This is an automated email from the ASF dual-hosted git repository. btellier pushed a commit to branch 3.9.x in repository https://gitbox.apache.org/repos/asf/james-project.git
commit 810cb318ab6f549087ce64f0a2dc932c3ddbd903 Author: Benoit TELLIER <[email protected]> AuthorDate: Fri Jan 16 18:00:14 2026 +0100 [ENHANCEMENT] Improve SASL OpenId doc --- docs/modules/servers/partials/configure/imap.adoc | 20 +++++++++++++++++++- docs/modules/servers/partials/configure/smtp.adoc | 13 ++++++++----- 2 files changed, 27 insertions(+), 6 deletions(-) diff --git a/docs/modules/servers/partials/configure/imap.adoc b/docs/modules/servers/partials/configure/imap.adoc index af6911fe43..d09341310e 100644 --- a/docs/modules/servers/partials/configure/imap.adoc +++ b/docs/modules/servers/partials/configure/imap.adoc 
@@ -62,6 +62,24 @@ Whether to enable Authentication PLAIN if the connection is not encrypted via SS | auth.oidc.scope | An OAuth scope that is valid to access the service (RF: RFC7628). Only configure this when you want to authenticate IMAP server using a OIDC provider. +| auth.oidc.aud +| An OAuth audience to access the service (RF: RFC7628). Only configure this when you want to authenticate IMAP server using a OIDC provider. +Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false` + +| auth.oidc.introspection.url +| Optional. An OAuth introspection token URL will be called to validate the token (RF: RFC7662). +Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false` +Note that James always verifies the signature of the token even whether this configuration is provided or not. +This endpoint is expected to return `aud`. + +| auth.oidc.introspection.auth +| Optional. Provide Authorization in header request when introspecting token. +Eg: `Basic xyz` + +| auth.oidc.userinfo.url +| Optional. An Userinfo URL will be called to retrieve additional user information +(RF: OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html). + | timeout | Default to 30 minutes. After this time, inactive channels that have not performed read, write, or both operation for a while will be closed. Negative value disable this behaviour. @@ -265,4 +283,4 @@ Example: <partialBodyFetchCacheDuration>2min</partialBodyFetchCacheDuration> <partialBodyFetchCacheSize>500 MiB</partialBodyFetchCacheSize> </imapserver> -.... \ No newline at end of file +.... diff --git a/docs/modules/servers/partials/configure/smtp.adoc b/docs/modules/servers/partials/configure/smtp.adoc index 1a68a0094f..a98af568f8 100644 --- a/docs/modules/servers/partials/configure/smtp.adoc +++ b/docs/modules/servers/partials/configure/smtp.adoc 
@@ -111,20 +111,23 @@ can be used to enforce strong authentication mechanisms. | auth.oidc.scope | An OAuth scope that is valid to access the service (RF: RFC7628). Only configure this when you want to authenticate SMTP server using a OIDC provider. +| auth.oidc.aud +| An OAuth audience to access the service (RF: RFC7628). Only configure this when you want to authenticate IMAP server using a OIDC provider. +Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false` + | auth.oidc.introspection.url | Optional. An OAuth introspection token URL will be called to validate the token (RF: RFC7662). -Only configure this when you want to validate the revocation token by the OIDC provider. +Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false` Note that James always verifies the signature of the token even whether this configuration is provided or not. +This endpoint is expected to return `aud`. | auth.oidc.introspection.auth | Optional. Provide Authorization in header request when introspecting token. Eg: `Basic xyz` | auth.oidc.userinfo.url -| Optional. An Userinfo URL will be called to validate the token (RF: OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html). -Only configure this when you want to validate the revocation token by the OIDC provider. -Note that James always verifies the signature of the token even whether this configuration is provided or not. -James will ignore check token by userInfo if the `auth.oidc.introspection.url` is already configured +| Optional. An Userinfo URL will be called to retrieve additional user information +(RF: OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html). | authorizedAddresses | Authorize specific addresses/networks. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
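Review bot: In the imap.adoc hunk at `auth.oidc.introspection.url`, the row opens with "Optional." and the next added line says "Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false`", so a reader cannot tell whether leaving the URL unset is accepted by default. Suggest dropping "Optional." and stating what James does when the URL is unset and the property is left at its default. The `auth.oidc.aud` row has the same gap with "Compulsory but can be relaxed": say what happens when it is missing. "This endpoint is expected to return `aud`" should also say how a response without `aud` is handled. Minor wording: "even whether this configuration is provided or not" reads better as "whether or not this configuration is provided", and "a OIDC" / "An Userinfo" should be "an OIDC" / "A Userinfo".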
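Review bot: In the smtp.adoc hunk, the added `auth.oidc.aud` row says "authenticate IMAP server using a OIDC provider", which looks copied from imap.adoc; it should read SMTP, as the `auth.oidc.scope` row directly above it does. The `auth.oidc.introspection.url` row also keeps "Optional." in front of the new "Required to harden access token validation" line, which contradicts it. The hunk removes the sentence saying the userinfo check is ignored when `auth.oidc.introspection.url` is configured and redescribes `auth.oidc.userinfo.url` as retrieving additional user information instead of validating the token; if userinfo no longer takes part in validation, say so explicitly so operators who relied on it for revocation checks know to configure introspection.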
