Posted to notifications@james.apache.org by GitBox <gi...@apache.org> on 2022/09/19 11:09:44 UTC

[GitHub] [james-project] quantranhong1999 commented on a diff in pull request #1196: [BOYSCOUT] Write some missing ADRs regarding recent work

quantranhong1999 commented on code in PR #1196:
URL: https://github.com/apache/james-project/pull/1196#discussion_r974128452


##########
src/adr/0062-oidc-token-introspection.md:
##########
@@ -0,0 +1,50 @@
+# 62. OIDC token introspection
+
+Date: 2022-09-13
+
+## Status
+
+Accepted (lazy consensus).
+
+Implemented. 
+
+Complements [ADR 51](0051-oidc.md).
+
+## Context
+
+[ADR 51](0051-oidc.md) describes work required for OIDC adoption within James.
+
+This work enables the uses of an OIDC access token to authenticate using IMAP and SMTP.
+It validates the signature of the token using cryptographic materials exposes by the 
+Identity Provider server through the mean of a JWKS endpoint. Yet no effort is made to
+see if the access token in question was revoked or not, which can pause a security threat.
+
+OIDC ecosystem can support the following mechanisms to determine if an access token had been 
+revoked:
+
+ - Use of an introspection endpoint: the application asks the OIDC server to validate the token
+ through an HTTP call. This result in load on the identity provider, which becomes central to the
+ authentication process. This can be assimilated to a 'synchronous' mode.
+ - use of back-channel upon token revocation. The OIDC provider is then responsible to call an 
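
Review bot: the Context section carries several typos that should go in with the bullet capitalisation fix: "the uses of an OIDC access token" should read "the use of", "cryptographic materials exposes by" should read "exposed by", "through the mean of a JWKS endpoint" should read "by means of a JWKS endpoint", "which can pause a security threat" should read "pose a security threat", "This result in load" should read "This results in load", and "had been revoked" should read "has been revoked". While in that paragraph, it would help to spell the threat out rather than leave it at "a security threat": since only the signature is verified against the JWKS material, a token revoked at the Identity Provider keeps being accepted for IMAP and SMTP authentication as long as its signature verifies, which is exactly the gap the two mechanisms listed below are meant to close.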

Review Comment:
   ```suggestion
    - Use of back-channel upon token revocation. The OIDC provider is then responsible to call an 
   ```



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@james.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

