qpid-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Godfrey <rob.j.godf...@gmail.com>
Subject OAUTH2 authentication
Date Mon, 22 Feb 2016 13:54:00 GMT
Moving from an unrelated thread in private....

On 22 February 2016 at 13:24, Gordon Sim <gsim@redhat.com> wrote:

> On 22/02/16 13:03, Keith W wrote:
>
>>
>>
>
<... snip discussion from private@ ...>


> Separately on the OAuth2 thing, is there any write up/description of that?
> I know similar things have been requested/discussed at one time or another
> for other servers and clients. Having as much uniformity between components
> helps users and makes the overall project more compelling. Rather than
> cutting a new path through the forest, it would be good for the existing
> trail to be well known to all who might follow.
>

Most of the work on OAuth2 was really the integration with the broker's
HTTP Management Console and REST API - I'm not sure how relevant that is to
other clients/brokers.  There will be more user facing documentation for
the 6.1 release when we've added a UI to enable easier end-user
configuration.


>
> (Is there a SASL interchange defined for OAuth2?)
>
>
There are 2 different SASL mechanisms that have been put forward, which are
detailed on the JIRA (with links to the definitions):
https://issues.apache.org/jira/browse/QPID-7045.  I believe the Java Broker
currently only provides one of these - we should probably look to support
the IETF mechanism as well.

One issue is that while OAUTH2 gives authorization it doesn't provide the
authenticated identity.  Theoretically OpenID Connect should solve this
issue but this doesn't seem widely deployed... as such the process of
obtaining a user identity once in possession of an access token (which is
carried through the SASL exchange) is very much provider dependent.

-- Rob

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message