qpid-users mailing list archives

From Rob Godfrey <rob.j.godf...@gmail.com>
Subject Re: OAUTH2 authentication
Date Tue, 23 Feb 2016 13:24:25 GMT
I think Gordon may be coming at this from a different angle...  if you
imagine a broker which can support authentication against multiple OAUTH2
providers from a single port... is there a way by which the client can
indicate which of those providers the access token is valid for
(alternatively, is this information already part of the access token)?

This, and my issue that the server is not (to my knowledge) able to
indicate to the client which providers it supports, makes the OAUTH2 SASL
mechanism less useful as it can only be used if there is prior knowledge
about exactly which provider MUST be used.

-- Rob

On 23 February 2016 at 12:48, Lorenz Quack <quack.lorenz@gmail.com> wrote:

>
>
> On 23/02/16 12:08, Gordon Sim wrote:
>
>> On 23/02/16 10:42, Lorenz Quack wrote:
>>
>>> On 22/02/16 18:36, Gordon Sim wrote:
>>>
>>>> What does the java broker use the sasl interchange for? Does it allow
>>>> AMQP connections to specify XOAUTH2?
>>>>
>>>
>>> Yes. In this scenario you would specify the access token as a password
>>> (the username gets ignored).
>>>
>>
>> Is there some way to specify the service the token is from?
>>
>>
> Not sure what exactly you mean. Maybe it helps if I explain briefly how
> this currently works.
> You configure an OAuth2AuthenticationProvider to use certain OAuth2
> authorization and token endpoints.
> You then associate the OAuth2AuthenticationProvider with a certain broker
> port.
> Currently, you can only associate a single AuthenticationProvider with
> each port.
> So the access_token will have to be from the authorization endpoint that
> works with the token endpoint configured on the
> OAuth2AuthenticationProvider associated with the port you connect to.
> Presumably that is the same authorization endpoint configured on the
> OAuth2AuthenticationProvider.
>
> Does that make sense and answer your question?
>
> Kind Regards,
> Lorenz