JMAP authentication in Cyrus

Robert Stepanek rsto at paranoia.at
Fri Mar 10 06:38:50 EST 2017


Hi all,

I've just pushed an initial implementation of JMAP authentication on
Cyrus master. It follows the spec as defined in
http://jmap.io/spec-core.html#authentication.

This is a pre-release implementation with security impact for JMAP.
Other Cyrus protocols should not be affected.

We plan JMAP Auth to be part of the upcoming 3.0 release and might
further tweak it until release. If you have any ideas, please let me
know!

Caveats:

- The JMAP HTTP handlers now enforce JMAP Auth. Unauthorised requests
are challenged with the Bearer auth scheme. If you wish to keep allowing
SASL-backed authentication (e.g. Basic Auth), set
`jmapauth_allowsasl=yes` in imapd.conf. Bearer auth is always enabled.
- Sessions are not replicated across servers, so load balancers must
stick requests to the right instance.
- Currently, the time-to-live of loginIds is 5 minutes and access tokens
never expire. This might change before 3.0 and will most probably become
configurable. 
- Please use the newly introduced `ctl_jmapauth` tool to regularly
remove unused access tokens or expired loginIds (`ctl_jmapauth` will get
a man page soon, until then please check the usage message).
- If you use Cassandane for testing, you will need to update both the
Cassandane and Mail-JMAPTalk Perl modules.

Cheers,
Robert
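The post describes a two-step JMAP login (a short-lived loginId, then an access token), Bearer-only HTTP authentication unless `jmapauth_allowsasl` is set, loginIds that expire after 5 minutes, tokens that never expire on their own, and a `ctl_jmapauth` tool for pruning. The following is an added example, written for this page and not Cyrus's code, that models those rules in one small server-side store so the lifetimes and the pruning step can be seen end to end. It assumes the loginId/token flow as sketched above, the `check_password` callback and the `allow_sasl` flag are stand-ins for Cyrus's own password backend and config option, hashing the stored secrets is this example's own design choice, and the `realm="jmap"` value is a placeholder.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

LOGINID_TTL = 5 * 60  # seconds: the 5-minute loginId lifetime the post mentions


def _digest(secret: str) -> str:
    # Only a hash of each loginId/token is stored, so a leaked store is not a
    # bag of usable credentials. (Design choice of this example, not Cyrus's.)
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


@dataclass
class JmapAuthStore:
    # Password verifier standing in for the site's real backend (assumed).
    check_password: Callable[[str, str], bool]
    # Analogue of the jmapauth_allowsasl switch: Bearer is always accepted,
    # Basic only when this is True.
    allow_sasl: bool = False
    # hashed loginId -> (username, issued_at)
    login_ids: Dict[str, Tuple[str, float]] = field(default_factory=dict)
    # hashed access token -> (username, last_used_at)
    tokens: Dict[str, Tuple[str, float]] = field(default_factory=dict)

    def start_login(self, username: str, now: float) -> str:
        """Step 1: client names a user, server hands back a short-lived loginId."""
        login_id = secrets.token_urlsafe(16)
        self.login_ids[_digest(login_id)] = (username, now)
        return login_id

    def complete_login(self, login_id: str, password: str, now: float) -> Optional[str]:
        """Step 2: loginId + password in, access token out (or None)."""
        key = _digest(login_id)
        entry = self.login_ids.get(key)
        if entry is None:
            return None
        username, issued_at = entry
        if now - issued_at > LOGINID_TTL:
            del self.login_ids[key]  # expired: the client has to start over
            return None
        if not self.check_password(username, password):
            return None  # wrong password; loginId stays usable until its TTL ends
        del self.login_ids[key]  # a loginId is consumed by a successful login
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (username, now)  # no expiry of its own
        return token

    def authenticate(self, authorization: Optional[str], now: float) -> Optional[str]:
        """Map an HTTP Authorization header to a username, or None if it fails."""
        if not authorization:
            return None
        scheme, _, credential = authorization.strip().partition(" ")
        credential = credential.strip()
        scheme = scheme.lower()
        if scheme == "bearer" and credential:
            key = _digest(credential)
            entry = self.tokens.get(key)
            if entry is None:
                return None
            username, _ = entry
            self.tokens[key] = (username, now)  # record use so idle tokens can be pruned
            return username
        if scheme == "basic" and self.allow_sasl and credential:
            try:
                user, sep, password = base64.b64decode(credential).decode("utf-8").partition(":")
            except ValueError:  # bad base64 or not UTF-8
                return None
            if sep and self.check_password(user, password):
                return user
            return None
        return None  # unknown scheme, or Basic while the SASL fallback is disabled

    def prune(self, now: float, token_idle_limit: float) -> Tuple[int, int]:
        """Housekeeping in the spirit of ctl_jmapauth: drop expired loginIds and tokens
        unused for more than token_idle_limit seconds. Returns (loginIds, tokens) removed."""
        stale = [k for k, (_, t) in self.login_ids.items() if now - t > LOGINID_TTL]
        idle = [k for k, (_, t) in self.tokens.items() if now - t > token_idle_limit]
        for k in stale:
            del self.login_ids[k]
        for k in idle:
            del self.tokens[k]
        return len(stale), len(idle)


def challenge() -> Tuple[int, Dict[str, str]]:
    """What an unauthenticated JMAP request gets back: 401 plus a Bearer challenge.
    The realm value is a placeholder, not Cyrus's."""
    return 401, {"WWW-Authenticate": 'Bearer realm="jmap"'}
```

Because access tokens carry no expiry, `prune()` is the only thing that ever retires one here, which is exactly why the post asks for `ctl_jmapauth` to be run regularly; the `token_idle_limit` argument is this example's way of defining "unused". Passing `now` explicitly keeps the lifetimes testable without a clock.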
