I have been thinking a lot lately about how to implement OAuthIMAP (OAuthIMAP (Google OAuth & Federated Login Research)) in Zimbra with the OAuth Provider Extension I posted here (OAuth Provider Extension for ZCS6.0).
I think it could be implemented like the following:
- When an IMAP AUTHENTICATE command with the mechanism parameter "OAUTH" is received by Nginx (ZimbraProxy), its payload is base64-decoded in Nginx like the other SASL mechanisms, and the decoded payload is sent to the NginxLookupExtension.
- From the payload, the NginxLookupExtension identifies the one ZimbraStore server on which the authenticated user has their mailbox and sends the ZimbraStore server info back to Nginx.
- Nginx proxies the IMAP AUTHENTICATE command with the mechanism parameter "OAUTH" to that ZimbraStore server.
- The ZimbraStore server receives the payload of the IMAP AUTHENTICATE command with the mechanism parameter "OAUTH" and sends an HTTP GET request to the OAuth Provider Extension to validate the OAuth token included in the payload.
(*) One obvious concern here is performance, because Nginx cannot use memcached to cache routing info for all OAuthIMAP sessions the way it can for SASL GSSAPI.
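As an added illustration of the lookup step (not code from this post or from Zimbra): a parser for the base64 SASL initial response, assuming the payload follows Google's XOAUTH layout (an HTTP method, a URL whose `/b/<user>/` path segment names the mailbox owner, and comma-separated quoted OAuth 1.0 parameters). The user it extracts is what the NginxLookupExtension would key the store lookup on, and the token is what the store server would hand to the OAuth Provider Extension; function names and sample values are constructed.

```python
import base64
import re
import time
from urllib.parse import urlparse, unquote

# Constructed sample payload in Google's XOAUTH layout; all values are made up.
SAMPLE_PAYLOAD = (
    'GET https://mail.example.com/mail/b/alice@example.com/imap/ '
    'oauth_consumer_key="anonymous",oauth_nonce="1234567890",'
    'oauth_signature="c2lnbmF0dXJl",oauth_signature_method="HMAC-SHA1",'
    'oauth_timestamp="{ts}",oauth_token="tokenABC",oauth_version="1.0"'
)
REQUIRED_PARAMS = {"oauth_consumer_key", "oauth_nonce", "oauth_signature",
                   "oauth_signature_method", "oauth_timestamp", "oauth_token"}
PARAM_RE = re.compile(r'(oauth_[a-z_]+)="([^"]*)"')


def parse_oauth_sasl(initial_response_b64, now=None, max_skew=300):
    """Decode the OAUTH SASL initial response; return (user, token, params).

    Raises ValueError on anything malformed so the caller can reject the
    AUTHENTICATE command before routing or calling the token validator.
    """
    try:
        raw = base64.b64decode(initial_response_b64, validate=True).decode("ascii")
    except ValueError as exc:
        raise ValueError("payload is not valid base64 ASCII") from exc
    parts = raw.split(" ", 2)
    if len(parts) != 3 or parts[0] != "GET":
        raise ValueError("expected '<method> <url> <params>'")
    _, url, param_blob = parts
    # The mailbox owner is the path segment after "/b/"; it selects the store server.
    segments = urlparse(url).path.split("/")
    if "b" not in segments or segments.index("b") + 1 >= len(segments):
        raise ValueError("URL does not name a mailbox user")
    user = unquote(segments[segments.index("b") + 1])
    params = dict(PARAM_RE.findall(param_blob))
    missing = REQUIRED_PARAMS - params.keys()
    if missing:
        raise ValueError("missing OAuth parameters: %s" % ", ".join(sorted(missing)))
    # Reject stale timestamps before spending an HTTP round trip on token validation.
    now = time.time() if now is None else now
    if abs(now - int(params["oauth_timestamp"])) > max_skew:
        raise ValueError("oauth_timestamp outside allowed window")
    return user, params["oauth_token"], params


def sample_response(ts=1700000000):
    """Base64-encode the constructed sample as an IMAP client would send it."""
    return base64.b64encode(SAMPLE_PAYLOAD.format(ts=ts).encode("ascii")).decode("ascii")
```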
What do you think about it?
Let me know your concerns or ideas.