From: Aki Tuomi Date: Tue, 26 May 2020 09:46:29 +0000 (+0300) Subject: auth, lib-oauth2: Add local introspection mode X-Git-Tag: 2.3.11.2~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3051a5efac52f5bd51adc9ca6a1ca92fda8a1814;p=thirdparty%2Fdovecot%2Fcore.git auth, lib-oauth2: Add local introspection mode Local introspection attempts to decode token always. This will also happen with password grant, saving an extra roundtrip to oauth2 server.
---
diff --git a/src/auth/db-oauth2.c b/src/auth/db-oauth2.c
index 2c449315cc..fea53bd8e5 100644
--- a/src/auth/db-oauth2.c
+++ b/src/auth/db-oauth2.c
@@ -261,12 +261,17 @@ struct db_oauth2 *db_oauth2_init(const char *config_path)
 db->oauth2_set.introspection_mode = INTROSPECTION_MODE_GET;
 } else if (strcmp(db->set.introspection_mode, "post") == 0) {
 db->oauth2_set.introspection_mode = INTROSPECTION_MODE_POST;
+ } else if (strcmp(db->set.introspection_mode, "local") == 0) {
+ if (*db->set.local_validation_key_dict == '\0')
+ i_fatal("oauth2: local_validation_key_dict is required " "for local introspection.");
+ db->oauth2_set.introspection_mode = INTROSPECTION_MODE_LOCAL;
 } else {
- i_fatal("Invalid value '%s' for introspection mode, must be on auth, get or post",
+ i_fatal("oauth2: Invalid value '%s' for introspection mode, must be on auth, get, post or local",
 db->set.introspection_mode);
 }
- if (*db->set.local_validation_key_dict != '\0') {
+ if (db->oauth2_set.introspection_mode == INTROSPECTION_MODE_LOCAL) {
 struct dict_settings dict_set = {
 .username = "",
 .base_dir = global_auth_settings->base_dir,
@@ -674,6 +679,9 @@ db_oauth2_lookup_continue(struct oauth2_request_result *result,
 } else if (db_oauth2_have_all_fields(req) &&
 !req->db->set.force_introspection) {
 /* pass */
+ } else if (req->db->oauth2_set.introspection_mode == INTROSPECTION_MODE_LOCAL) {
+ db_oauth2_local_validation(req, req->token);
+ return;
 } else if (*req->db->set.introspection_url != '\0') {
 db_oauth2_lookup_introspect(req);
 return;
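Review bot: Replacing the old `if (*db->set.local_validation_key_dict != '\0')` guard with a mode check means a configuration that sets local_validation_key_dict together with auth, get or post now silently loses the local validation it used to get, and the key dict is never opened. An operator who configured a key dict most likely expects tokens to be checked against it, so a warning after the mode chain would make the change visible, e.g. `if (db->oauth2_set.introspection_mode != INTROSPECTION_MODE_LOCAL && *db->set.local_validation_key_dict != '\0') i_warning("oauth2: local_validation_key_dict is ignored unless introspection_mode=local");`. The rewritten error text still says 'must be on auth, get, post or local'; if the accepted value is `auth`, 'must be one of auth, get, post or local' reads correctly. db_oauth2_init begins and ends outside this hunk.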
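Review bot: The new local-mode branch returns before the `introspection_url` check, so a token that cannot be validated with the key dict never falls back to remote introspection even when introspection_url is configured; that matches the commit message but should be stated at the branch, e.g. `/* local mode: the token is validated with key_dict only; introspection_url is never consulted here */`. It is also worth confirming that req->token is always set when a password-grant result reaches this point, since db_oauth2_local_validation is handed it unconditionally and nothing in the hunk checks it. db_oauth2_lookup_continue begins and ends outside this hunk.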
@@ -747,7 +755,8 @@ void db_oauth2_lookup(struct db_oauth2 *db, struct db_oauth2_request *req,
 input.real_remote_port = req->auth_request->real_remote_port;
 input.service = req->auth_request->service;
- if (db->oauth2_set.key_dict != NULL) {
+ if (db->oauth2_set.introspection_mode == INTROSPECTION_MODE_LOCAL &&
+ !db_oauth2_uses_password_grant(db)) {
 /* try to validate token locally */
 e_debug(authdb_event(req->auth_request),
 "oauth2: Attempting to locally validate token");
diff --git a/src/lib-oauth2/oauth2.h b/src/lib-oauth2/oauth2.h
index d651528284..7896fdf0e4 100644
--- a/src/lib-oauth2/oauth2.h
+++ b/src/lib-oauth2/oauth2.h
@@ -40,7 +40,8 @@ struct oauth2_settings {
 enum {
 INTROSPECTION_MODE_GET_AUTH,
 INTROSPECTION_MODE_GET,
- INTROSPECTION_MODE_POST
+ INTROSPECTION_MODE_POST,
+ INTROSPECTION_MODE_LOCAL,
 } introspection_mode;
 unsigned int timeout_msecs;
 /* Should X-Dovecot-Auth-* headers be sent */
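Review bot: The guard now trusts the configured mode instead of the runtime `key_dict != NULL` check it replaces, so if the key dict is ever not set up while the mode is local, the local-validation path runs without a dict; a defensive `i_assert(db->oauth2_set.key_dict != NULL);` at the top of the branch makes that invariant explicit (whether dict initialization can fail without i_fatal is outside this hunk). The comment `/* try to validate token locally */` no longer describes the branch, which is now skipped for password grant; `/* local mode without password grant: validate the presented token now; with password grant the token is validated in db_oauth2_lookup_continue */` matches the new logic. db_oauth2_lookup continues past the end of the hunk.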
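Review bot: INTROSPECTION_MODE_LOCAL is added without a comment, and none of the values in this enum inside oauth2_settings is documented, so the header does not say that this mode validates with key_dict and, as the db-oauth2.c hunks show, never issues an introspection request; a one-line comment such as `INTROSPECTION_MODE_LOCAL, /* validate the token with key_dict; no introspection endpoint is called */` would document that. The trailing comma added to INTROSPECTION_MODE_POST is a good change, as the next value can be added without touching that line.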