Moving from an unrelated thread in private....

On 22 February 2016 at 13:24, Gordon Sim <[email protected]> wrote:

> On 22/02/16 13:03, Keith W wrote:
>
> <... snip discussion from private@ ...>
>
> Separately on the OAuth2 thing, is there any write up/description of that?
> I know similar things have been requested/discussed at one time or another
> for other servers and clients. Having as much uniformity between components
> helps users and makes the overall project more compelling. Rather than
> cutting a new path through the forest, it would be good for the existing
> trail to be well known to all who might follow.

Most of the work on OAuth2 was really the integration with the broker's HTTP Management Console and REST API - I'm not sure how relevant that is to other clients/brokers. There will be more user-facing documentation for the 6.1 release when we've added a UI to enable easier end-user configuration.

> (Is there a SASL interchange defined for OAuth2?)

There are 2 different SASL mechanisms that have been put forward, which are detailed on the JIRA (with links to the definitions): https://issues.apache.org/jira/browse/QPID-7045. I believe the Java Broker currently only provides one of these - we should probably look to support the IETF mechanism as well.

One issue is that while OAUTH2 gives authorization it doesn't provide the authenticated identity. Theoretically OpenID Connect should solve this issue but this doesn't seem widely deployed... as such the process of obtaining a user identity once in possession of an access token (which is carried through the SASL exchange) is very much provider dependent.

-- Rob
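The identity point at the end of the message, as an added example (not part of the thread and not Qpid code): assuming the IETF mechanism is OAUTHBEARER (RFC 7628), the server parses the client's initial response and takes the user from a provider-specific lookup of the token, rejecting any client-asserted authzid that disagrees. `resolve_identity`, `KNOWN_TOKENS`, the token value and the host and user names are constructed for illustration.

```python
from typing import Callable, Optional

KVSEP = "\x01"  # RFC 7628 key/value separator

class SaslError(Exception):
    """Raised for any malformed or rejected exchange."""

def parse_oauthbearer(initial_response: bytes) -> dict:
    """Split an RFC 7628 client initial response into authzid and bearer token."""
    try:
        text = initial_response.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise SaslError("not valid UTF-8") from exc
    header, sep, rest = text.partition(KVSEP)
    if not sep or not rest.endswith(KVSEP * 2):
        raise SaslError("bad message framing")
    parts = header.split(",")  # gs2 header: "n," [ "a=" authzid ] ","
    if len(parts) != 3 or parts[0] != "n" or parts[2]:
        raise SaslError("unsupported gs2 header")
    authzid = None
    if parts[1]:
        if not parts[1].startswith("a="):
            raise SaslError("bad authzid field")
        authzid = parts[1][2:].replace("=2C", ",").replace("=3D", "=")
    pairs = {}
    for kv in rest[:-2].split(KVSEP):
        key, eq, value = kv.partition("=")
        if not eq or not key.isalpha() or key in pairs:
            raise SaslError("bad key/value pair")
        pairs[key] = value
    scheme, _, token = pairs.get("auth", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise SaslError("no bearer token")
    return {"authzid": authzid, "token": token}

def authenticate(initial_response: bytes,
                 resolve_identity: Callable[[str], Optional[str]]) -> str:
    """Return the principal the provider vouches for, never the client's claim."""
    msg = parse_oauthbearer(initial_response)
    principal = resolve_identity(msg["token"])  # provider-dependent step
    if principal is None:
        raise SaslError("token rejected by provider")
    if msg["authzid"] not in (None, principal):
        raise SaslError("authzid does not match token identity")
    return principal

# Constructed sample data: a stand-in for a provider's token-to-user lookup.
KNOWN_TOKENS = {"tok-constructed-123": "alice@example.com"}
SAMPLE = (b"n,a=alice@example.com,\x01host=broker.example.com\x01port=5672"
          b"\x01auth=Bearer tok-constructed-123\x01\x01")

if __name__ == "__main__":
    print(authenticate(SAMPLE, KNOWN_TOKENS.get))
```

In a real deployment `resolve_identity` would be whatever the chosen provider offers for turning a token into a user, which is the provider-dependent step the message describes.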
