Date: 2022-09-13
Accepted (lazy consensus).
Implemented.
Complements ADR 51.
ADR 51 describes work required for OIDC adoption within James.
This work enables the use of an OIDC access token to authenticate over IMAP and SMTP. It validates the signature of the token using cryptographic material exposed by the Identity Provider server through a JWKS endpoint. Yet no effort is made to check whether the access token in question has been revoked, which can pose a security threat.
The OIDC ecosystem can support the following mechanisms to determine whether an access token has been revoked:
Also, we need to keep in mind that OIDC validation is only performed when establishing the connection in IMAP/SMTP (as they are connected protocols), which differs from stateless protocols like HTTP. The performance impact of token introspection is thus lower for connected protocols.
Allow opt-in use of an introspection endpoint to further secure the IMAP/SMTP OIDC implementation.
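As an added illustration (not James code), the following Python sketches what the opt-in introspection step looks like at connection establishment: build an RFC 7662 introspection request for the access token, then decide from the Identity Provider's JSON answer whether the IMAP/SMTP login may proceed. The endpoint URL, client id, client secret and sample responses are constructed values.

```python
import base64
import json
import time
from typing import Optional
from urllib.parse import urlencode
from urllib.request import Request

# Constructed values for illustration; a real deployment takes the endpoint and
# the client credentials from the Identity Provider's configuration.
INTROSPECTION_URL = "https://idp.example.invalid/oauth2/introspect"
CLIENT_ID = "james-imap"
CLIENT_SECRET = "constructed-secret"


def build_introspection_request(token: str) -> Request:
    """RFC 7662 request: form-encoded token, client authenticated with HTTP Basic."""
    creds = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    body = urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    return Request(
        INTROSPECTION_URL,
        data=body,
        method="POST",
        headers={
            "Authorization": f"Basic {creds}",
            "Content-Type": "application/x-www-form-urlencoded",
            "Accept": "application/json",
        },
    )


def is_token_active(introspection_json: str, expected_user: str, now: Optional[float] = None) -> bool:
    """Accept the login only if the IdP reports the token active and, where given,
    'exp' has not elapsed and 'username' matches the user logging in."""
    now = time.time() if now is None else now
    try:
        resp = json.loads(introspection_json)
    except json.JSONDecodeError:
        return False  # a malformed answer is treated as revoked, never as valid
    if not isinstance(resp, dict) or resp.get("active") is not True:
        return False  # revoked, expired or unknown token: reject the connection
    exp = resp.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return False  # still reported active, but its lifetime has already elapsed
    username = resp.get("username")
    if username is not None and username != expected_user:
        return False  # token was issued to a different principal than the one logging in
    return True
```

Because IMAP and SMTP are connected protocols, this check runs once per connection rather than per request, which is why the ADR considers its cost acceptable.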
Security gains for the IMAP/SMTP OIDC implementation in James.