Yep, that was the point, RFC states typ header as optional so I was looking for
some workaround as the implementation did not put it in the tokens. Fortunately,
I had great luck as developers were so kind and added it with next minor
release -- so this is sorted and local validation works great.
Next question is related to the key management -- as the key used for validation
is publicly available at JWK endpoint, is there any plan to enhance
dovecot's functionality so that keys can be retrieved from such well-known
endpoint? For the meantime, it is a relatively easy task to be scripted, but
don't want to spend much time reinventing the wheel since I have no other
mechanism to prevent outage in case of planned/unplanned/emergency signing key
change...
Thanks!
Tomas
On Mon, Jun 28, 2021 at 08:43:09AM +0300, Aki Tuomi wrote:
>
> > On 24/06/2021 09:19 Tomas Habarta <lists+dovecot at tocc.cz>
> > wrote:
> >
> >
> > Hello,
> >
> > I have a working setup with Roundcube using OAuth2 -- introspection
> > works without any problem, unfortunately local validation does not as tokens are
> > missing "typ" header (seems that one is indeed optional per RFC7519
> > and therefore not present in the implementation in place).
> > Is there any parameter to assert the token type or any other
> > workaround to make local validation work as it currently fails with: oauth2
> > failed: Local validation failed: Cannot find 'typ' field.
> >
> > dovecot v2.3.15
> > Roundcube 1.5beta
> > CentOS 8
> >
> >
> > Thanks, regards
> > Tomas
>
> Hi!
>
> The current dovecot oauth2 code requires that your tokens come with typ:jwt
header. See https://datatracker.ietf.org/doc/html/rfc7519#section-5.1
>
> Aki
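The two practical points in this thread, checking that a token carries the `typ` header dovecot's local validation requires and turning a provider's JWK set into key files dovecot can read, can be scripted with the standard library alone. The following is an added example, not code from the thread or from the dovecot project. It assumes a JWKS document fetched from the provider's well-known endpoint (here a constructed document with a tiny, non-real modulus so it runs offline) and assumes, from memory of the dovecot `local_validation_key_dict` documentation, that keys are looked up as `<azp>/<alg>/<kid>` under the dict prefix with `azp` defaulting to `default`; verify that layout against the docs for your version before relying on it.

```python
import base64
import json

# Constructed JWKS document (the modulus is a tiny 64-bit value, not a real
# key, chosen so the example runs offline). A real sync job would fetch this
# from the provider's JWKS URL (e.g. with urllib.request) on a schedule so
# that a rotated signing key is present before tokens signed with it arrive.
SAMPLE_JWKS = {
    "keys": [
        {"kty": "RSA", "kid": "2021-06", "alg": "RS256", "use": "sig",
         "n": "gAAAAAAAAAE", "e": "AQAB"}
    ]
}


def _b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used in JWK parameters and JWT segments."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(body)) + body


def _der_integer(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return _der(0x02, body)


def rsa_jwk_to_der(jwk: dict) -> bytes:
    """Build a SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey from an RSA JWK."""
    n = int.from_bytes(_b64url_decode(jwk["n"]), "big")
    e = int.from_bytes(_b64url_decode(jwk["e"]), "big")
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))
    rsa_encryption_oid = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1
    algorithm = _der(0x30, rsa_encryption_oid + b"\x05\x00")      # OID + NULL params
    return _der(0x30, algorithm + _der(0x03, b"\x00" + rsa_public_key))


def rsa_jwk_to_pem(jwk: dict) -> str:
    b64 = base64.b64encode(rsa_jwk_to_der(jwk)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def dovecot_key_paths(jwks: dict, azp: str = "default") -> dict:
    """Map each RSA signing key to the <azp>/<alg>/<kid> relative path that
    (assumption: dovecot local_validation_key_dict layout) dovecot reads
    below the dict prefix, e.g. /etc/dovecot/keys/. Returns path -> PEM."""
    out = {}
    for jwk in jwks["keys"]:
        if jwk.get("kty") != "RSA" or jwk.get("use", "sig") != "sig":
            continue
        out[f"{azp}/{jwk['alg']}/{jwk['kid']}"] = rsa_jwk_to_pem(jwk)
    return out


def jwt_header(token: str) -> dict:
    """Decode only the JOSE header; this performs no signature verification."""
    return json.loads(_b64url_decode(token.split(".")[0]))


def missing_typ(token: str) -> bool:
    """True when the header lacks the typ: JWT field that local validation insists on."""
    return jwt_header(token).get("typ", "").upper() != "JWT"


# Constructed tokens: header + empty payload + placeholder signature segment.
TOKEN_WITHOUT_TYP = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "2021-06"}).encode()),
    _b64url_encode(b"{}"), "sig"])
TOKEN_WITH_TYP = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "kid": "2021-06", "typ": "JWT"}).encode()),
    _b64url_encode(b"{}"), "sig"])


if __name__ == "__main__":
    for path, pem in dovecot_key_paths(SAMPLE_JWKS).items():
        print(path)       # would be written as <prefix>/<path> by the sync job
        print(pem, end="")
    for name, tok in (("without typ", TOKEN_WITHOUT_TYP), ("with typ", TOKEN_WITH_TYP)):
        print(name, "-> would fail local validation" if missing_typ(tok) else "-> typ ok")
```

Running the sync job shortly before and after a planned key rotation, and keeping the previous `kid` file until tokens signed with it have expired, is what prevents the outage the question describes; the `missing_typ` preflight catches the header problem from the original post before it turns into `Cannot find 'typ' field` in the dovecot log.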