[ 
https://issues.apache.org/jira/browse/JAMES-4195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069928#comment-18069928
 ] 

Benoit Tellier commented on JAMES-4195:
---------------------------------------

LINAGORA implemented an OpenID connect integration for Twake Mail.

Given consensus in the James community, I agree to donate this code base to the 
James community.

It addresses issues 1 and 2.

Key design points: 
 - Resolve against OIDC server (introspect + userinfo)
 - Uses a cache to limit OIDC calls
 - No JWT validation is done locally; we fully rely on the OIDC server (which is viable 
thanks to the cache)

Would this fit your need?

> JMAP - Allow configurable OIDC user identifier field
> ----------------------------------------------------
>
>                 Key: JAMES-4195
>                 URL: https://issues.apache.org/jira/browse/JAMES-4195
>             Project: James Server
>          Issue Type: Improvement
>          Components: JMAP
>            Reporter: Jean-Baptiste
>            Assignee: Antoine Duprat
>            Priority: Major
>
> *Current Context:* In the current implementation of 
> {{JWTAuthenticationStrategy}} (notably used by the *JMAP* endpoint), the user 
> identity is strictly extracted from the {{sub}} claim of the JSON Web Token. 
> Additionally, the public keys used for signature verification are typically 
> loaded from local files or static configurations.
> *Problem 1: Hardcoded "sub" claim* In many modern Identity Providers (IdP) 
> like Keycloak, Auth0, or Okta, the {{sub}} claim is an immutable internal 
> UUID (e.g., {{f:836c-22...}}). Apache James, however, requires an email-format 
> username (like {{[email protected]}}). Currently, there is no way 
> to tell James to use another claim (e.g., {{preferred_username}}, 
> {{email}}, or {{uid}}) as the source of truth for the user identity.
> *Problem 2: Static Public Key Management* Modern OIDC/OAuth2 architectures 
> use *JWKS (JSON Web Key Set)* endpoints to expose public keys. These keys are 
> subject to rotation for security reasons. Relying on a local static file for 
> the public key makes rotation complex and prone to service interruption.
>  
> *Proposed Changes:*
>  # *Configurable Username Claim:* Introduce a configuration parameter to 
> define which JWT claim should be mapped to the James Username.
>  # *JWKS Endpoint Support:* Allow James to fetch and cache public keys 
> directly from a standard OIDC/JWKS URL instead of a local file.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
