This is an automated email from the ASF dual-hosted git repository.

chibenwa pushed a commit to branch 3.8.x
in repository https://gitbox.apache.org/repos/asf/james-project.git

commit 29dd481527fe39d875b50ee0280674d733c278a9
Author: Benoit TELLIER <[email protected]>
AuthorDate: Fri Jan 16 18:00:14 2026 +0100

    [ENHANCEMENT] Improve SASL OpenId doc
---
 .../docs/modules/ROOT/pages/configure/imap.adoc        | 18 ++++++++++++++++++
 .../docs/modules/ROOT/pages/configure/smtp.adoc        | 13 ++++++++-----
 2 files changed, 26 insertions(+), 5 deletions(-)

diff --git 
a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc 
b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc
index 6b8f6d68a1..bb1da25807 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/imap.adoc
@@ -65,6 +65,24 @@ Whether to enable Authentication PLAIN if the connection is 
not encrypted via SS
 | auth.oidc.scope
 | An OAuth scope that is valid to access the service (RF: RFC7628). Only 
configure this when you want to authenticate IMAP server using a OIDC provider.
 
+| auth.oidc.aud
+| An OAuth audience to access the service (RF: RFC7628). Only configure this 
when you want to authenticate IMAP server using a OIDC provider.
+Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false`
+
+| auth.oidc.introspection.url
+| Optional. An OAuth introspection token URL will be called to validate the 
token (RF: RFC7662).
+Required to harden access token validation, but can be relaxed with 
`-Djames.sasl.oidc.force.introspect=false`
+Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
+This endpoint is expected to return `aud`.
+
+| auth.oidc.introspection.auth
+| Optional. Provide Authorization in header request when introspecting token.
+Eg: `Basic xyz`
+
+| auth.oidc.userinfo.url
+| Optional. An Userinfo URL will be called to retrieve additional user 
information
+(RF: OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html).
+
 | timeout
 | Default to 30 minutes. After this time, inactive channels that have not 
performed read, write, or both operation for a while
 will be closed. Negative value disable this behaviour.
diff --git 
a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc 
b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc
index e5d9abb955..0b648b054a 100644
--- a/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc
+++ b/server/apps/distributed-app/docs/modules/ROOT/pages/configure/smtp.adoc
@@ -109,20 +109,23 @@ can be used to enforce strong authentication mechanisms.
 | auth.oidc.scope
 | An OAuth scope that is valid to access the service (RF: RFC7628). Only 
configure this when you want to authenticate SMTP server using a OIDC provider.
 
+| auth.oidc.aud
+| An OAuth audience to access the service (RF: RFC7628). Only configure this 
when you want to authenticate IMAP server using a OIDC provider.
+Compulsory but can be relaxed with `-Djames.sasl.oidc.validate.aud=false`
+
 | auth.oidc.introspection.url
 | Optional. An OAuth introspection token URL will be called to validate the 
token (RF: RFC7662).
-Only configure this when you want to validate the revocation token by the OIDC 
provider.
+Required to harden access token validation, but can be relaxed with 
`-Djames.sasl.oidc.force.introspect=false`
 Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
+This endpoint is expected to return `aud`.
 
 | auth.oidc.introspection.auth
 | Optional. Provide Authorization in header request when introspecting token.
 Eg: `Basic xyz`
 
 | auth.oidc.userinfo.url
-| Optional. An Userinfo URL will be called to validate the token (RF: 
OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html).
-Only configure this when you want to validate the revocation token by the OIDC 
provider.
-Note that James always verifies the signature of the token even whether this 
configuration is provided or not.
-James will ignore check token by userInfo if the `auth.oidc.introspection.url` 
is already configured
+| Optional. An Userinfo URL will be called to retrieve additional user 
information
+(RF: OpenId.Core https://openid.net/specs/openid-connect-core-1_0.html).
 
 | authorizedAddresses
 | Authorize specific addresses/networks.


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to