[midPoint] Feature Request - Email Approval

Arnošt Starosta arnost.starosta at ami.cz
Wed Feb 4 17:35:02 CET 2026


Hi Kyle,

I like the convenience of the feature but I'm very concerned about its security implications.

The current email infrastructure is improving but still brittle as an authorization channel.

  1. It's not a secure channel offering easy, let alone default, end-to-end encryption.
  2. Forging the sender's identity may still be easy depending on domain configuration and enforcement policies.
  3. Workitem ID is not a secret value.
  4. Time-limited token, if used, is not a secret value once transmitted in plaintext over email. Moreover, the necessary validity window in the approval context is drastically different from password resets and similar features.
  5. Mailboxes remain among the most attacked resources online.

There are multiple industry bodies explicitly warning against relying on email alone for authorization decisions.

The service providers offering email-based approval should make these limitations clear.

I would not use this feature given the current state of email security and would discourage clients from doing so without a thorough risk assessment.

Best Regards,
Arnost

________________________________
From: midPoint <midpoint-bounces at lists.evolveum.com> on behalf of Kyle Chau via midPoint <midpoint at lists.evolveum.com>
Sent: Monday, February 2, 2026 3:35 PM
To: midpoint at lists.evolveum.com <midpoint at lists.evolveum.com>
Cc: Kyle Chau <kylechaukccs at gmail.com>
Subject: [midPoint] Feature Request - Email Approval

Dear MidPoint team,

  I am interested in implementing an email approval feature as my individual contribution to the project. Would you please provide some insight on whether this suggestion would be accepted as a core feature? The implementation, from my understanding, involves the following:

  *   A sample message template that crafts the email approval content.
  *   A new task type for enabling and scheduling the mailbox processing.

  I can contribute to the design and development of this feature for the next six months.

  You may refer to the following for a high-level illustration on the proposal. Thank you.

  Do let me know if you have any questions.

https://github.com/KyleChaukccs/docs/blob/master/midpoint/features/planned/email-approval.adoc

Best Regards,
Kyle