This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 677e3edf217bfe227fea3cb347f8f5d362ad487c Author: Benoit TELLIER <[email protected]> AuthorDate: Mon Jan 19 16:53:50 2026 +0100 [ENHANCEMENT] Relax Introspect requirement --- docs/modules/servers/partials/configure/imap.adoc | 2 -- docs/modules/servers/partials/configure/smtp.adoc | 2 -- .../src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java | 8 -------- server/protocols/protocols-imap4/pom.xml | 2 +- server/protocols/protocols-lmtp/pom.xml | 2 +- server/protocols/protocols-smtp/pom.xml | 2 +- 6 files changed, 3 insertions(+), 15 deletions(-) diff --git a/docs/modules/servers/partials/configure/imap.adoc b/docs/modules/servers/partials/configure/imap.adoc index 4c86b5fa3b..5aa9b54465 100644 --- a/docs/modules/servers/partials/configure/imap.adoc +++ b/docs/modules/servers/partials/configure/imap.adoc @@ -68,9 +68,7 @@ Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false` | auth.oidc.introspection.url | Optional. An OAuth introspection token URL will be called to validate the token (RF: RFC7662). -Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false` Note that James always verifies the signature of the token even whether this configuration is provided or not. -This endpoint is expected to return `aud`. | auth.oidc.introspection.auth | Optional. Provide Authorization in header request when introspecting token. diff --git a/docs/modules/servers/partials/configure/smtp.adoc b/docs/modules/servers/partials/configure/smtp.adoc index a98af568f8..788f205b7b 100644 --- a/docs/modules/servers/partials/configure/smtp.adoc +++ b/docs/modules/servers/partials/configure/smtp.adoc 
@@ -117,9 +117,7 @@ Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false` | auth.oidc.introspection.url | Optional. An OAuth introspection token URL will be called to validate the token (RF: RFC7662). -Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false` Note that James always verifies the signature of the token even whether this configuration is provided or not. -This endpoint is expected to return `aud`. | auth.oidc.introspection.auth | Optional. Provide Authorization in header request when introspecting token. diff --git a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java index 0fbc52f46e..09d7df767c 100644 --- a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java +++ b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java @@ -136,14 +136,6 @@ public class OidcSASLConfiguration { String userInfoUrl = configuration.getString("userinfo.url", null); String aud = configuration.getString("aud", null); - if (introspectionUrl == null) { - if (Boolean.parseBoolean(System.getProperty("james.sasl.oidc.force.introspect", "true"))) { - throw new IllegalArgumentException("'introspection.url' is mandatory for secure set up. Disable this check with -Djames.sasl.oidc.force.introspect=false."); - } else { - LOGGER.warn("'introspection.url' is mandatory for secure set up. This check was disabled with -Djames.sasl.oidc.force.introspect=false."); - } - } - if (aud == null) { if (Boolean.parseBoolean(System.getProperty("james.sasl.oidc.validate.aud", "true"))) { throw new IllegalArgumentException("'aud' is mandatory for secure set up. Disable this check with -Djames.sasl.oidc.validate.aud=false."); diff --git a/server/protocols/protocols-imap4/pom.xml b/server/protocols/protocols-imap4/pom.xml index 236dbb519f..dc1b855e2d 100644 
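Review bot: With the `introspectionUrl == null` branch deleted in the OidcSASLConfiguration.java hunk, a configuration without `introspection.url` now starts with no startup signal at all, where it previously either failed or logged a warning. Per the adoc sentence this commit keeps, James then relies on verifying the token signature locally, so a token revoked at the identity provider would presumably still be accepted until it expires. I would keep a non-fatal notice in place of the removed block, `if (introspectionUrl == null) { LOGGER.warn("'introspection.url' is not set: access tokens are checked locally only and revocation at the identity provider is not detected."); }`, and keep one sentence in imap.adoc and smtp.adoc stating that trade-off, since both doc hunks drop the hardening remark. The enclosing method starts and ends outside the hunk, so `introspectionUrl` and `LOGGER` are taken from the removed lines rather than from a visible declaration.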
--- a/server/protocols/protocols-imap4/pom.xml +++ b/server/protocols/protocols-imap4/pom.xml @@ -188,7 +188,7 @@ </systemPropertyVariables> <argLine>-Djava.library.path= -javaagent:"${settings.localRepository}"/org/jacoco/org.jacoco.agent/${jacoco-maven-plugin.version}/org.jacoco.agent-${jacoco-maven-plugin.version}-runtime.jar=destfile=${basedir}/target/jacoco.exec - -Xms1024m -Xmx2048m -Djames.sasl.oidc.force.introspect=false -Djames.sasl.oidc.validate.aud=false</argLine> + -Xms1024m -Xmx2048m -Djames.sasl.oidc.validate.aud=false</argLine> <reuseForks>true</reuseForks> <!-- Fail tests longer than 30 minutes, prevent form random locking tests --> <forkedProcessTimeoutInSeconds>1800</forkedProcessTimeoutInSeconds> diff --git a/server/protocols/protocols-lmtp/pom.xml b/server/protocols/protocols-lmtp/pom.xml index cf4984acf2..d5bf95b10f 100644 --- a/server/protocols/protocols-lmtp/pom.xml +++ b/server/protocols/protocols-lmtp/pom.xml @@ -195,7 +195,7 @@ </systemPropertyVariables> <argLine>-Djava.library.path= -javaagent:"${settings.localRepository}"/org/jacoco/org.jacoco.agent/${jacoco-maven-plugin.version}/org.jacoco.agent-${jacoco-maven-plugin.version}-runtime.jar=destfile=${basedir}/target/jacoco.exec - -Xms512m -Xmx1024m -Djames.sasl.oidc.force.introspect=false -Djames.sasl.oidc.validate.aud=false</argLine> + -Xms512m -Xmx1024m -Djames.sasl.oidc.validate.aud=false</argLine> <reuseForks>true</reuseForks> <!-- Fail tests longer than 30 minutes, prevent form random locking tests --> <forkedProcessTimeoutInSeconds>1800</forkedProcessTimeoutInSeconds> diff --git a/server/protocols/protocols-smtp/pom.xml b/server/protocols/protocols-smtp/pom.xml index e28a2c45f9..5351f7b5ac 100644 --- a/server/protocols/protocols-smtp/pom.xml +++ b/server/protocols/protocols-smtp/pom.xml 
@@ -226,7 +226,7 @@ </systemPropertyVariables> <argLine>-Djava.library.path= -javaagent:"${settings.localRepository}"/org/jacoco/org.jacoco.agent/${jacoco-maven-plugin.version}/org.jacoco.agent-${jacoco-maven-plugin.version}-runtime.jar=destfile=${basedir}/target/jacoco.exec - -Xms512m -Xmx1024m -Djames.sasl.oidc.force.introspect=false -Djames.sasl.oidc.validate.aud=false</argLine> + -Xms512m -Xmx1024m -Djames.sasl.oidc.validate.aud=false</argLine> <reuseForks>true</reuseForks> <!-- Fail tests longer than 30 minutes, prevent form random locking tests --> <forkedProcessTimeoutInSeconds>1800</forkedProcessTimeoutInSeconds> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
