Posted to server-dev@james.apache.org by "Tung TRAN (Jira)" <se...@james.apache.org> on 2022/05/24 09:40:00 UTC
[jira] [Updated] (JAMES-3755) IMAP OIDC: optional configuration of a token_introspection endpoint
[ https://issues.apache.org/jira/browse/JAMES-3755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tung TRAN updated JAMES-3755:
-----------------------------
Attachment: IntrospectionToken.mp4
> IMAP OIDC: optional configuration of a token_introspection endpoint
> --------------------------------------------------------------------
>
> Key: JAMES-3755
> URL: https://issues.apache.org/jira/browse/JAMES-3755
> Project: James Server
> Issue Type: Improvement
> Components: IMAPServer, SMTPServer
> Affects Versions: 3.7.0
> Reporter: Benoit Tellier
> Priority: Major
> Fix For: 3.8.0
>
> Attachments: IntrospectionToken.mp4
>
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
> Today, upon receiving an OIDC auth request, James verifies the signature against a configured JWKS endpoint to validate the token.
> This decentralized design does not account for revocation.
> Several solutions to this problem exist:
> - Calling the OIDC provider introspection endpoint to validate the token
> - Or having a set of invalidated tokens maintained by the application; this needs to be updated by a backchannel from the OIDC provider.
> While my favor tends to go to the second one, the first one is rather common too.
> To give an example, one of my customers is required to implement the first approach: calling the introspection endpoint.
> h3. Proposed solution
> - Optional configurable endpoint for checking token validity
> - If specified this endpoint will be called to validate OIDC tokens
> The call can be performed using a reactor-netty HTTP client.
> h3. References
> - https://datatracker.ietf.org/doc/html/rfc7662 RFC-7662 OAuth 2.0 Token Introspection
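The exchange the proposal describes, as an added example that is not part of the ticket or of the James code base: an RFC 7662 introspection call made after the JWKS signature check, so that a token whose signature still verifies but which the provider has since revoked is rejected. Both halves are constructed here in Python (James itself would use a reactor-netty client): `handle_introspection` stands in for the provider's endpoint with a constructed token table, and `introspect` is the mail-server-side check. The client id, secret, token values and endpoint URL are all assumptions; the `transport` parameter lets the client be wired to the stand-in provider without a network.

```python
"""RFC 7662 token introspection, both sides, constructed for this example."""
import base64
import json
import time
import urllib.error
import urllib.request
from urllib.parse import parse_qs, urlencode

# --- Provider side: stand-in for the OIDC provider's introspection endpoint ---
CLIENT_ID = "james-imap"          # assumed credentials the mail server presents
CLIENT_SECRET = "example-secret"  # to the endpoint (RFC 7662 section 2.1)

# Constructed token table: one live token, one the provider has revoked.
TOKEN_STATE = {
    "tok-alice": {"active": True, "username": "alice", "scope": "imap smtp",
                  "exp": int(time.time()) + 3600},
    "tok-bob": {"active": False},
}


def basic_auth(client_id, client_secret):
    """HTTP Basic credential for the introspection endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def handle_introspection(headers, body):
    """Provider side: returns (http_status, json_bytes)."""
    if headers.get("Authorization") != basic_auth(CLIENT_ID, CLIENT_SECRET):
        return 401, b'{"error":"invalid_client"}'
    form = parse_qs(body.decode())
    token = form.get("token", [""])[0]
    # RFC 7662 section 2.2: unknown or revoked tokens yield {"active": false},
    # never an error, so a caller cannot tell "revoked" from "never issued".
    return 200, json.dumps(TOKEN_STATE.get(token, {"active": False})).encode()


# --- Mail-server side: the check run after the JWKS signature validation ---
def urllib_transport(url, headers, body, timeout=3.0):
    """Real HTTP POST; returns (status, response_bytes). Raises on network error."""
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read()


def introspect(endpoint, token, client_id, client_secret, required_scope=None,
               transport=urllib_transport):
    """True only if the provider reports the token active (and carrying
    required_scope when one is given). Any transport or parsing problem counts
    as not valid: the check fails closed, which is what a login path wants."""
    headers = {
        "Authorization": basic_auth(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    try:
        status, raw = transport(endpoint, headers, body)
        if status != 200:
            return False
        claims = json.loads(raw.decode())
    except (urllib.error.URLError, OSError, ValueError):
        return False
    if claims.get("active") is not True:  # the JSON boolean, not the string "true"
        return False
    exp = claims.get("exp")  # optional in the response; honour it when present
    if isinstance(exp, int) and exp <= int(time.time()):
        return False
    if required_scope and required_scope not in claims.get("scope", "").split():
        return False
    return True


if __name__ == "__main__":
    # Offline run against the stand-in provider; an assumed endpoint URL.
    local = lambda url, h, b: handle_introspection(h, b)
    for tok in ("tok-alice", "tok-bob", "tok-unknown"):
        ok = introspect("https://op.example/introspect", tok, CLIENT_ID,
                        CLIENT_SECRET, required_scope="imap", transport=local)
        print(f"{tok}: {'accept' if ok else 'reject'}")
```

Two details matter for the proposed optional endpoint: the introspection request itself must be authenticated (the endpoint is not public, so a leaked client secret lets anyone query token state), and the client should treat a timeout, a non-200 status or an unparsable body as a rejection rather than falling back to the signature-only decision, otherwise an unreachable provider silently re-enables revoked tokens.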