Jean-Baptiste created JAMES-4195:
------------------------------------

             Summary: JMAP - Allow configurable OIDC user identifier field
                 Key: JAMES-4195
                 URL: https://issues.apache.org/jira/browse/JAMES-4195
             Project: James Server
          Issue Type: Improvement
          Components: JMAP
            Reporter: Jean-Baptiste
            Assignee: Antoine Duprat


*Current Context:* In the current implementation of 
{{JWTAuthenticationStrategy}} (notably used by the *JMAP* endpoint), the user 
identity is strictly extracted from the {{sub}} claim of the JSON Web Token. 
Additionally, the public keys used for signature verification are typically 
loaded from local files or static configurations.

*Problem 1: Hardcoded "sub" claim* In many modern Identity Providers (IdP) like 
Keycloak, Auth0, or Okta, the {{sub}} claim is an immutable internal UUID 
(e.g., {{f:836c-22...}}). Apache James, however, often requires a 
human-readable username (like {{[email protected]}}) to match its internal 
mailbox structure. Currently, there is no way to tell James to use another 
claim (e.g., {{preferred_username}}, {{email}}, or {{uid}}) as the 
source of truth for the user identity.

*Problem 2: Static Public Key Management* Modern OIDC/OAuth2 architectures use 
*JWKS (JSON Web Key Set)* endpoints to expose public keys. These keys are 
subject to rotation for security reasons. Relying on a local static file for 
the public key makes rotation complex and prone to service interruption.
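Added illustration of both points (not James code and not a proposed patch): a configurable identity-claim selector that refuses to fall back to another claim when the configured one is absent, and a JWKS cache keyed by {{kid}} that refetches on an unknown key id (rotation) but rate-limits those refetches. The fetch callback, the sample token and the key-set contents are constructed here; signature verification is assumed to happen before {{resolve_user}} is called.

```python
import base64
import json
import time
from typing import Callable, Dict, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def unverified_parts(token: str) -> tuple:
    """Split a compact JWT into (header, claims). The signature is NOT checked here;
    the header's 'kid' is what a verifier uses to pick the JWKS key first."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def resolve_user(claims: dict, identity_claim: str = "sub") -> str:
    """Use the configured claim (sub, preferred_username, email, uid, ...) as the user.
    A missing or non-string value is an error, never a silent fallback to 'sub',
    so a token lacking the configured claim cannot map onto some other account."""
    value = claims.get(identity_claim)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"claim {identity_claim!r} missing or not a usable string")
    return value


class JwksCache:
    """Keys indexed by 'kid'. An unknown kid triggers a refetch (key rotation), but
    at most once per min_refresh_interval so a flood of bogus kids cannot turn
    every request into a call to the IdP's JWKS endpoint."""

    def __init__(self, fetch: Callable[[], dict], min_refresh_interval: float = 60.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._fetch, self._interval, self._now = fetch, min_refresh_interval, now
        self._keys: Dict[str, dict] = {}
        self._last_refresh = float("-inf")
        self.refresh_count = 0  # exposed so callers can monitor refetch churn

    def refresh(self) -> None:
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}
        self._last_refresh = self._now()
        self.refresh_count += 1

    def key_for(self, kid: str) -> Optional[dict]:
        key = self._keys.get(kid)
        if key is None and self._now() - self._last_refresh >= self._interval:
            self.refresh()
            key = self._keys.get(kid)
        return key


# Constructed sample token: IdP-style UUID in 'sub', readable name in 'preferred_username'.
SAMPLE_TOKEN = (_b64url_encode({"alg": "RS256", "kid": "k1"}) + "."
                + _b64url_encode({"sub": "f:836c-22", "preferred_username": "alice@example.org"})
                + ".placeholder-signature")
```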



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
