Isode Ltd

14 Castle Mews Hampton Middlesex TW12 2NP UK alexey.melnikov@isode.com

This document specifies an IMAP extension for generating quick reauthentication tokens that allow clients to re-login without user interaction, once authentication using a strong SASL mechanism is completed.

This document specifies an IMAP extension which is a protocol specific extension to Simple Authentication and Security Layer (SASL) framework for generation of proof-of-posession reauthentication tokens. Such tokens can be used for subsequent 1 roundtrip reauthentication using SASL mechanisms such as REMEMBERME and HT-*. The typical sequence of events is going to be like this: Client establishes IMAP connection protected by TLS on Connection 1. On Connection 1 the client authenticates using a strong SASL mechanism, which might be CPU intensive, and most likely requires user interaction, e.g., SCRAM with 2FA extension, PASSKEY. On Connection 1 the client requests reauthentication token using REMEMBERME command. <Connection gets interrupted or closed due to inactivity> Client establishes another IMAP connection protected by TLS on Connection N. The client then uses a previous issues quick reauthentication token with one of 1 round trip SASL mechanisms such as REMEMBERME and HT-*. The same token is reusable on other IMAP connections until it is replaced or revoked. IMAP servers advertise support for this extension by returning one or more TOKEN=<token-type> capabilities in the CAPABILITY response.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Token type REQUIRED TOKEN response code OK - new token successfully issued NO - authentication mechanism too week, unrecognized token type BAD - command unknown or arguments invalid, invalid state This command is only allowed in authenticated state. Upon receipt of REMEMBERME command the IMAP server checks that the specified token type is recognized and supported. If it is, it generates a new token of the requested type and returns it in the TOKEN response code in the tagged OK response. S: 24 OK Completed C: 25 REMEMBERME JWT S: 26 OK [TOKEN ] Completed ]]>

from [RFC3501] token-type = atom ;; SHOULD be registered with IANA resp-text-code =/ "TOKEN" SP base64-token base64-token = base64]]>

TBD. Regeister the IMAP capabilities and create a separate registry of token types.

TBD.