JMAP authentication in Cyrus

Robert Stepanek rsto at
Fri Mar 10 06:38:50 EST 2017

Hi all,

I've just pushed an initial implementation of JMAP authentication on
Cyrus master. It follows the spec as defined in

This is a pre-release implementation with security impact for JMAP.
Other Cyrus protocols should not be affected.

We plan JMAP Auth to be part of the upcoming 3.0 release and might
further tweak it until release. If you have any ideas, please let me


- The JMAP HTTP handlers now enforce JMAP Auth. Unauthorised requests
are challenged with the Bearer auth scheme. If you wish to keep allowing
SASL-backed authentication (e.g. Basic Auth), set
`jmapauth_allowsasl=yes` in imapd.conf. Bearer auth is always enabled.
- Sessions are not replicated across servers, so load balancers must
stick requests to the right instance.
- Currently, the time-to-live of loginIds is 5 minutes and access tokens
never expire. This might change before 3.0 and will most probably become
- Please use the newly introduced `ctl_jmapauth` tool to regularly
remove unused access tokens or expired loginIds (`ctl_jmapauth` will get
a man page soon, until then please check the usage message).
- If you use Cassandane for testing, you will need to update both the
Cassandane and Mail-JMAPTalk Perl modules.
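As an added example (not part of this post and not Cyrus code), here is a small Python probe that checks the challenge behaviour described above from the operator's side: an unauthenticated request to the JMAP endpoint must get a 401 offering the Bearer scheme, and Basic must only be offered when `jmapauth_allowsasl=yes` is set. The endpoint URL and the exact realm strings are assumptions; the response parsing is tested offline on constructed headers.

```python
"""Probe a Cyrus JMAP endpoint for the documented auth challenge policy.

Added example, not Cyrus code. Assumes the JMAP endpoint URL is passed on
the command line (e.g. https://cyrus.example.test/jmap/, a placeholder) and
that the server answers unauthenticated requests with 401 plus a
WWW-Authenticate header.
"""
import sys
import urllib.error
import urllib.request


def parse_challenges(www_authenticate):
    """Return the lower-cased auth scheme names offered in a WWW-Authenticate value.

    One header may carry several challenges, e.g. 'Bearer realm="x", Basic realm="x"'.
    Parameters such as 'qop="auth"' after a comma are skipped (they contain '=').
    """
    schemes = set()
    for part in www_authenticate.split(","):
        token = part.strip().split(" ", 1)[0]
        if token and "=" not in token:
            schemes.add(token.lower())
    return schemes


def assess(status, headers, allowsasl_expected):
    """Evaluate one response against the policy: 401, Bearer always offered,
    Basic (SASL-backed) offered only if jmapauth_allowsasl=yes is configured."""
    if hasattr(headers, "get_all"):  # http.client.HTTPMessage: join repeated headers
        values = headers.get_all("WWW-Authenticate") or []
    else:  # plain dict, as used in the offline test
        values = [headers.get("WWW-Authenticate", "")]
    schemes = parse_challenges(",".join(values))
    bearer, basic = "bearer" in schemes, "basic" in schemes
    return {
        "challenged": status == 401,
        "bearer_offered": bearer,
        "sasl_offered": basic,
        "policy_ok": status == 401 and bearer and basic == allowsasl_expected,
    }


def probe(url, allowsasl_expected=False, timeout=10):
    """Send an unauthenticated GET to the JMAP URL and assess the challenge."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess(resp.status, resp.headers, allowsasl_expected)
    except urllib.error.HTTPError as err:
        return assess(err.code, err.headers, allowsasl_expected)


if __name__ == "__main__":
    # usage: probe.py <jmap-url> [allowsasl]  (second arg if imapd.conf has jmapauth_allowsasl=yes)
    print(probe(sys.argv[1], len(sys.argv) > 2 and sys.argv[2] == "allowsasl"))
```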


More information about the Cyrus-devel mailing list