OidcProvider
Configures the OAuth and OpenID Connect provider settings.
This object can be configured from the WebUI under Settings › Authentication › OIDC Provider
Fields

authCodeMaxAttempts
Type: UnsignedInt · default: 3 · min: 1 · max: 1000
Number of failed login attempts before an authorization code is invalidated

anonymousClientRegistration
Type: Boolean · default: false
Whether to allow OAuth clients to register without authentication

requireClientRegistration
Type: Boolean · default: false
Whether to require OAuth client_ids to be registered before they can be used

authCodeExpiry
Type: Duration · default: "10m"
Expiration time of an authorization code issued by the authorization code flow

refreshTokenExpiry
Type: Duration · default: "30d"
Expiration time of an OAuth refresh token

refreshTokenRenewal
Type: Duration · default: "4d"
Remaining time in a refresh token before a new one is issued to the client

accessTokenExpiry
Type: Duration · default: "1h"
Expiration time of an OAuth access token

userCodeExpiry
Type: Duration · default: "30m"
Expiration time of a user code issued by the device authentication flow

idTokenExpiry
Type: Duration · default: "15m"
Expiration time of an OpenID Connect ID token

encryptionKey
Type: SecretKey · required
Encryption key to use for OAuth

signatureAlgorithm
Type: JwtSignatureAlgorithm · default: "hs256"
JWT signature algorithm to use for OpenID Connect.

signatureKey
Type: SecretText · required
Contents of the private key PEM used to sign JWTs for OpenID Connect.

JMAP API
The OidcProvider singleton is available via the urn:stalwart:jmap capability.

x:OidcProvider/get
This is a standard Foo/get method as defined in RFC 8620, Section 5.1.
For singletons, the ids argument should be the literal singleton (or null to return the single instance).
This method requires the sysOidcProviderGet permission.
```bash
# The Authorization header is double-quoted so the shell expands $TOKEN.
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:OidcProvider/get", {"ids": ["singleton"]}, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```

x:OidcProvider/set
This is a standard Foo/set method as defined in RFC 8620, Section 5.3.
For singletons, only the update argument with id singleton is accepted; create and destroy arguments are rejected.
This method requires the sysOidcProviderUpdate permission.
```bash
# The Authorization header is double-quoted so the shell expands $TOKEN.
curl -X POST https://mail.example.com/api \
  -H "Authorization: Bearer $TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "methodCalls": [
      ["x:OidcProvider/set", {"update": {"singleton": {"authCodeMaxAttempts": 3}}}, "c1"]
    ],
    "using": ["urn:ietf:params:jmap:core", "urn:stalwart:jmap"]
  }'
```

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

```bash
stalwart-cli get OidcProvider
```

Update

```bash
stalwart-cli update OidcProvider --field authCodeMaxAttempts=3
```

Nested types

SecretKey
A secret value provided directly, from an environment variable, or from a file.
Value: Secret value. Carries the fields of SecretKeyValue.
EnvironmentVariable: Secret read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
File: Secret read from file. Carries the fields of SecretKeyFile.

SecretKeyValue
A secret value provided directly.

secret
Type: String · required · secret
Password or secret value

SecretKeyEnvironmentVariable
A secret value read from an environment variable.

variableName
Type: String · required
Environment variable name to read the secret from

SecretKeyFile
A secret value read from a file.

filePath
Type: String · required
File path to read the secret from

SecretText
A secret text value provided directly, from an environment variable, or from a file.
Text: Secret value. Carries the fields of SecretTextValue.
EnvironmentVariable: Secret read from environment variable. Carries the fields of SecretKeyEnvironmentVariable.
File: Secret read from file. Carries the fields of SecretKeyFile.

SecretTextValue
A secret text value provided directly.

secret
Type: Text · required · secret
Password or secret value

JwtSignatureAlgorithm

| Value | Label |
|---|---|
| es256 | ECDSA using P-256 and SHA-256 |
| es384 | ECDSA using P-384 and SHA-384 |
| ps256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256 |
| ps384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384 |
| ps512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512 |
| rs256 | RSASSA-PKCS1-v1_5 using SHA-256 |
| rs384 | RSASSA-PKCS1-v1_5 using SHA-384 |
| rs512 | RSASSA-PKCS1-v1_5 using SHA-512 |
| hs256 | HMAC using SHA-256 |
| hs384 | HMAC using SHA-384 |
| hs512 | HMAC using SHA-512 |
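
A configuration review over the object returned by x:OidcProvider/get, as an added example that is not part of the Stalwart documentation or code. It flags the HMAC rows of the table above, open client registration, and token lifetimes. Assumptions: Duration values serialize as the strings shown in the field defaults, the sample response is constructed in the RFC 8620 /get shape, and the thresholds are this example's own.

```python
import re

# Assumption: durations are serialized as on this page ("10m", "1h", "30d"),
# i.e. one integer followed by one unit letter.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

def seconds(duration):
    m = re.fullmatch(r"(\d+)([smhd])", duration)
    if not m:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

# Review thresholds picked for this example; they are not Stalwart guidance.
MAX_ACCESS_TOKEN = seconds("1h")
MAX_AUTH_CODE = seconds("10m")

def audit(cfg):
    """Return (field, finding) pairs for one OidcProvider object."""
    out = []
    if cfg["signatureAlgorithm"].startswith("hs"):
        # HMAC is symmetric: whoever can verify a token can also sign one.
        out.append(("signatureAlgorithm", "symmetric key shared with verifiers"))
    if cfg["anonymousClientRegistration"]:
        out.append(("anonymousClientRegistration", "clients register unauthenticated"))
    if not cfg["requireClientRegistration"]:
        out.append(("requireClientRegistration", "unregistered client_ids accepted"))
    if seconds(cfg["accessTokenExpiry"]) > MAX_ACCESS_TOKEN:
        out.append(("accessTokenExpiry", "longer than review threshold"))
    if seconds(cfg["authCodeExpiry"]) > MAX_AUTH_CODE:
        out.append(("authCodeExpiry", "longer than review threshold"))
    if seconds(cfg["refreshTokenRenewal"]) >= seconds(cfg["refreshTokenExpiry"]):
        # Remaining lifetime is then always inside the renewal window.
        out.append(("refreshTokenRenewal", "not shorter than refreshTokenExpiry"))
    return out

# Constructed sample in the RFC 8620 /get response shape; secret fields omitted.
SAMPLE_RESPONSE = {"methodResponses": [["x:OidcProvider/get", {
    "accountId": "example", "state": "s1", "notFound": [],
    "list": [{"id": "singleton", "signatureAlgorithm": "hs256",
              "anonymousClientRegistration": True, "requireClientRegistration": False,
              "authCodeExpiry": "10m", "accessTokenExpiry": "12h",
              "refreshTokenExpiry": "30d", "refreshTokenRenewal": "4d"}]}, "c1"]]}

def audit_response(resp):
    name, args, _call_id = resp["methodResponses"][0]
    if name != "x:OidcProvider/get":
        raise ValueError(f"unexpected method response: {name}")
    return audit(args["list"][0])

if __name__ == "__main__":
    for field, finding in audit_response(SAMPLE_RESPONSE):
        print(f"{field}: {finding}")
```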