
feat(managesieve): add XOAUTH2 authentication mechanism

Open felixauringer opened this issue 5 months ago • 11 comments

As the managesieve server only supports plain authentication, here is a first implementation of XOAUTH2 as an additional authentication mechanism for managesieve.

I would be happy about feedback :)

felixauringer avatar Jul 23 '25 07:07 felixauringer

I added OAUTHBEARER authentication and some tests.

The authentication logic I wrote is very similar to james-project/server/protocols/protocols-smtp/src/main/java/org/apache/james/smtpserver/UsersRepositoryAuthHook.java or james-project/protocols/imap/src/main/java/org/apache/james/imap/processor/AuthenticateProcessor.java. I assume that those implement correct SASL XOAUTH2 but still decided to test many cases here.

I was not sure about using MPT and decided to implement a ManageSieveTestSystem like already existing for SMTP. As there is no managesieve client by Apache, I also had to write a small client.

I added tests for the whole authentication logic and found some bugs / non-standard-conforming behavior and tried to fix them. There is one test I did not get working so far: After sending the logout command, I would like to check that the server really closes the connection. This happens asynchronously but even when waiting multiple seconds, isConnected still returns true. The RFC says the server MUST close the connection and in my understanding of the code, it also does so (channel.writeAndFlush(Unpooled.EMPTY_BUFFER).addListener(ChannelFutureListener.CLOSE)).

> Also, out of curiosity, do we have a managesieve-compatible client?

Roundcube supports using managesieve with XOAUTH2/OAUTHBEARER.

I am working on the example and documentation, but if you have feedback to the tests before that, I would appreciate it :slightly_smiling_face:

felixauringer avatar Aug 15 '25 11:08 felixauringer

I have updated documentation and the oidc example. I added some CLI commands to test oidc authentication and made test.sh succeed. I did not test with thunderbird but my changes should not break the existing documentation on that.

felixauringer avatar Sep 08 '25 13:09 felixauringer


Failing tests seem to be related. Can we investigate this?

chibenwa avatar Sep 14 '25 20:09 chibenwa

The MPT tests are working again now.

The two logout tests which I added are still failing. As described above, I would like to keep those tests but do not know how to fix them.

There is also one test which I marked as disabled. It checks for malformed authentication data and currently fails but would also have failed with the original implementation. The current code is definitely too lenient when looking at the RFC, but I didn't know whether there was a specific reason to allow this case. (You also allow spaces as separators in the authentication data instead of null bytes. This is also not correct, but I left it as is and didn't write a test for it.) Are there any clients that rely on these non-RFC-compliant behaviors?

felixauringer avatar Oct 09 '25 07:10 felixauringer

Overall I agree with the proposed changes, but I would need clarifications on AUTHENTICATE "PLAIN" handling.

chibenwa avatar Oct 26 '25 15:10 chibenwa

> Overall I agree with the proposed changes, but I would need clarifications on AUTHENTICATE "PLAIN" handling.

Now, the behavior is the same except that the code is more strict when it comes to quoting. SASL mechanisms and the values sent by the client must be quoted according to the RFC. (In the RFC, there is the possibility of sending unquoted data which must be preceded by the length in the form {20+} but that was not supported before and is not supported now.)

felixauringer avatar Nov 24 '25 08:11 felixauringer
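The quoting rule described in the comment above, as an added example rather than the PR's own code: an RFC 5804 tokenizer for the AUTHENTICATE line that accepts quoted strings and rejects bare words. It goes beyond the PR by also accepting the {n+} literal form the comment mentions as unsupported. Class and function names are assumptions, not James APIs.

```python
import re
# Added example, not Apache James code: a strict tokenizer for the ManageSieve
# AUTHENTICATE command line per RFC 5804, where every argument is either a
# quoted string or a non-synchronizing literal {n+}. All names are mine.
class ProtocolError(ValueError):
    """Syntax the server should reject with NO instead of guessing at."""

def read_string(buf, pos):
    """Read one RFC 5804 string at buf[pos]; return (value, position after it)."""
    if buf.startswith(b'"', pos):
        out, i = bytearray(), pos + 1
        while i < len(buf) and buf[i] != 0x22:            # up to the closing "
            if buf[i] == 0x5C:                            # backslash escape
                i += 1
                if i >= len(buf) or buf[i] not in (0x22, 0x5C):
                    raise ProtocolError('only \\" and \\\\ may be escaped')
            elif buf[i] in (0x00, 0x0A, 0x0D):
                raise ProtocolError("NUL, CR and LF are not allowed in a quoted string")
            out.append(buf[i])
            i += 1
        if i >= len(buf):
            raise ProtocolError("unterminated quoted string")
        return bytes(out), i + 1
    m = re.match(rb"\{(\d+)\+\}\r\n", buf[pos:])
    if m:                                                 # literal: {n+} CRLF n octets
        start, n = pos + m.end(), int(m.group(1))
        if len(buf) < start + n:
            raise ProtocolError("literal shorter than the announced length")
        return buf[start:start + n], start + n
    raise ProtocolError("argument must be a quoted string or a {n+} literal")

def parse_authenticate(line):
    """(mechanism, initial response or None); bare words like AUTHENTICATE PLAIN fail."""
    if not line.upper().startswith(b"AUTHENTICATE "):
        raise ProtocolError("not an AUTHENTICATE command")
    mech, pos = read_string(line, len(b"AUTHENTICATE "))
    resp = None
    if line.startswith(b" ", pos):
        resp, pos = read_string(line, pos + 1)
    if line[pos:] != b"\r\n":
        raise ProtocolError("arguments must be followed by CRLF and nothing else")
    return mech.decode("ascii").upper(), None if resp is None else resp.decode("ascii")

def accepts(line):
    """True when the line parses; what a conformance test would assert on."""
    try:
        return parse_authenticate(line) is not None
    except (ProtocolError, UnicodeDecodeError):
        return False
```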

I do not understand the failing test; I have changed nothing related to the Postgres repository, I think.

felixauringer avatar Nov 24 '25 11:11 felixauringer

The test failure is unrelated.

I rescheduled a new build.

chibenwa avatar Nov 24 '25 15:11 chibenwa

https://ci-builds.apache.org/job/james/job/ApacheJames/job/PR-2773/23

org.apache.james.managesieveserver.AuthenticateTest.authenticatedStateUnlocksNewCommands

Failing for the past 1 build (Since Failed#23 )
Took 0.63 sec.
Error Message
expected: OK
 but was: NO
Stacktrace
org.opentest4j.AssertionFailedError: 

expected: OK
 but was: NO
	at org.apache.james.managesieveserver.AuthenticateTest.authenticatePlain(AuthenticateTest.java:227)
	at org.apache.james.managesieveserver.AuthenticateTest.authenticatedStateUnlocksNewCommands(AuthenticateTest.java:182)
	at java.base/java.lang.reflect.Method.invoke(Method.java:580)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)

This seems related. Could you please have a look?

chibenwa avatar Dec 01 '25 21:12 chibenwa

> This seems related. Could you please have a look?

Yes, should be fixed now.

I can give a hand with the picky test suite if of any use.

Thanks for the offer! But this time it was not the testsuite but just a plain programming error by me. I thought I could make this small change without running the tests locally but that didn't work apparently :sweat_smile: However, there are still 2 disabled tests where I wanted to check whether the server really closes the connection but I couldn't get them to work so far.

felixauringer avatar Dec 02 '25 10:12 felixauringer

> I can give a hand with the picky test suite if of any use.

Good job it's :green_apple: :-)

chibenwa avatar Dec 02 '25 11:12 chibenwa

Recent changes regarding SASL improvement impact this PR

10:42:32,414 [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.14.0:compile (default-compile) on project protocols-managesieve: Compilation failure: Compilation failure: 
10:42:32,414 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java:[27,38] cannot find symbol
10:42:32,414 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,414 [ERROR]   location: package org.apache.james.protocols.api
10:42:32,414 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java:[57,14] cannot find symbol
10:42:32,414 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,414 [ERROR]   location: interface org.apache.james.managesieve.api.Session
10:42:32,414 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/api/Session.java:[59,44] cannot find symbol
10:42:32,414 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,414 [ERROR]   location: interface org.apache.james.managesieve.api.Session
10:42:32,414 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java:[34,38] cannot find symbol
10:42:32,414 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,414 [ERROR]   location: package org.apache.james.protocols.api
10:42:32,414 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java:[40,19] cannot find symbol
10:42:32,414 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,414 [ERROR]   location: class org.apache.james.managesieve.core.OAUTHAuthenticationProcessor
10:42:32,414 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/core/OAUTHAuthenticationProcessor.java:[42,41] cannot find symbol
10:42:32,414 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,415 [ERROR]   location: class org.apache.james.managesieve.core.OAUTHAuthenticationProcessor
10:42:32,415 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java:[28,38] cannot find symbol
10:42:32,415 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,415 [ERROR]   location: package org.apache.james.protocols.api
10:42:32,415 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java:[36,22] cannot find symbol
10:42:32,415 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,415 [ERROR]   location: class org.apache.james.managesieve.util.SettableSession
10:42:32,415 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java:[89,21] cannot find symbol
10:42:32,415 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,415 [ERROR]   location: class org.apache.james.managesieve.util.SettableSession
10:42:32,415 [ERROR] /home/jenkins/workspace/james_ApacheJames_PR-2773/protocols/managesieve/src/main/java/org/apache/james/managesieve/util/SettableSession.java:[94,51] cannot find symbol
10:42:32,415 [ERROR]   symbol:   class OidcSASLConfiguration
10:42:32,415 [ERROR]   location: class org.apache.james.managesieve.util.SettableSession
10:42:32,415 [ERROR] -> [Help 1]

A rebase is needed. If needed I can do it.

chibenwa avatar Dec 17 '25 10:12 chibenwa