Version: 0.16

OidcProvider

Configures the OAuth and OpenID Connect provider settings.

This object can be configured from the WebUI under Settings › Authentication › OIDC Provider.

Fields

authCodeMaxAttempts

Type: UnsignedInt · default: 3 · min: 1 · max: 1000

Number of failed login attempts before an authorization code is invalidated

anonymousClientRegistration

Type: Boolean · default: false

Whether to allow OAuth clients to register without authentication

requireClientRegistration

Type: Boolean · default: false

Whether to require OAuth client_ids to be registered before they can be used

authCodeExpiry

Type: Duration · default: "10m"

Expiration time of an authorization code issued by the authorization code flow

refreshTokenExpiry

Type: Duration · default: "30d"

Expiration time of an OAuth refresh token

refreshTokenRenewal

Type: Duration · default: "4d"

Remaining time in a refresh token before a new one is issued to the client

accessTokenExpiry

Type: Duration · default: "1h"

Expiration time of an OAuth access token

userCodeExpiry

Type: Duration · default: "30m"

Expiration time of a user code issued by the device authentication flow

idTokenExpiry

Type: Duration · default: "15m"

Expiration time of an OpenID Connect ID token

encryptionKey

Type: SecretKey · required

Encryption key to use for OAuth

signatureAlgorithm

Type: JwtSignatureAlgorithm · default: "hs256"

JWT signature algorithm to use for OpenID Connect.

signatureKey

Type: SecretText · required

Contents of the private key PEM used to sign JWTs for OpenID Connect.

JMAP API

The OidcProvider singleton is available via the urn:stalwart:jmap capability.

x:OidcProvider/get

This is a standard Foo/get method as defined in RFC 8620, Section 5.1.

For singletons, the ids argument should be the literal "singleton" (or null to return the single instance).

This method requires the sysOidcProviderGet permission.

curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      [
        "x:OidcProvider/get",
        {
          "ids": [
            "singleton"
          ]
        },
        "c1"
      ]
    ],
    "using": [
      "urn:ietf:params:jmap:core",
      "urn:stalwart:jmap"
    ]
  }'

x:OidcProvider/set

This is a standard Foo/set method as defined in RFC 8620, Section 5.3.

For singletons, only the update argument with id singleton is accepted; create and destroy arguments are rejected.

This method requires the sysOidcProviderUpdate permission.

curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      [
        "x:OidcProvider/set",
        {
          "update": {
            "singleton": {
              "authCodeMaxAttempts": 3
            }
          }
        },
        "c1"
      ]
    ],
    "using": [
      "urn:ietf:params:jmap:core",
      "urn:stalwart:jmap"
    ]
  }'
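As an added example (not part of the Stalwart documentation), the following Python extracts the OidcProvider singleton from an x:OidcProvider/get response and checks it against the constraints and defaults listed above; the Duration syntax (an integer followed by s, m, h or d) and the sample response are assumptions.

```python
import json
import re

# Constraints documented on this page for the OidcProvider singleton.
SIGNATURE_ALGORITHMS = {"es256", "es384", "ps256", "ps384", "ps512",
                        "rs256", "rs384", "rs512", "hs256", "hs384", "hs512"}
# Assumed Duration syntax: an integer followed by s, m, h or d (the page shows "10m", "1h", "30d").
DURATION_RE = re.compile(r"^(\d+)([smhd])$")
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def duration_seconds(value):
    """Convert a Duration string such as "30d" into seconds."""
    m = DURATION_RE.match(value)
    if not m:
        raise ValueError(f"unsupported Duration: {value!r}")
    return int(m.group(1)) * UNIT_SECONDS[m.group(2)]

def singleton_from_response(response):
    """Pull the singleton out of the Foo/get response (RFC 8620 methodResponses triples)."""
    for name, args, _call_id in response["methodResponses"]:
        if name == "x:OidcProvider/get":
            return args["list"][0]
    raise KeyError("no x:OidcProvider/get response in methodResponses")

def audit(cfg):
    """Return findings for an OidcProvider object; missing fields take the documented defaults."""
    findings = []
    attempts = cfg.get("authCodeMaxAttempts", 3)
    if not 1 <= attempts <= 1000:
        findings.append(f"authCodeMaxAttempts {attempts} is outside the documented range 1..1000")
    alg = cfg.get("signatureAlgorithm", "hs256")
    if alg not in SIGNATURE_ALGORITHMS:
        findings.append(f"signatureAlgorithm {alg!r} is not a JwtSignatureAlgorithm value")
    if cfg.get("anonymousClientRegistration", False):
        findings.append("anonymousClientRegistration is true: clients can register without authentication")
    if not cfg.get("requireClientRegistration", False):
        findings.append("requireClientRegistration is false: unregistered client_ids are accepted")
    renewal = duration_seconds(cfg.get("refreshTokenRenewal", "4d"))
    expiry = duration_seconds(cfg.get("refreshTokenExpiry", "30d"))
    if renewal >= expiry:
        findings.append("refreshTokenRenewal is not shorter than refreshTokenExpiry: every refresh would rotate the token")
    return findings

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = json.loads('''{"sessionState": "s1", "methodResponses": [["x:OidcProvider/get",
  {"accountId": "a1", "state": "1", "notFound": [], "list": [{"id": "singleton",
   "authCodeMaxAttempts": 3, "anonymousClientRegistration": true, "requireClientRegistration": false,
   "refreshTokenExpiry": "30d", "refreshTokenRenewal": "31d", "signatureAlgorithm": "hs256"}]}, "c1"]]}''')
```

Running audit(singleton_from_response(SAMPLE_RESPONSE)) on the constructed response yields three findings: anonymous registration enabled, registration not required, and a renewal window longer than the refresh token lifetime.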

CLI

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

Fetch

stalwart-cli get oidc-provider

Update

stalwart-cli update oidc-provider --field authCodeMaxAttempts=3

Nested types

SecretKey

A secret value provided directly, from an environment variable, or from a file.

SecretKeyValue

A secret value provided directly.

secret

Type: String · required · secret

Password or secret value

SecretKeyEnvironmentVariable

A secret value read from an environment variable.

variableName

Type: String · required

Environment variable name to read the secret from

SecretKeyFile

A secret value read from a file.

filePath

Type: String · required

File path to read the secret from

SecretText

A secret text value provided directly, from an environment variable, or from a file.

SecretTextValue

A secret text value provided directly.

secret

Type: Text · required · secret

Password or secret value

Enums

JwtSignatureAlgorithm

Value   Label
es256   ECDSA using P-256 and SHA-256
es384   ECDSA using P-384 and SHA-384
ps256   RSASSA-PSS using SHA-256 and MGF1 with SHA-256
ps384   RSASSA-PSS using SHA-384 and MGF1 with SHA-384
ps512   RSASSA-PSS using SHA-512 and MGF1 with SHA-512
rs256   RSASSA-PKCS1-v1_5 using SHA-256
rs384   RSASSA-PKCS1-v1_5 using SHA-384
rs512   RSASSA-PKCS1-v1_5 using SHA-512
hs256   HMAC using SHA-256
hs384   HMAC using SHA-384
hs512   HMAC using SHA-512