[ https://issues.apache.org/jira/browse/JAMES-4195?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste updated JAMES-4195:
---------------------------------
Description:
*Current Context:* In the current implementation of
{{JWTAuthenticationStrategy}} (notably used by the *JMAP* endpoint), the user
identity is strictly extracted from the {{sub}} claim of the JSON Web Token.
Additionally, the public keys used for signature verification are typically
loaded from local files or static configurations.

*Problem 1: Hardcoded "sub" claim* In many modern Identity Providers (IdP) like
Keycloak, Auth0, or Okta, the {{sub}} claim is an immutable internal UUID
(e.g., {{f:836c-22...}}). Apache James, however, requires an email-format
username (like {{[email protected]}}). Currently, there is no way to tell
James to use another claim (e.g., {{preferred_username}}, {{email}}, or
{{uid}}) as the source of truth for the user identity.

*Problem 2: Static Public Key Management* Modern OIDC/OAuth2 architectures use
*JWKS (JSON Web Key Set)* endpoints to expose public keys. These keys are
subject to rotation for security reasons. Relying on a local static file for
the public key makes rotation complex and prone to service interruption.

*Proposed Changes:*
# *Configurable Username Claim:* Introduce a configuration parameter to define
which JWT claim should be mapped to the James Username.
# *JWKS Endpoint Support:* Allow James to fetch and cache public keys directly
from a standard OIDC/JWKS URL instead of a local file.
was:
*Current Context:* In the current implementation of
{{JWTAuthenticationStrategy}} (notably used by the *JMAP* endpoint), the user
identity is strictly extracted from the {{sub}} claim of the JSON Web Token.
Additionally, the public keys used for signature verification are typically
loaded from local files or static configurations.

*Problem 1: Hardcoded "sub" claim* In many modern Identity Providers (IdP) like
Keycloak, Auth0, or Okta, the {{sub}} claim is an immutable internal UUID
(e.g., {{f:836c-22...}}). Apache James, however, requires an email-format
username (like {{[email protected]}}). Currently, there is no way to tell
James to use another claim (e.g., {{preferred_username}}, {{email}}, or
{{uid}}) as the source of truth for the user identity.

*Problem 2: Static Public Key Management* Modern OIDC/OAuth2 architectures use
*JWKS (JSON Web Key Set)* endpoints to expose public keys. These keys are
subject to rotation for security reasons. Relying on a local static file for
the public key makes rotation complex and prone to service interruption.
> JMAP - Allow configurable OIDC user identifier field
> ----------------------------------------------------
>
> Key: JAMES-4195
> URL: https://issues.apache.org/jira/browse/JAMES-4195
> Project: James Server
> Issue Type: Improvement
> Components: JMAP
> Reporter: Jean-Baptiste
> Assignee: Antoine Duprat
> Priority: Major
>
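As an added example (not code from this ticket or from Apache James), the two proposed behaviours in Python: a kid-keyed JWKS cache that re-fetches once on an unknown kid so a rotated key is picked up, and a configurable claim that is mapped to the username only after the signature has been verified. To stay dependency-free it uses HS256 with JWK `oct` keys; an IdP's JWKS would carry RSA or EC public keys and the check would be RS256/ES256, but the key-selection and claim-mapping logic is the same. `JwksKeyResolver`, `username_from_token`, `fake_fetch_jwks`, `sign` and all key material are assumptions constructed for the example.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

class JwksKeyResolver:
    """Caches JWKS keys by 'kid'; re-fetches once on a miss so a rotated key is picked up."""
    def __init__(self, fetch_jwks):
        self.fetch_jwks = fetch_jwks  # callable returning the JWKS document as JSON text
        self.cache = {}

    def refresh(self):
        doc = json.loads(self.fetch_jwks())
        self.cache = {k["kid"]: b64url_decode(k["k"]) for k in doc["keys"] if k.get("kty") == "oct"}

    def key(self, kid):
        if kid not in self.cache:
            self.refresh()
        if kid not in self.cache:
            raise ValueError(f"unknown kid {kid!r}")
        return self.cache[kid]

def username_from_token(token, resolver, claim="sub"):
    """Verify the signature with the kid-selected key, then map the configured claim to the username."""
    h, p, s = token.split(".")  # ValueError on a malformed token
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # allow-list the algorithm; never let the token pick it
        raise ValueError("unsupported alg")
    key = resolver.key(header.get("kid"))
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("signature invalid")
    value = json.loads(b64url_decode(p)).get(claim)
    if not isinstance(value, str) or not value:
        raise ValueError(f"claim {claim!r} missing")
    return value

# Constructed sample IdP: opaque 'sub', address in 'email', JWKS with two key generations.
KEYS = {"k1": b"constructed-secret-k1", "k2": b"constructed-secret-k2"}

def fake_fetch_jwks():
    return json.dumps({"keys": [{"kty": "oct", "kid": k, "k": b64url_encode(v)} for k, v in KEYS.items()]})

def sign(claims, kid):
    h = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    return f"{h}.{p}." + b64url_encode(hmac.new(KEYS[kid], f"{h}.{p}".encode(), hashlib.sha256).digest())
```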
--
This message was sent by Atlassian Jira
(v8.20.10#820010)