This is an automated email from the ASF dual-hosted git repository. chibenwa pushed a commit to branch 3.8.x in repository https://gitbox.apache.org/repos/asf/james-project.git
commit c8f079a0bda130eb9409c5ac3629a04a2f96ac3b Author: Benoit TELLIER <[email protected]> AuthorDate: Mon Jan 19 16:53:50 2026 +0100 [ENHANCEMENT] Relax Introspect requirement --- .../distributed-app/docs/modules/ROOT/pages/configure/imap.adoc | 2 -- .../distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc | 2 -- .../main/java/org/apache/james/jwt/OidcSASLConfiguration.java | 9 +-------- server/protocols/protocols-imap4/pom.xml | 2 +- server/protocols/protocols-lmtp/pom.xml | 2 +- server/protocols/protocols-smtp/pom.xml | 2 +- 6 files changed, 4 insertions(+), 15 deletions(-) diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc index bb1da25807..d98fc3648c 100644 --- a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc +++ b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc @@ -71,9 +71,7 @@ Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false` | auth.oidc.introspection.url | Optional. An OAuth introspection token URL will be called to validate the token (RF: RFC7662). -Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false` Note that James always verifies the signature of the token even whether this configuration is provided or not. -This endpoint is expected to return `aud`. | auth.oidc.introspection.auth | Optional. Provide Authorization in header request when introspecting token. diff --git a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc index 0b648b054a..ed3afb6e20 100644 --- a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc +++ b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc @@ -115,9 +115,7 @@ Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false` | auth.oidc.introspection.url | Optional. An OAuth introspection token URL will be called to validate the token (RF: RFC7662). -Required to harden access token validation, but can be relaxed with `-Djames.sasl.oidc.force.introspect=false` Note that James always verifies the signature of the token even whether this configuration is provided or not. -This endpoint is expected to return `aud`. | auth.oidc.introspection.auth | Optional. Provide Authorization in header request when introspecting token. diff --git a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java index 4a0db876cd..8f17de4bbb 100644 --- a/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java +++ b/server/protocols/jwt/src/main/java/org/apache/james/jwt/OidcSASLConfiguration.java @@ -136,14 +136,7 @@ public class OidcSASLConfiguration { String introspectionUrl = configuration.getString("introspection.url", null); String userInfoUrl = configuration.getString("userinfo.url", null); String aud = configuration.getString("aud", null); - - if (introspectionUrl == null) { - if (FORCE_INTROSPECT) { - throw new IllegalArgumentException("'introspection.url' is mandatory for secure set up. Disable this check with -Djames.sasl.oidc.force.introspect=false."); - } else { - LOGGER.warn("'introspection.url' is mandatory for secure set up. This check was disabled with -Djames.sasl.oidc.force.introspect=false."); - } - } + if (aud == null) { if (VALIDATE_AUD) { throw new IllegalArgumentException("'aud' is mandatory for secure set up. Disable this check with -Djames.sasl.oidc.validate.aud=false."); diff --git a/server/protocols/protocols-imap4/pom.xml b/server/protocols/protocols-imap4/pom.xml index 69ea06b187..06dfb8c69d 100644 --- a/server/protocols/protocols-imap4/pom.xml +++ b/server/protocols/protocols-imap4/pom.xml @@ -192,7 +192,7 @@ </systemPropertyVariables> <argLine>-Djava.library.path= -javaagent:"${settings.localRepository}"/org/jacoco/org.jacoco.agent/${jacoco-maven-plugin.version}/org.jacoco.agent-${jacoco-maven-plugin.version}-runtime.jar=destfile=${basedir}/target/jacoco.exec - -Xms512m -Xmx1024m -Djames.sasl.oidc.force.introspect=false -Djames.sasl.oidc.validate.aud=false</argLine> + -Xms1024m -Xmx2048m -Djames.sasl.oidc.validate.aud=false</argLine> <reuseForks>true</reuseForks> <!-- Fail tests longer than 20 minutes, prevent form random locking tests --> <forkedProcessTimeoutInSeconds>1200</forkedProcessTimeoutInSeconds> diff --git a/server/protocols/protocols-lmtp/pom.xml b/server/protocols/protocols-lmtp/pom.xml index 0368fa6302..e1ffab357e 100644 --- a/server/protocols/protocols-lmtp/pom.xml +++ b/server/protocols/protocols-lmtp/pom.xml @@ -190,7 +190,7 @@ </systemPropertyVariables> <argLine>-Djava.library.path= -javaagent:"${settings.localRepository}"/org/jacoco/org.jacoco.agent/${jacoco-maven-plugin.version}/org.jacoco.agent-${jacoco-maven-plugin.version}-runtime.jar=destfile=${basedir}/target/jacoco.exec - -Xms512m -Xmx1024m -Djames.sasl.oidc.force.introspect=false -Djames.sasl.oidc.validate.aud=false</argLine> + -Xms512m -Xmx1024m -Djames.sasl.oidc.validate.aud=false</argLine> <reuseForks>true</reuseForks> <!-- Fail tests longer than 20 minutes, prevent form random locking tests --> <forkedProcessTimeoutInSeconds>1200</forkedProcessTimeoutInSeconds> diff --git a/server/protocols/protocols-smtp/pom.xml b/server/protocols/protocols-smtp/pom.xml index 2c6f13f3e7..8721d252a9 100644 --- a/server/protocols/protocols-smtp/pom.xml +++ b/server/protocols/protocols-smtp/pom.xml @@ -226,7 +226,7 @@ </systemPropertyVariables> <argLine>-Djava.library.path= -javaagent:"${settings.localRepository}"/org/jacoco/org.jacoco.agent/${jacoco-maven-plugin.version}/org.jacoco.agent-${jacoco-maven-plugin.version}-runtime.jar=destfile=${basedir}/target/jacoco.exec - -Xms512m -Xmx1024m -Djames.sasl.oidc.force.introspect=false -Djames.sasl.oidc.validate.aud=false</argLine> + -Xms512m -Xmx1024m -Djames.sasl.oidc.validate.aud=false</argLine> <reuseForks>true</reuseForks> <!-- Fail tests longer than 20 minutes, prevent form random locking tests --> <forkedProcessTimeoutInSeconds>1200</forkedProcessTimeoutInSeconds> --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
