Benoit Tellier created JAMES-3755:
-------------------------------------
Summary: IMAP OIDC: optional configuration of a
token_instrospection endpoint
Key: JAMES-3755
URL: https://issues.apache.org/jira/browse/JAMES-3755
Project: James Server
Issue Type: Improvement
Components: IMAPServer, SMTPServer
Affects Versions: 3.7.0
Reporter: Benoit Tellier
Fix For: 3.8.0
Today upon receiving a OIDC auth request James verifies the signature against a
configured JWKS endpoint to validate the token.
This decentralized design do not account for revocation.
Several solution to this problem exists:
- Calling the OIDC provider introspection endpoint to validate the token
- Or having a set of invalidated token maintained by the application, this
needs to be updated by a backchannel from the OIDC provider.
While my favor tend to go to the second one, the first one is rather common to.
To give an exemple, one of my customers is required to implement the first
approach: calling the introspection endpoint.
h3. Proposed solution
- Optional configurable endpoint for checking token validity
- If specified this endpoint will be called to validate OIDC tokens
The call can be performed using a reactor-netty HTTP client.
h3. References
- https://datatracker.ietf.org/doc/html/rfc7662 RFC-7662 OAuth 2.0 Token
Introspection
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org
For additional commands, e-mail: server-dev-h...@james.apache.org
