Luís Alves created ARTEMIS-5200:
-----------------------------------
Summary: OAuth Bearer Token Support
Key: ARTEMIS-5200
URL: https://issues.apache.org/jira/browse/ARTEMIS-5200
Project: ActiveMQ Artemis
Issue Type: New Feature
Reporter: Luís Alves
In line with Kafka
[KIP-768|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575],
Artemis should also provide bearer token support for authN and authZ.
Motivation is the same as in Kafka. I already use OAuth on many services that
have to communicate with the broker, so why not leverage the [OAuth 2.0
client credentials flow|https://oauth.net/2/grant-types/client-credentials/]?
The current integration with Keycloak on the
[examples|https://github.com/apache/activemq-artemis-examples/tree/main/examples/features/standard/security-keycloak]
is not great in terms of security. We have to give away our credentials to
Artemis and it uses them to do a [password
grant|https://oauth.net/2/grant-types/password]. This flow is strongly discouraged.
I think the major blocker is that Artemis is designed to do authN with a
username and a password. I only have experience with the Java client with CORE
protocol and I couldn't find any interceptor on the authN process to replace
the password field with a fresh token. With some workarounds it is possible to
make it work, but it is not a vanilla and supported solution.