Hi all, I've just pushed an initial implementation of JMAP authentication on Cyrus master. It follows the spec as defined in http://jmap.io/spec-core.html#authentication.
This is a pre-release implementation with security impact for JMAP. Other Cyrus protocols should not be affected. We plan JMAP Auth to be part of the upcoming 3.0 release and might further tweak it until release. If you have any ideas, please let me know!

Caveats:

- The JMAP HTTP handlers now enforce JMAP Auth. Unauthorised requests are challenged with the Bearer auth scheme. If you wish to keep allowing SASL-backed authentication (e.g. Basic Auth), set `jmapauth_allowsasl=yes` in imapd.conf. Bearer auth is always enabled.
- Sessions are not replicated across servers, so load balancers must stick requests to the right instance.
- Currently, the time-to-live of loginIds is 5 minutes and access tokens never expire. This might change before 3.0 and will most probably become configurable.
- Please use the newly introduced `ctl_jmapauth` tool to regularly remove unused access tokens or expired loginIds (`ctl_jmapauth` will get a man page soon; until then please check the usage message).
- If you use Cassandane for testing, you will need to update both the Cassandane and Mail-JMAPTalk Perl modules.

Cheers,
Robert