[ 
https://issues.apache.org/jira/browse/ARTEMIS-5977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18069862#comment-18069862
 ] 

Grzegorz Grzybek edited comment on ARTEMIS-5977 at 3/31/26 10:46 AM:
---------------------------------------------------------------------

With ARTEMIS-5200, the {{cnf/x5t#256}} JWT claim (it's a SHA256 of DER-encoding 
of X.509) is verified against the certificate from the mTLS layer - it's part 
of the new {{OIDCLoginModule}}.

A LoginModule for this case would have to take the connection ID similarly to 
the certificate (from 
{{org.apache.activemq.artemis.spi.core.protocol.RemotingConnection}}) and 
validate it with a value from the certificate (mTLS) or JWT (OIDC/OAuth2).

Client ID is in 
{{org.apache.activemq.artemis.spi.core.protocol.RemotingConnection#getClientID()}}.


was (Author: gzres):
With ARTEMIS-5200, the {{cnf/x5t#256}} JWT claim (it's a SHA256 of DER-encoding 
of X.509) is verified against the certificate from the mTLS layer - it's part 
of the new {{OIDCLoginModule}}.

A LoginModule for this case would have to take the connection ID similarly to 
the certificate (from 
{{org.apache.activemq.artemis.spi.core.protocol.RemotingConnection}}) and 
validate it with a value from the certificate (mTLS) or JWT (OIDC/OAuth2).

> JAAS login module that validates client id against subject principal
> --------------------------------------------------------------------
>
>                 Key: ARTEMIS-5977
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5977
>             Project: Artemis
>          Issue Type: Improvement
>          Components: JAAS, MQTT
>    Affects Versions: 2.53.0
>            Reporter: Gary Tully
>            Priority: Major
>
> To add proof of possession, such that an authentication token or client cert 
> is pinned to a particular client, it is useful if the client id is 
> validated. 
> Consider the mtls external certificate login module, that grants permissions 
> based on the claims from SAN fields, and the identity from the CN. This could 
> be augmented to further restrict the access based on the clientId provided on 
> the connection, such that the cert is bound to a single clientId: 
> only grant access when the CN matches the clientId. 
> A secondary login module that just validates the client id provides a great 
> way to compose this solution.
> It probably needs a regex match against the subjects, to deal with plain 
> client ids or values from cert CNs.
> I wonder if it should also match a role principal? 
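The two checks discussed in this thread, as an added stand-alone Python illustration (not Artemis code and not the proposed login module): the certificate thumbprint that the comment calls cnf/x5t#256 (RFC 8705 names the claim x5t#S256) compared against the mTLS peer certificate, and the client ID from the connection matched against a principal name through a configurable regex capture group, so that the same check works for a plain client ID or for the CN of a certificate DN. The DER bytes, claim values and DN strings are constructed for the example.

```python
import base64
import hashlib
import hmac
import re
from typing import Iterable, Optional

# Constructed stand-in for a DER-encoded X.509 certificate (not a real certificate).
CLIENT_CERT_DER = b"\x30\x82\x01\x00constructed-der-bytes-for-illustration"


def x5t_s256(cert_der: bytes) -> str:
    """RFC 8705 thumbprint: base64url without padding of SHA-256 over the DER bytes."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def token_bound_to_cert(claims: dict, cert_der: bytes) -> bool:
    """True only if the JWT carries cnf.x5t#S256 and it matches the mTLS peer certificate."""
    expected = (claims.get("cnf") or {}).get("x5t#S256")
    if not isinstance(expected, str):
        return False  # no confirmation claim: the token is not sender-constrained
    return hmac.compare_digest(expected, x5t_s256(cert_der))


def client_id_allowed(client_id: Optional[str], principal_names: Iterable[str], pattern: str) -> bool:
    """Accept the connection only if some principal name yields the connection's client ID.

    `pattern` must contain one capture group. It is applied to each principal name
    (a plain value such as a JWT subject, or a certificate DN) and group 1 is
    compared with the client ID supplied on the connection.
    """
    if not client_id:
        return False  # a missing client ID can never be pinned to a principal
    regex = re.compile(pattern)
    for name in principal_names:
        m = regex.search(name)
        if m and m.group(1) == client_id:
            return True
    return False


if __name__ == "__main__":
    claims = {"sub": "device-42", "cnf": {"x5t#S256": x5t_s256(CLIENT_CERT_DER)}}
    print(token_bound_to_cert(claims, CLIENT_CERT_DER))                               # True
    print(client_id_allowed("device-42", ["CN=device-42,O=Example"], r"CN=([^,]+)"))  # True
    print(client_id_allowed("device-42", ["device-42"], r"^(.*)$"))                   # True
    print(client_id_allowed("device-43", ["CN=device-42,O=Example"], r"CN=([^,]+)"))  # False
```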



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
