Secure authentication (mobile) #207
Comments

Issues:
- TODO write an ADR for TMail
- See https://github.com/linagora/james-project-private/pull/226 for the ADR

Flow details:
- Authentication against a TMail server (first connection)
- Authentication against a TMail server (later connections)
- Authentication against a regular JMAP server (first connection)
- Authentication against a regular JMAP server (later connections)
- Web authentication against a TMail server
- Web authentication against a regular JMAP server
- Use of basic authentication.
CF linagora/tmail-flutter#28
TMail backend offers better option
The first call is done with basic authentication to get the session (credentials are so far kept in memory on the device side).
If the session contains the
com:linagora:long:lived:token
then the client does a second call (authenticated with basic auth):
Will return:
TMail mobile then stores this long lived token. Given that token, TMail will not need user input upon connection.
This long lived token can be used to generate short lived JWT token that can be used for auth.
Example:
Will return:
(if the device id matches, fails otherwise) - (also please note that this token will need to be frequently renewed ;-) frequent renewal enforces security.)
And follow up requests can be done with:
Note that one:
E.g.:
Will return :
To revoke access to my iOS device:
And again, if the account does not support this extension, we NEED to support basic authentication.
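The client-side flow described above, modelled as an added Python example (it is not code from the TMail backend or tmail-flutter). The HTTP endpoints and JSON bodies of the token calls are not given on this page, so they are replaced by a constructed in-process server stub; the only identifier taken from the issue is the capability name `com:linagora:long:lived:token`. The example shows the decision the client has to make from the JMAP session (long-lived-token flow vs. plain basic auth fallback), keeping the password only as long as needed, the device-id check on exchange, renewal of the short-lived JWT before expiry, and what revoking the long-lived token does to later requests.

```python
import base64
import json

# Capability name quoted in the issue; everything below it is constructed.
LONG_LIVED_CAP = "com:linagora:long:lived:token"


def basic_auth_header(username, password):
    """RFC 7617 Basic credentials: used once to fetch the session, or on
    every request when the server lacks the extension."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Authorization": f"Basic {token}"}


def supports_long_lived_token(session):
    """JMAP servers advertise extensions in the session 'capabilities' object."""
    return LONG_LIVED_CAP in session.get("capabilities", {})


def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unsigned_jwt(claims):
    """Constructed token shaped like a JWT; 'sig' stands in for a real signature."""
    return f"{_b64url({'alg': 'HS256', 'typ': 'JWT'})}.{_b64url(claims)}.sig"


def jwt_expiry(jwt_token):
    """Read 'exp' from the payload without verifying the signature: the client
    only needs to know when to renew; verification is the server's job."""
    payload_b64 = jwt_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)
    return json.loads(base64.urlsafe_b64decode(payload_b64))["exp"]


def needs_renewal(jwt_token, now, leeway=30):
    """Renew shortly before expiry so a request never goes out with a dead token."""
    return jwt_expiry(jwt_token) - now <= leeway


class FakeTMailServer:
    """Constructed stand-in for the backend, modelling the behaviour the issue describes."""

    def __init__(self, has_extension, jwt_lifetime=300):
        self.has_extension = has_extension
        self.jwt_lifetime = jwt_lifetime
        self.tokens = {}  # long-lived token -> device id it was issued to

    def get_session(self, headers):
        assert headers["Authorization"].startswith("Basic ")
        caps = {"urn:ietf:params:jmap:core": {}}
        if self.has_extension:
            caps[LONG_LIVED_CAP] = {}
        return {"capabilities": caps}

    def create_long_lived_token(self, headers, device_id):
        assert headers["Authorization"].startswith("Basic ")
        token = f"llt-{len(self.tokens)}"  # constructed opaque token
        self.tokens[token] = device_id
        return token

    def exchange_long_lived_token(self, token, device_id, now):
        # The issue: exchange succeeds only if the device id matches, fails otherwise.
        if self.tokens.get(token) != device_id:
            raise PermissionError("unknown token or device id mismatch")
        return unsigned_jwt({"sub": "user", "exp": now + self.jwt_lifetime})

    def revoke(self, token):
        self.tokens.pop(token, None)


class MobileAuthClient:
    def __init__(self, server, device_id):
        self.server = server
        self.device_id = device_id
        self.long_lived_token = None  # persisted on the device
        self.short_lived_jwt = None   # kept in memory only
        self.fallback_basic = None    # credentials retained only without the extension

    def first_connection(self, username, password):
        headers = basic_auth_header(username, password)
        session = self.server.get_session(headers)
        if supports_long_lived_token(session):
            self.long_lived_token = self.server.create_long_lived_token(headers, self.device_id)
            return "long-lived-token"  # password can now be dropped
        self.fallback_basic = headers
        return "basic"

    def auth_header(self, now):
        """Header for a follow-up request at time `now` (seconds)."""
        if self.fallback_basic is not None:
            return self.fallback_basic
        if self.short_lived_jwt is None or needs_renewal(self.short_lived_jwt, now):
            self.short_lived_jwt = self.server.exchange_long_lived_token(
                self.long_lived_token, self.device_id, now)
        return {"Authorization": f"Bearer {self.short_lived_jwt}"}
```

A real client would persist `long_lived_token` in the platform keystore and never write the password or the short-lived JWT to disk; the stub's `revoke` shows why the long-lived token is the right thing to revoke per device: once it is gone, the next renewal fails and the device is locked out without touching the user's password.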