[JAMES-3423] WebAdmin should have it's ownJWT public key - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 3.6.0
Component/s: webadmin
Labels:
- security

Description

Today, webadmin relies on JWT configuration for the JMAP protocol.

This brings concerns, as the tenant are distinct (users vs admins), and the token issuers are likely distinct.

The compromission of a webmail service would today easily grant access to the webadmin APIs.

As such it is desirable to be able to specify distinct keys for both protocols.

In order to avoid breaking changes, if the webadmin JWT public key is unspecified, we should fallback to the JMAP one.

Attachments

Activity

People

Assignee:: Unassigned

Reporter:: Benoit Tellier

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 11/Oct/20 02:20

Updated:: 14/Oct/20 02:42

Resolved:: 14/Oct/20 02:42