Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-26 Thread Alexander Leidinger via dovecot

On 2023-10-25 20:54, Aki Tuomi wrote:


Seems your issue is

oauth2(email,IP,): oauth2 failed: Local validation failed:
client_id not found in aud field

This is a recently added thing, as the oauth2 spec requires checking this.
If you are using local validation, you can opt to leave client_id empty
and this should go away.


Correct guess. This lets me move it a bit further. Two issues:
 - local_validation_key_dict is not respected, it tries to look up "shared/..." instead of my "/path/to/keys" (configured next to introspection_mode=local as in the docs)
 - when I symlink shared to my configured dict location as a quick check, it finds a file, but then complains about an unknown key format


What is the content of shared/.../alg/id supposed to look like? In my
case it contains "MII=".


May I suggest adding a note to the docs about client_id and what the
content of the key file should look like?


Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF


___
dovecot mailing list -- dovecot@dovecot.org
To unsubscribe send an email to dovecot-le...@dovecot.org
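Aki's point above, that local validation now requires client_id to appear in the token's aud claim and that an empty client_id makes the check go away, as an added example that is not Dovecot's code: a stand-alone validator that looks the key up under <alg>/<kid>, verifies the signature, and only then checks aud in both its string and array forms. The HS256 choice, the in-memory key dict, the error strings and the constructed tokens are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import json
import time

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

# Constructed in-memory key dict standing in for the fs dict; lookup key is "<alg>/<kid>".
KEY_DICT = {"HS256/test-kid": b"constructed-shared-secret"}
ALLOWED_ALGS = {"HS256"}  # this example only implements the HMAC family

def make_token(claims, kid="test-kid", key=KEY_DICT["HS256/test-kid"]):
    """Constructed issuer side: mint an HS256 token so the validator has input to work on."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def validate(token, client_id, now=None):
    """Return (ok, reason, claims); the aud failure reuses the wording from the thread's log."""
    try:
        h, b, s = token.split(".")
        header, claims = json.loads(b64url_decode(h)), json.loads(b64url_decode(b))
        sig = b64url_decode(s)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return False, "malformed token", None
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        return False, f"unsupported alg {alg!r}", None  # never accept 'none' or an unknown alg
    key = KEY_DICT.get(f"{alg}/{header.get('kid')}")
    if key is None:
        return False, "key not found", None
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "signature mismatch", None
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        return False, "token expired", None
    if client_id:  # Aki's note: leaving client_id empty makes the audience check go away
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # RFC 7519: aud is a string or an array
        if client_id not in aud:
            return False, "client_id not found in aud field", None
    return True, "ok", claims
```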


Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-25 Thread Alexander Leidinger via dovecot

On 2023-10-25 08:03, Aki Tuomi wrote:
On 24/10/2023 17:25 EEST Alexander Leidinger via dovecot wrote:



On 2023-10-24 15:14, Aki Tuomi wrote:
>> On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:
>>
>>
>> On 2023-10-23 08:43, Aki Tuomi wrote:
>> > Don't set tokeninfo url if you require POST query. It's not mandatory
>> > to set all endpoints.
>>
>> If I comment out the tokeninfo_url (the rest the same as in the working
>> config below in the quote), I get the error message "oauth2 failed:
>> Introspection failed: No username returned" from dovecot.
>>
>> > Also if you are using jwt, you can also opt to do local validation
>> > instead.
>>
>> What should a config look like for this? From
>> https://doc.dovecot.org/configuration_manual/authentication/oauth2/
>> I'm not sure what to do.
>>
>> Would it be:
>> - introspection_mode = local
>> - local_validation_key_dict = ...
>> - switching the oidc provider to jwt
>> - downloading the cert from the oidc server and putting it into the
>> key-dict
>> ?
>
> Yep. As in the example in docs.

Doesn't work. Not even a trace in the debug log. The webmail package
(roundcube) didn't finish the sasl auth:
---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
---snip---

In the example there is "typ":"JWT" which I don't have:
---snip---
 "keys": [
 {
 "kid": "4ED...more...vi7umzYdS4",
 "kty": "RSA",
 "alg": "RS256",
 "use": "sig",
 "n": "pj0BLB...more...Q",
 "e": "AQAB",
 "x5c": [
 "MIICoTCCA...much_more...o8M0a6VE="
 ],
 "x5t": "yeW...more...z2mnh4",
 "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
 },
---snip---

The above is from the "jwks_uri" endpoint as per the
.well-known/openid-configuration. There is no other URL which lists
"kid"s.

I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the
content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the
dovecot user.

There is a second key with:
---snip---
 "alg": "RSA-OAEP",
 "use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict
for this.

Bye,
Alexander.

>> Do I still need the openid_configuration_url and introspection_url?
>> client_secret can go in this case I assume.
>>
>
> You should probably leave client_id there. But you do not need the
> rest. openid_configuration_url is presented to clients as oidc
> discovery url.
>
> Aki
>
>> Bye,
>> Alexander.
>>
>> > Aki
>> >
>> >> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
>> [...]
>> >> The working but not really up to the OIDC spec dovecot config is:
>> >>
>> >> auth-oauth2.token.conf.ext:
>> >> ---snip---
>> >> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> >> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
>> >> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> >> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> >> introspection_mode = auth
>> >> #active_attribute = active
>> >> #active_value = true
>> >> client_id = myid
>> >> client_secret = mysecret
>> >> use_grant_password = no
>> >> #debug = yes
>> >> username_attribute = email
>> >> pass_attrs = pass=%{oauth2:access_token}
>> >> ---snip---
>> >>
>> >> auth-oauth2.plain.conf.ext:
>> >> ---snip---
>> >> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> >> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
>> >> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> >> introspection_url =
>> 

Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-24 Thread Alexander Leidinger via dovecot

On 2023-10-24 15:14, Aki Tuomi wrote:
On 24/10/2023 15:49 EEST Alexander Leidinger via dovecot wrote:



On 2023-10-23 08:43, Aki Tuomi wrote:
> Don't set tokeninfo url if you require POST query. It's not mandatory
> to set all endpoints.

If I comment out the tokeninfo_url (the rest the same as in the working
config below in the quote), I get the error message "oauth2 failed:
Introspection failed: No username returned" from dovecot.

> Also if you are using jwt, you can also opt to do local validation
> instead.

What should a config look like for this? From
https://doc.dovecot.org/configuration_manual/authentication/oauth2/
I'm not sure what to do.

Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the
key-dict
?


Yep. As in the example in docs.


Doesn't work. Not even a trace in the debug log. The webmail package 
(roundcube) didn't finish the sasl auth:

---snip---
imap-login: Disconnected: Connection closed (client didn't finish SASL auth, waited 6 secs): user=<...@...>, method=XOAUTH2,...
---snip---

In the example there is "typ":"JWT" which I don't have:
---snip---
"keys": [
  {
    "kid": "4ED...more...vi7umzYdS4",
    "kty": "RSA",
    "alg": "RS256",
    "use": "sig",
    "n": "pj0BLB...more...Q",
    "e": "AQAB",
    "x5c": [
      "MIICoTCCA...much_more...o8M0a6VE="
    ],
    "x5t": "yeW...more...z2mnh4",
    "x5t#S256": "f37pijf...more...VIF5FHMlYHbBn0"
  },
---snip---

The above is from the "jwks_uri" endpoint as per the 
.well-known/openid-configuration. There is no other URL which lists 
"kid"s.


I created the /path/to/keys/RS256/4ED...more...vi7umzYdS4 with the 
content MIICoTCCA...much_more...o8M0a6VE= owned and accessible by the 
dovecot user.


There is a second key with:
---snip---
"alg": "RSA-OAEP",
"use": "enc",
---snip---
As this is not listed as supported, I didn't create an entry in the dict 
for this.


Bye,
Alexander.


Do I still need the openid_configuration_url and introspection_url?
client_secret can go in this case I assume.



You should probably leave client_id there. But you do not need the 
rest. openid_configuration_url is presented to clients as oidc 
discovery url.


Aki


Bye,
Alexander.

> Aki
>
>> On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:
[...]
>> The working but not really up to the OIDC spec dovecot config is:
>>
>> auth-oauth2.token.conf.ext:
>> ---snip---
>> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
>> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = no
>> #debug = yes
>> username_attribute = email
>> pass_attrs = pass=%{oauth2:access_token}
>> ---snip---
>>
>> auth-oauth2.plain.conf.ext:
>> ---snip---
>> openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
>> #tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
>> tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
>> introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
>> introspection_mode = auth
>> #active_attribute = active
>> #active_value = true
>> client_id = myid
>> client_secret = mysecret
>> use_grant_password = yes
>> #debug = yes
>> username_attribute = email
>> pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
>> ---snip---



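The key-file question in this thread (what goes into the dict under <alg>/<kid>) as an added example; this is not code from the thread or from Dovecot. It takes a JWKS document shaped like the one quoted above and writes each RSA signing key as a PEM-encoded SubjectPublicKeyInfo at <prefix>/<alg>/<kid>, skipping the RSA-OAEP "enc" key just as the poster did. It assumes that Dovecot's local validation reads PEM public keys rather than the raw base64 DER certificate from x5c, and that the dict prefix is the /path/to/keys directory from the thread; the JWKS values are constructed.

```python
import base64
import os
import tempfile

def b64url_to_int(s):  # JWK 'n' and 'e': unsigned big-endian integers, unpadded base64url
    return int.from_bytes(base64.urlsafe_b64decode(s + "=" * (-len(s) % 4)), "big")
def int_to_b64url(i):  # only used to build the constructed JWKS below
    return base64.urlsafe_b64encode(i.to_bytes((i.bit_length() + 7) // 8, "big")).rstrip(b"=").decode()

def der_len(n):  # DER length octets: short form below 128, else 0x80|count then the count bytes
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body
def der_int(i):
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b  # leading zero keeps the INTEGER positive
    return der_tlv(0x02, b)

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption
def rsa_spki_pem(n, e):
    """SubjectPublicKeyInfo (RFC 5280) wrapping RSAPublicKey (RFC 8017), PEM-armoured."""
    rsa_key = der_tlv(0x30, der_int(n) + der_int(e))
    alg_id = der_tlv(0x30, RSA_OID + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    spki = der_tlv(0x30, alg_id + der_tlv(0x03, b"\x00" + rsa_key))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"
def pem_to_der(pem):
    return base64.b64decode("".join(pem.strip().splitlines()[1:-1]))

def export_jwks(jwks, prefix=None):
    """Write one PEM per RSA signing key to <prefix>/<alg>/<kid>; return {path: pem}."""
    prefix = prefix or tempfile.mkdtemp()  # temp dir stands in for prefix=/path/to/keys/
    written = {}
    for jwk in jwks["keys"]:
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue  # e.g. the thread's RSA-OAEP "enc" key: not a signing key, no file
        pem = rsa_spki_pem(b64url_to_int(jwk["n"]), b64url_to_int(jwk["e"]))
        os.makedirs(os.path.join(prefix, jwk["alg"]), exist_ok=True)
        path = os.path.join(prefix, jwk["alg"], jwk["kid"])
        with open(path, "w") as fh:
            fh.write(pem)
        written[path] = pem
    return written

# Constructed JWKS in the shape quoted in the thread; the modulus is a made-up 2048-bit number.
_N = (1 << 2047) | int.from_bytes(b"not a real modulus, constructed" * 8, "big") | 1
JWKS = {"keys": [
    {"kid": "sig-key-1", "kty": "RSA", "alg": "RS256", "use": "sig", "n": int_to_b64url(_N), "e": "AQAB"},
    {"kid": "enc-key-1", "kty": "RSA", "alg": "RSA-OAEP", "use": "enc", "n": int_to_b64url(_N), "e": "AQAB"},
]}
```

With a real provider, the JSON comes from the jwks_uri listed in .well-known/openid-configuration, and the prefix is the directory given to local_validation_key_dict.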


Re: OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-24 Thread Alexander Leidinger via dovecot

On 2023-10-23 08:43, Aki Tuomi wrote:
Don't set tokeninfo url if you require POST query. It's not mandatory 
to set all endpoints.


If I comment out the tokeninfo_url (the rest the same as in the working
config below in the quote), I get the error message "oauth2 failed:
Introspection failed: No username returned" from dovecot.


Also if you are using jwt, you can also opt to do local validation 
instead.


What should a config look like for this? From
https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I'm
not sure what to do.


Would it be:
- introspection_mode = local
- local_validation_key_dict = ...
- switching the oidc provider to jwt
- downloading the cert from the oidc server and putting it into the 
key-dict

?

Do I still need the openid_configuration_url and introspection_url?
client_secret can go in this case I assume.


Bye,
Alexander.


Aki

On 17/10/2023 16:03 EEST Alexander Leidinger via dovecot wrote:

[...]

The working but not really up to the OIDC spec dovecot config is:

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
#debug = yes
username_attribute = email
pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---




OAUTH2 tokeninfo is doing a GET instead of a POST request

2023-10-19 Thread Alexander Leidinger via dovecot

Hi,

I am trying to set up oauth2 authentication with dovecot 2.3.21.

The debug log of dovecot shows that it tries to do an HTTP GET request to
the tokeninfo URL with the token appended to the end of the URL. This
gives a 404 error. The OpenID Connect server I use (Keycloak) states that
this API endpoint conforms to
https://openid.net/specs/openid-connect-core-1_0.html#TokenEndpoint,
which specifies that the request has to be an HTTP POST request.


So dovecot is trying to do something (a GET request) that the OIDC
specification does not allow (it shall be a POST request).


Here is the dovecot debug log of it:
---snip---
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client[1]: request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci...: Submitted (requests left=1)
[...]
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap syslogd: last message repeated 1 times
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1001, ret=1: SSLv3/TLS read server session ticket
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: oauth2.domain.tld: SSL: where=0x1002, ret=1: SSL negotiation finished successfully
Oct 17 12:11:19 imap dovecot[81589]: auth: Debug: http-client: conn :443 [1]: Got 404 response for request [Req1: GET https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/tokeneyJhbGci
---snip---

My passdb config (only showing the oauth part):
---snip---
passdb {
  driver = oauth2
  mechanisms = oauthbearer xoauth2
  args = /usr/local/etc/dovecot/auth-oauth2.token.conf.ext
}

passdb {
  driver = oauth2
  mechanisms = plain
  args = /usr/local/etc/dovecot/auth-oauth2.plain.conf.ext
}
---snip---

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = post
active_attribute = active
active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = yes
debug = yes
username_attribute = email
pass_attrs = host= proxy=y proxy_mech=xoauth2 pass=%{oauth2:access_token}
---snip---

On https://doc.dovecot.org/configuration_manual/authentication/oauth2/ I
cannot find any way to specify that the tokeninfo URL should use a POST
request instead of a GET request.


I found something on reddit about how to make it work with keycloak, but
this seems to be a workaround, and not a proper fix...

The first comment at
https://www.reddit.com/r/selfhosted/comments/omwb2j/any_one_get_dovecot_keycloak_working_for_with/
makes this work for me.

The working but not really up to the OIDC spec dovecot config is:

auth-oauth2.token.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/Leidinger/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password = no
#debug = yes
username_attribute = email
pass_attrs = pass=%{oauth2:access_token}
---snip---

auth-oauth2.plain.conf.ext:
---snip---
openid_configuration_url = https://oauth2.domain.tld/realms/MyRealm/.well-known/openid-configuration
#tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token
tokeninfo_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/userinfo?trash=
introspection_url = https://oauth2.domain.tld/realms/MyRealm/protocol/openid-connect/token/introspect
introspection_mode = auth
#active_attribute = active
#active_value = true
client_id = myid
client_secret = mysecret
use_grant_password =