Overview
OAuth (Open Authorization) is an open standard protocol designed to allow secure, token-based authentication and authorization between applications and services. Its primary objective is to provide a mechanism for third-party applications to access user resources on behalf of the user without requiring the user's credentials, such as passwords, to be shared. Instead of sending sensitive login information, OAuth uses access tokens to grant limited permissions to access specific resources.
Authorization Flows
OAuth 2.0 defines several authorization flows designed to accommodate different types of clients and use cases. Each flow provides a secure mechanism for obtaining an access token that grants permission to access resources on behalf of a user.
Tokens
OAuth tokens are at the core of the OAuth 2.0 protocol, serving as the mechanism through which secure access to protected resources is granted. Instead of relying on user credentials such as usernames and passwords, OAuth tokens are issued to clients by the authorization server to allow access to specific resources for a limited period and scope. These tokens provide a more secure, flexible, and efficient way to manage access control across various applications and services.
Dynamic Registration
The OAuth Dynamic Client Registration Protocol (RFC 7591) is an extension of the OAuth 2.0 framework that allows clients to register with an OAuth server dynamically, without manual intervention by an administrator. In a typical OAuth setup, clients are pre-registered with the authorization server, meaning an administrator manually assigns a client ID and secret before the client can interact with the server. However, in environments where many different applications or devices need to connect, such as cloud-based services or Internet of Things (IoT) deployments, manually registering clients can become inefficient and burdensome.
Interoperability
OAuth is widely used in web-based applications to provide secure, token-based authentication and authorization. In Stalwart Mail Server, OAuth can be used seamlessly to access JMAP as well as its Webadmin or self-service portals, as these are web-based interfaces that natively support OAuth flows. This usage aligns with the typical OAuth implementation where users authenticate through a browser, and the application interacts with the OAuth server to obtain and validate access tokens.
Endpoints
Stalwart Mail Server provides multiple OAuth endpoints to facilitate secure authentication and authorization processes. These endpoints allow clients to interact with the OAuth server for tasks such as obtaining access tokens, authorizing devices, and validating tokens. Below is a description of the available endpoints and their functions.