Posted to server-dev@james.apache.org by "Tung TRAN (Jira)" <se...@james.apache.org> on 2022/05/24 09:40:00 UTC

[jira] [Updated] (JAMES-3755) IMAP OIDC: optional configuration of a token_introspection endpoint

     [ https://issues.apache.org/jira/browse/JAMES-3755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tung TRAN updated JAMES-3755:
-----------------------------
    Attachment: IntrospectionToken.mp4

> IMAP OIDC: optional configuration of a token_introspection endpoint
> -------------------------------------------------------------------
>
>                 Key: JAMES-3755
>                 URL: https://issues.apache.org/jira/browse/JAMES-3755
>             Project: James Server
>          Issue Type: Improvement
>          Components: IMAPServer, SMTPServer
>    Affects Versions: 3.7.0
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: 3.8.0
>
>         Attachments: IntrospectionToken.mp4
>
>          Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> Today, upon receiving an OIDC auth request, James verifies the signature against a configured JWKS endpoint to validate the token.
> This decentralized design does not account for revocation.
> Several solutions to this problem exist:
>  - Calling the OIDC provider introspection endpoint to validate the token
>  - Or having a set of invalidated tokens maintained by the application; this needs to be updated by a backchannel from the OIDC provider.
> While my favor tends to go to the second one, the first one is rather common too.
> To give an example, one of my customers is required to implement the first approach: calling the introspection endpoint.
> h3. Proposed solution
>  - Optional configurable endpoint for checking token validity
>  - If specified, this endpoint will be called to validate OIDC tokens
> The call can be performed using a reactor-netty HTTP client.
> h3. References
>  - https://datatracker.ietf.org/doc/html/rfc7662 RFC-7662 OAuth 2.0 Token Introspection



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
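Added example, not code from the James project or from the issue: both sides of the RFC 7662 call the ticket proposes, written in Python rather than with the reactor-netty client the reporter mentions. A stand-in introspection endpoint runs on loopback, and the resource-server side (the role James would play, after its existing JWKS signature check) posts the token with client credentials and fails closed on anything other than an {"active": true} answer. The tokens, client credentials, port and the "revoked" flag are all constructed for the demo; nothing here reproduces James's JWKS validation.

```python
"""RFC 7662 token introspection, both sides. Illustration only, not James code;
every token, credential and URL below is constructed for the demo."""
import base64
import json
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.parse import parse_qs, urlencode
from urllib.request import Request, urlopen

# Assumed client credentials the mail server uses to authenticate to the endpoint.
CLIENT_ID, CLIENT_SECRET = "james-imap", "s3cret"

# Constructed provider state: token -> claims. "revoked" stands in for the provider
# having revoked the token after issuance, which a JWKS signature check cannot see.
NOW = int(time.time())
ISSUED = {
    "tok-alice": {"sub": "alice", "username": "alice@example.com",
                  "scope": "openid email", "exp": NOW + 3600, "revoked": False},
    "tok-bob":   {"sub": "bob", "username": "bob@example.com",
                  "scope": "openid email", "exp": NOW + 3600, "revoked": True},
    "tok-stale": {"sub": "carol", "username": "carol@example.com",
                  "scope": "openid email", "exp": NOW - 60, "revoked": False},
    "tok-noscp": {"sub": "dave", "username": "dave@example.com",
                  "scope": "openid", "exp": NOW + 3600, "revoked": False},
}


def _basic(client_id, secret):
    return "Basic " + base64.b64encode(f"{client_id}:{secret}".encode()).decode()


class IntrospectionHandler(BaseHTTPRequestHandler):
    """Minimal RFC 7662 endpoint: form-encoded POST with token=..., JSON reply."""

    def do_POST(self):
        if self.path != "/introspect":
            self.send_error(404)
            return
        # RFC 7662 section 2.1: the caller MUST be authenticated, otherwise the
        # endpoint is a token-validity oracle for anyone who captured a token.
        if self.headers.get("Authorization") != _basic(CLIENT_ID, CLIENT_SECRET):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="introspection"')
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode())
        claims = ISSUED.get(form.get("token", [""])[0])
        # RFC 7662 section 2.2: unknown, expired and revoked tokens all yield
        # {"active": false} with no further detail.
        if claims is None or claims["revoked"] or claims["exp"] <= int(time.time()):
            body = {"active": False}
        else:
            body = {"active": True, "sub": claims["sub"], "username": claims["username"],
                    "scope": claims["scope"], "exp": claims["exp"],
                    "client_id": CLIENT_ID, "token_type": "Bearer"}
        data = json.dumps(body).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_provider():
    """Serve the stand-in endpoint on an ephemeral loopback port."""
    srv = HTTPServer(("127.0.0.1", 0), IntrospectionHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}/introspect"


def introspect(url, token, client_id, client_secret, timeout=5):
    """Resource-server side: the call a mail server makes after the signature check."""
    req = Request(url, method="POST",
                  data=urlencode({"token": token, "token_type_hint": "access_token"}).encode(),
                  headers={"Authorization": _basic(client_id, client_secret),
                           "Content-Type": "application/x-www-form-urlencoded",
                           "Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


def authorize(url, token, client_id, client_secret, required_scope="email"):
    """Return the principal for an active token carrying the needed scope, else None.
    Fails closed: transport errors, a 401 from the endpoint, a non-JSON body and an
    inactive token all deny, with no fallback to the signature-only result."""
    try:
        info = introspect(url, token, client_id, client_secret)
    except (HTTPError, OSError, ValueError):
        return None
    if info.get("active") is not True:
        return None
    if required_scope not in info.get("scope", "").split():
        return None
    return info.get("username") or info.get("sub")


if __name__ == "__main__":
    srv, url = start_provider()
    for tok in list(ISSUED) + ["tok-forged"]:
        print(f"{tok:11} -> {authorize(url, tok, CLIENT_ID, CLIENT_SECRET)}")
    print(f"wrong secret -> {authorize(url, 'tok-alice', CLIENT_ID, 'nope')}")
    srv.shutdown()
    srv.server_close()
```

Two points the code bakes in are worth carrying into any real implementation: the endpoint must authenticate its caller, so the resource server needs its own client credentials (and TLS) for the introspection URL, and a revoked, expired or unknown token all come back as {"active": false}, which is exactly the signal the JWKS-only check cannot produce. The call is also not free: it belongs at AUTHENTICATE time, or behind a short-TTL cache, rather than on every IMAP command.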
