[
https://issues.apache.org/jira/browse/ARTEMIS-5200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18070557#comment-18070557
]
ASF subversion and git services commented on ARTEMIS-5200:
----------------------------------------------------------
Commit 98b24f02ae76ef1d732b317e94cead35e13c93fb in artemis's branch
refs/heads/main from Grzegorz Grzybek
[ https://gitbox.apache.org/repos/asf?p=artemis.git;h=98b24f02ae ]
ARTEMIS-5200 Implement JAAS OIDC LoginModule for JWT authentication
ARTEMIS-5200 Initial implementation of JAAS OIDC Login Module
* support for fetching OIDC metadata
* caching and handling JWK keys
* JAAS Login module that verifies claims and JWT signature
* extensive test coverage
* based on JDK HTTP Client
* JAAS string-based configuration (etc/login.config)
ARTEMIS-5200 Extracting principal identities/roles from JWT
ARTEMIS-5200 Add logging information and signature tests
ARTEMIS-5200 Implement RFC 8705 (OAuth2 + mTLS)
ARTEMIS-5200 Add test for full LoginContext usage with OIDC in login.config
ARTEMIS-5200 Fix SSL Context initialization in HttpClient
ARTEMIS-5200 Adjust OSGi headers and features for artemis-server-osgi
ARTEMIS-5200 Cleanup in OIDCLoginModule.logout()
> OAuth Bearer Token Support
> --------------------------
>
> Key: ARTEMIS-5200
> URL: https://issues.apache.org/jira/browse/ARTEMIS-5200
> Project: Artemis
> Issue Type: New Feature
> Reporter: Luís Alves
> Priority: Major
>
> In line with KAFKA
> [KIP-768|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575],
> Artemis should also provide bearer token support for authN and authZ.
> Motivation is the same as in Kafka. I already use OAuth on many services that
> have to communicate with the broker, so why not leverage the [OAuth 2.0
> client credentials flow|https://oauth.net/2/grant-types/client-credentials/]?
> The current integration with Keycloak on the
> [examples|https://github.com/apache/activemq-artemis-examples/tree/main/examples/features/standard/security-keycloak]
> is not great in terms of security. We have to give away our credentials to
> Artemis and it uses them to do a [password
> grant|oauth.net/2/grant-types/password]. This flow is strongly discouraged.
> I think the major blocker is that Artemis is designed to do authN with a
> username and a password. I only have experience with the Java client with
> CORE protocol and I couldn't find any interceptor on the authN process to
> replace the password field with a fresh token. With some workarounds it is
> possible to make it work, but it is not a vanilla and supported solution.