[ https://issues.apache.org/jira/browse/JAMES-3755?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoit Tellier closed JAMES-3755.
---------------------------------
    Resolution: Fixed
    Contributed

> IMAP OIDC: optional configuration of a token_instrospection endpoint
> --------------------------------------------------------------------
>
>                 Key: JAMES-3755
>                 URL: https://issues.apache.org/jira/browse/JAMES-3755
>             Project: James Server
>          Issue Type: Improvement
>          Components: IMAPServer, SMTPServer
>    Affects Versions: 3.7.0
>            Reporter: Benoit Tellier
>            Priority: Major
>             Fix For: 3.8.0
>
>         Attachments: IntrospectionToken.mp4
>
>          Time Spent: 3h 20m
>  Remaining Estimate: 0h
>
> Today upon receiving an OIDC auth request James verifies the signature against
> a configured JWKS endpoint to validate the token.
> This decentralized design does not account for revocation.
> Several solutions to this problem exist:
> - Calling the OIDC provider introspection endpoint to validate the token
> - Or having a set of invalidated tokens maintained by the application; this
> needs to be updated by a backchannel from the OIDC provider.
> While my favour tends to go to the second one, the first one is rather common
> too.
> To give an example, one of my customers is required to implement the first
> approach: calling the introspection endpoint.
> h3. Proposed solution
> - Optional configurable endpoint for checking token validity
> - If specified this endpoint will be called to validate OIDC tokens
> The call can be performed using a reactor-netty HTTP client.
> h3. References
> - https://datatracker.ietf.org/doc/html/rfc7662 RFC-7662 OAuth 2.0 Token
> Introspection
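The RFC 7662 introspection call proposed in the issue, as an added Python illustration that is not James code (James would make the call with reactor-netty). The request builder and the fail-closed response policy are kept apart from the HTTP call so the decision logic can be checked offline; the endpoint URL, client credentials and claim values used below are constructed placeholders.

```python
import base64
import json
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen


def build_introspection_request(url, token, client_id, client_secret):
    """RFC 7662 section 2.1: POST, form-encoded body, and the caller must
    authenticate itself (HTTP Basic here, as a confidential OAuth client)."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urlencode({"token": token, "token_type_hint": "access_token"})
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    return Request(url, data=body.encode(), headers=headers, method="POST")


def evaluate_introspection(status, body, expected_aud=None, now=None):
    """Return (accepted, reason). Fails closed: only an HTTP 200 carrying JSON
    with "active": true is accepted, which is what covers revocation that a
    local JWKS signature check cannot see."""
    if status != 200:
        return False, f"introspection endpoint returned HTTP {status}"
    try:
        claims = json.loads(body)
    except (TypeError, ValueError):
        return False, "introspection response is not valid JSON"
    # RFC 7662 section 2.2: "active" is the only required member; a revoked,
    # expired or unknown token comes back as {"active": false} and nothing else.
    if claims.get("active") is not True:
        return False, "token is not active (revoked, expired or unknown)"
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        return False, "token is expired according to the introspection response"
    if expected_aud is not None:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud  # "aud" may be a string or a list
        if expected_aud not in aud:
            return False, "token was not issued for this audience"
    return True, claims.get("sub", "")


def introspect(url, token, client_id, client_secret, expected_aud=None):
    """Live call; transport errors and non-2xx responses reject the token too."""
    req = build_introspection_request(url, token, client_id, client_secret)
    try:
        with urlopen(req, timeout=5) as resp:
            return evaluate_introspection(resp.status, resp.read(), expected_aud)
    except OSError as exc:  # HTTPError and URLError are both OSError subclasses
        return False, f"introspection call failed: {exc}"
```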