Document authentication discovery on top of JMAP #353
Comments
|
https://jmap.io/server.html#401-unauthorized I still believe this deserves more visibility... By the way the scope of this best practice is not limited to |
|
I'm not sure this is the best place to bring this up, but a way to discover an OAuth server (IIRC there are already specifications for dynamic registration for client-based software) to authenticate to the server could also be really useful. |
|
While more discussion of this in the client and server guides is worthwhile, I do not think there is anything we need or really can do with specs here. JMAP uses HTTP, therefore uses HTTP authentication. Earlier versions of the draft tried to introduce an authentication protocol as well, but this was too contentious to get through the IETF standardisation process so was dropped. In practice, Basic and OAuth are the two authentication mechanisms that are likely to be commonly implemented. We can't mandate one or the other (for example Google would be unlikely to allow Basic auth, as they are generally moving to OAuth only, while others are unlikely to want to add that complexity). It's not an ideal situation, but it's no different to the current IMAP/SMTP situation, where we have exactly the same situation OAuth itself has many different extensions, including dynamic client registration; again it's unfortunately out of scope of the JMAP spec to require particular extensions to be implemented. |
|
I am fine with detailing this in the client / server guides. |
Issue
Authentication discovery is a major interoperability concern on top of JMAP, thus defeating the inter-operability goal of JMAP, turning this standard merely into the webMail industry best practice.
As a third-party client, I have no prior knowledge of the authentication schemes supported by the JMAP server. As a third-party client, I need a way to discover supported authentication scheme (to ease end user configuration options).
Standards that solves this issue
Luckily, RFC-2617 (https://tools.ietf.org/html/rfc2617#section-3.2.1) about HTTP authentication introduce such a mechanism through
WWW-Authenticateheader. A failed 401 authentication would result in this header being positioned, allowing discovery for the client of the supported authentication mechanisms. The client can then set up the authentication mechanism it supports and prefer, without requiring user input.https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/WWW-Authenticate further
RFC-7235 updates RFC-2617 (https://tools.ietf.org/html/rfc7235#section-4.1)
So far JMAP implementation do not emntionWWW-Authenticate header field.
Here is an example of multi-challenge WWW-Authenticate header (RFC-7235):
Please note that this header also can be used, if desired, to give hints toward why auth failed... Example (https://tools.ietf.org/html/rfc6750#section-3):
A full list of standard auth shemes is available here: http://www.iana.org/assignments/http-authschemes/http-authschemes.xhtml
Sadly, RFC-8620 do not mention the existence of RFC-7235 nor the existence of WWW-Authenticate header.
Proposal
My true feeling is that the above mentioned best practices needs at least to be documented, at most mandated.
Also, connecting James with LTT.RS I got lucky that we had an authentication mechanism in common... Maybe some common ground needs to be find here too?
Related links
Hypertext Transfer Protocol (HTTP/1.1): AuthenticationWWW-Authenticate web docThe text was updated successfully, but these errors were encountered: