felixauringer commented on code in PR #2915:
URL: https://github.com/apache/james-project/pull/2915#discussion_r2704008407


##########
docs/modules/servers/partials/configure/imap.adoc:
##########
@@ -62,6 +62,25 @@ Whether to enable Authentication PLAIN if the connection is 
not encrypted via SS
 | auth.oidc.scope
 | An OAuth scope that is valid to access the service (RF: RFC7628). Only 
configure this when you want to authenticate IMAP server using a OIDC provider.
 
+| auth.oidc.aud
+| An OAuth audience to access the service (RF: RFC7628). Only configure this 
when you want to authenticate IMAP server using a OIDC provider.
+
+| auth.oidc.introspection.url
+| Optional. An OAuth introspection token URL will be called to validate the 
token (RF: RFC7662).
+Only configure this when you want to validate the revocation token by the OIDC 
provider.
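
Review bot: the `auth.oidc.introspection.url` entry says the endpoint is called "to validate the revocation token", but what James hands to the introspection endpoint is the client's access token; an RFC 7662 introspection response reports whether that token is still active, so the sentence should read along the lines of `Only configure this when you want James to ask the OIDC provider whether the access token has been revoked.` The entry should also state what James does when the response marks the token inactive (reject the IMAP login), so an operator reading the table knows the check fails closed rather than being best-effort.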

Review Comment:
   Isn't James validating the access token?



##########
docs/modules/servers/partials/configure/imap.adoc:
##########
@@ -62,6 +62,25 @@ Whether to enable Authentication PLAIN if the connection is 
not encrypted via SS
 | auth.oidc.scope
 | An OAuth scope that is valid to access the service (RF: RFC7628). Only 
configure this when you want to authenticate IMAP server using a OIDC provider.
 
+| auth.oidc.aud
+| An OAuth audience to access the service (RF: RFC7628). Only configure this 
when you want to authenticate IMAP server using a OIDC provider.
+
+| auth.oidc.introspection.url
+| Optional. An OAuth introspection token URL will be called to validate the 
token (RF: RFC7662).
+Only configure this when you want to validate the revocation token by the OIDC 
provider.
+Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
+This endpoint is expected to return `aud`.
+
+| auth.oidc.introspection.auth
+| Optional. Provide Authorization in header request when introspecting token.
+Eg: `Basic xyz`
+
+| auth.oidc.userinfo.url
+| Optional. An Userinfo URL will be called to validate the token (RF: 
OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html).
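
Review bot: `auth.oidc.introspection.auth` only gives `Eg: Basic xyz` and does not say how the value is used; the entry should state whether the value is sent verbatim as the `Authorization` header of the introspection request (so `xyz` must already be the base64 of the client credentials) and that it is a secret that belongs in protected configuration, not an example to copy. In the same hunk, `This endpoint is expected to return aud` should say what James does when the returned `aud` differs from `auth.oidc.aud` (it should reject the token), since that comparison is the reason the audience is configured at all.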

Review Comment:
   ```suggestion
   | Optional. A Userinfo URL will be called to retrieve additional user 
information (RF: OpenId.Core 
https://openid.net/specs/openid-connect-core-1_0.html).
   ```
   
   As far as I understand the standard, the userinfo endpoint does not perform 
any validation.



##########
docs/modules/servers/partials/configure/imap.adoc:
##########
@@ -62,6 +62,25 @@ Whether to enable Authentication PLAIN if the connection is 
not encrypted via SS
 | auth.oidc.scope
 | An OAuth scope that is valid to access the service (RF: RFC7628). Only 
configure this when you want to authenticate IMAP server using a OIDC provider.
 
+| auth.oidc.aud
+| An OAuth audience to access the service (RF: RFC7628). Only configure this 
when you want to authenticate IMAP server using a OIDC provider.
+
+| auth.oidc.introspection.url
+| Optional. An OAuth introspection token URL will be called to validate the 
token (RF: RFC7662).
+Only configure this when you want to validate the revocation token by the OIDC 
provider.
+Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
+This endpoint is expected to return `aud`.
+
+| auth.oidc.introspection.auth
+| Optional. Provide Authorization in header request when introspecting token.
+Eg: `Basic xyz`
+
+| auth.oidc.userinfo.url
+| Optional. An Userinfo URL will be called to validate the token (RF: 
OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html).
+Only configure this when you want to validate the revocation token by the OIDC 
provider.
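
Review bot: a few wording fixes across this hunk: `RF:` in `RF: RFC7628`, `RF: RFC7662` and `RF: OpenId.Core` is not a standard abbreviation, use `Ref:` in one consistent form such as `Ref: RFC 7662`; `An Userinfo URL` should be `A Userinfo URL`; and `even whether this configuration is provided or not` should read `whether or not this configuration is provided`. The sentence `Only configure this when you want to validate the revocation token by the OIDC provider` under `auth.oidc.userinfo.url` is copied from the introspection entry and should be reworded to describe what the userinfo call is actually for.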

Review Comment:
   Access token?



##########
docs/modules/servers/partials/configure/imap.adoc:
##########
@@ -62,6 +62,25 @@ Whether to enable Authentication PLAIN if the connection is 
not encrypted via SS
 | auth.oidc.scope
 | An OAuth scope that is valid to access the service (RF: RFC7628). Only 
configure this when you want to authenticate IMAP server using a OIDC provider.
 
+| auth.oidc.aud
+| An OAuth audience to access the service (RF: RFC7628). Only configure this 
when you want to authenticate IMAP server using a OIDC provider.
+
+| auth.oidc.introspection.url
+| Optional. An OAuth introspection token URL will be called to validate the 
token (RF: RFC7662).
+Only configure this when you want to validate the revocation token by the OIDC 
provider.
+Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
+This endpoint is expected to return `aud`.
+
+| auth.oidc.introspection.auth
+| Optional. Provide Authorization in header request when introspecting token.
+Eg: `Basic xyz`
+
+| auth.oidc.userinfo.url
+| Optional. An Userinfo URL will be called to validate the token (RF: 
OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html).
+Only configure this when you want to validate the revocation token by the OIDC 
provider.
+Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
+James will ignore check token by userInfo if the `auth.oidc.introspection.url` 
is already configured
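
Review bot: `James will ignore check token by userInfo if the auth.oidc.introspection.url is already configured` is hard to read and should be stated as an explicit precedence rule, e.g. `If both auth.oidc.introspection.url and auth.oidc.userinfo.url are configured, only the introspection endpoint is called and the userinfo endpoint is ignored.` The hunk should also say what happens when the configured endpoint is unreachable or returns an error: whether the login is rejected or James falls back to signature verification alone, because `James always verifies the signature of the token` can be read as implying the remote check is optional at runtime.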

Review Comment:
   The IdP server does not really perform a check.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

