[ https://issues.apache.org/jira/browse/QPID-7801?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16036709#comment-16036709 ]
Rob Godfrey commented on QPID-7801:
-----------------------------------
Apologies - I should have made clearer that I knew that the work on this JIRA
was not yet complete... I just wanted to get the main structural changes in -
fixing the validation to allow for URIs with variables still unsubstituted was
still on my list to complete.
{quote}
When an attempt is made to create an OAuth2 auth provider with
{{KeycloakOAuth2IdentityResolverService}} without setting URI attributes and
context variables {{$\{keycloak.baseUrl\}}} and {{$\{keycloak.domain\}}}, the
error reported by the Broker is not user friendly and it could be unclear how
to fix the problem.
{quote}
Yeah - this is a good point. I'll modify the validation here to check for
context variables which can't be substituted.
{quote}
AMQP connection authentication
{{SubjectCreator}} is created in a constructor of {{AMQPConnection_1_0Impl}}.
As a result, the virtual host can only be set in SubjectCreator via SNI.
Potentially, the implementation can be changed to create {{SubjectCreator}} in
{{#receiveSaslInit()}} and the virtual host can be taken from the {{"sasl-init"}}
performative in addition to {{SNI}}. That would allow virtual host
substitution to be used with {{SASL}} without TLS.
{quote}
The available SASL mechanisms for a connection need to be sent before we
receive the sasl-init. At this point we know which host was given in SNI, but
we don't have the sasl-init host yet. It seems weird to choose the available
mechanisms based on the SNI host, but then use a potentially different host to
instantiate the SubjectCreator; that's why I chose not to defer creation of the
SubjectCreator until we have received the sasl-init.
> [Java Broker] Allow variable substitution of virtualhost in OAuth2 resolver
> URIs
> ---------------------------------------------------------------------------------
>
> Key: QPID-7801
> URL: https://issues.apache.org/jira/browse/QPID-7801
> Project: Qpid
> Issue Type: Improvement
> Reporter: Rob Godfrey
> Assignee: Rob Godfrey
> Time Spent: 3h
> Remaining Estimate: 0h
>
> Allow substitution of address space (based on resolution of SNI / HTTPS HOST
> to vhost) in OAuth2 resolver URIs (to allow per vhost configuration). Add
> keycloak provider