[ https://issues.apache.org/jira/browse/ARTEMIS-5977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069862#comment-18069862 ]
Grzegorz Grzybek commented on ARTEMIS-5977:
-------------------------------------------
With ARTEMIS-5200, the {{cnf/x5t#256}} JWT claim (it's a SHA256 of DER-encoding
of X.509) is verified against the certificate from the mTLS layer - it's part
of the new {{OIDCLoginModule}}.
A LoginModule for this case would have to take the connection ID similarly to
the certificate (from
{{org.apache.activemq.artemis.spi.core.protocol.RemotingConnection}}) and
validate it with a value from the certificate (mTLS) or JWT (OIDC/OAuth2).
> JAAS login module that validates client id against subject principal
> --------------------------------------------------------------------
>
> Key: ARTEMIS-5977
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5977
> Project: Artemis
> Issue Type: Improvement
> Components: JAAS, MQTT
> Affects Versions: 2.53.0
> Reporter: Gary Tully
> Priority: Major
>
> To add proof of possession, such that an authentication token or client cert
> is pinned to a particular client, it is useful if the client id is
> validated.
> Consider the mTLS external certificate login module, that grants permissions
> based on the claims from SAN fields, and the identity from the CN. This could
> be augmented to further restrict the access based on the clientId provided on
> the connection, such that the cert is bound to a single clientId:
> only grant access when the CN matches the clientId.
> A secondary login module that just validates the client id provides a great
> way to compose this solution.
> It probably needs a regex match against the subjects, to deal with plain
> client ids or values from cert CNs.
> I wonder if it should also match a role principal?
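The two checks discussed above, the cnf thumbprint comparison from the comment (the RFC 8705 `x5t#S256` claim, a base64url SHA-256 of the DER certificate) and the client-id pinning against subject values via a regex from the issue description, as an added Python example; this is not Artemis code, and the DER bytes, subject strings and regex pattern are constructed for the demo:

```python
import base64
import hashlib
import hmac
import re

# Constructed stand-in for the DER-encoded X.509 certificate presented at the
# mTLS layer. Not a real certificate; the check only hashes the bytes.
CLIENT_CERT_DER = b"\x30\x82\x01\x00" + b"constructed-der-body-for-demo"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url(SHA-256(DER)) with padding stripped."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, cert_der: bytes) -> bool:
    """True only if the JWT's cnf thumbprint matches the cert actually presented."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False  # no binding claim: treat the token as unbound, never as a pass
    return hmac.compare_digest(expected.encode(), x5t_s256(cert_der).encode())


def client_id_allowed(client_id: str, subject_values: list, pattern: str) -> bool:
    """Pin the connection's client id to one of the subject values.

    subject_values may be plain ids or cert subject strings; `pattern` is a
    regex whose named group `id` extracts the comparable id (whole match if
    the group is absent). An empty client id is rejected.
    """
    if not client_id:
        return False
    rx = re.compile(pattern)
    for value in subject_values:
        m = rx.fullmatch(value)
        if m is None:
            continue
        extracted = m.groupdict().get("id") or m.group(0)
        if hmac.compare_digest(extracted.encode(), client_id.encode()):
            return True
    return False


def authorize(client_id: str, claims: dict, cert_der: bytes,
              subject_values: list, pattern: str) -> bool:
    """Compose both checks: token bound to this cert AND client id pinned."""
    return (token_bound_to_cert(claims, cert_der)
            and client_id_allowed(client_id, subject_values, pattern))
```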
--
This message was sent by Atlassian Jira
(v8.20.10#820010)