_mech=xoauth2
> >> pass=%{oauth2:access_token}
> >> ---snip---
> 
> -- 
> http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org    netch...@freebsd.org  : PGP 0x8F31830F9F2772BF
> _______________________________________________
> dovecot mailing list -- dovecot@dovecot.org
> To unsubscribe send an email to dovecot-le...@dovecot.org