[jira] [Commented] (JAMES-4195) JMAP - Allow configurable OIDC user identifier field

Thu, 18 Jun 2026 07:48:09 -0700 


    [ 
https://issues.apache.org/jira/browse/JAMES-4195?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18089933#comment-18089933
 ] 

Jean-Baptiste commented on JAMES-4195:
--------------------------------------

Hi Benoit,

This approach fits our needs perfectly and addresses both issues. Thanks for 
donating this implementation to the James community — please go ahead and keep 
me informed with release.
Best regards

> JMAP - Allow configurable OIDC user identifier field
> ----------------------------------------------------
>
>                 Key: JAMES-4195
>                 URL: https://issues.apache.org/jira/browse/JAMES-4195
>             Project: James Server
>          Issue Type: Improvement
>          Components: JMAP
>            Reporter: Jean-Baptiste
>            Assignee: Antoine Duprat
>            Priority: Major
>
> *Current Context:* In the current implementation of 
> {{JWTAuthenticationStrategy}} (notably used by the *JMAP* endpoint), the user 
> identity is strictly extracted from the {{sub}} claim of the JSON Web Token. 
> Additionally, the public keys used for signature verification are typically 
> loaded from local files or static configurations.
> *Problem 1: Hardcoded "sub" claim* In many modern Identity Providers (IdP) 
> like Keycloak, Auth0, or Okta, the {{sub}} claim is an immutable internal 
> UUID (e.g., {{{}f:836c-22...{}}}). Apache James, however, requires a email 
> format username  (like {{{}[email protected]{}}}). Currently, there is no way 
> to tell James to use another claim (e.g., {{{}preferred_username{}}}, 
> {{{}email{}}}, or {{{}uid{}}}) as the source of truth for the user identity.
> *Problem 2: Static Public Key Management* Modern OIDC/OAuth2 architectures 
> use *JWKS (JSON Web Key Set)* endpoints to expose public keys. These keys are 
> subject to rotation for security reasons. Relying on a local static file for 
> the public key makes rotation complex and prone to service interruption.
>  
> *Proposed Changes:*
>  # *Configurable Username Claim:* Introduce a configuration parameter to 
> define which JWT claim should be mapped to the James Username.
>  # *JWKS Endpoint Support:* Allow James to fetch and cache public keys 
> directly from a standard OIDC/JWKS URL instead of a local file.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to