[ https://issues.apache.org/jira/browse/JAMES-3423?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17213538#comment-17213538 ]
René Cordier commented on JAMES-3423: ------------------------------------- [https://github.com/linagora/james-project/pull/3884] allows to specify different JWT keys for JMAP and webadmin > WebAdmin should have it's ownJWT public key > ------------------------------------------- > > Key: JAMES-3423 > URL: https://issues.apache.org/jira/browse/JAMES-3423 > Project: James Server > Issue Type: Improvement > Components: webadmin > Reporter: Benoit Tellier > Priority: Major > Labels: security > Fix For: 3.6.0 > > > Today, webadmin relies on JWT configuration for the JMAP protocol. > This brings concerns, as the tenant are distinct (users vs admins), and the > token issuers are likely distinct. > The compromission of a webmail service would today easily grant access to the > webadmin APIs. > As such it is desirable to be able to specify distinct keys for both > protocols. > In order to avoid breaking changes, if the webadmin JWT public key is > unspecified, we should fallback to the JMAP one. -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: server-dev-unsubscr...@james.apache.org For additional commands, e-mail: server-dev-h...@james.apache.org