[ https://issues.apache.org/jira/browse/CAMEL-21936?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17941894#comment-17941894 ]

Thomas Diesler edited comment on CAMEL-21936 at 4/8/25 2:05 PM:
----------------------------------------------------------------

I modified broker.xml like this
{code:xml}
      <security-settings>
         <security-setting match="#">
            <permission type="createNonDurableQueue" roles="amq"/>
            <permission type="deleteNonDurableQueue" roles="amq"/>
            <permission type="createDurableQueue" roles="amq"/>
            <permission type="deleteDurableQueue" roles="amq"/>
            <permission type="createAddress" roles="amq"/>
            <permission type="deleteAddress" roles="amq"/>
            <permission type="consume" roles="amq"/>
            <permission type="browse" roles="amq"/>
            <permission type="send" roles="amq"/>
            <!-- roles used by camel-cloud-examples -->
            <permission type="send" roles="artemis-user"/>
            <permission type="consume" roles="artemis-user"/>
            <!-- we need this otherwise ./artemis data imp wouldn't work -->
            <permission type="manage" roles="amq"/>
         </security-setting>
      </security-settings>
{code}
and added 
-Djava.security.auth.login.config=/var/lib/artemis-instance/login.config
{code:java}
OAuth2Login {
org.apache.activemq.artemis.spi.core.security.jaas.OAuth2LoginModule required
jwksEndpoint="https://keycloak.local/kc/realms/camel/protocol/openid-connect/certs"
clientId="camel-client"
clientSecret="camel-client-secret"
roleClaim="resource_access.camel-client.roles"; 
};
{code}
Then, I obtain an access_token from Keycloak with grant_type 
client_credentials, which I can decode on [https://jwt.io|https://jwt.io/]
{code:json}
{
  "exp": 1744117460,
  "iat": 1744117160,
  "jti": "61cdefa7-15bc-4ad4-b2de-6c3201cf90c8",
  "iss": "https://keycloak.local/kc/realms/camel",
  "sub": "32032a75-8909-4195-91ac-6dcd9ef79719",
  "typ": "Bearer",
  "azp": "camel-client",
  "acr": "1",
  "allowed-origins": [
    "http://127.0.0.1:8080"
  ],
  "resource_access": {
    "camel-client": {
      "roles": [
        "artemis-user"
      ]
    }
  },
  "scope": "email profile",
  "email_verified": false,
  "clientHost": "192.168.65.3",
  "preferred_username": "service-account-camel-client",
  "clientAddress": "192.168.65.3",
  "client_id": "camel-client"
}
{code}
The ActiveMQConnectionFactory is configured like this
{code:java}
camel.component.sjms2.connection-factory=#class:org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory
camel.component.sjms2.connection-factory.broker-url=tcp://artemis:61616
camel.component.sjms2.connection-factory.user=Bearer eyJhbGciOiJSUzI1NiIs...dDK_8WI_zqMIA
{code}
The Keycloak SSL cert from 
[https://keycloak.local/kc/realms/camel/protocol/openid-connect/certs] is 
trusted by the Artemis broker as well as by the Camel JMS client

When making a connection, I see this on the Broker side ...
{code:java}
2025-04-08 13:17:27,184 WARN  [org.apache.activemq.artemis.core.server] AMQ222216: Security problem while authenticating: AMQ229031: Unable to validate user from 10.1.5.79:56844. Username: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPRVo4U2NYR0hGSDhUREs4LWhnLXNhQ2lVY29oZ0R1R3dKckZnX2RiVjdrIn0.eyJleHAiOjE3NDQxMTg1MzIsImlhdCI6MTc0NDExODIzMiwianRpIjoiZDBhNTM4ZGUtZmY5My00YTJhLWIwYWItZjM0MjRiNjVkODM0IiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2NhbC9rYy9yZWFsbXMvY2FtZWwiLCJzdWIiOiIzMjAzMmE3NS04OTA5LTQxOTUtOTFhYy02ZGNkOWVmNzk3MTkiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjYW1lbC1jbGllbnQiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbIiJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsiY2FtZWwtY2xpZW50Ijp7InJvbGVzIjpbImFydGVtaXMtdXNlciJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE5Mi4xNjguNjUuMyIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1jYW1lbC1jbGllbnQiLCJjbGllbnRBZGRyZXNzIjoiMTkyLjE2OC42NS4zIiwiY2xpZW50X2lkIjoiY2FtZWwtY2xpZW50In0.Cpfmg7XVyXmEDfMRFWmoewZl0MmTRlMC9oVJt0QnIDGA2ghetkMNVgLv7FrMCZit6U-unapGeEfOlyOxBL6qdtiogsCa1xYVm0WpRuuOgKRkH0ViaT_Ro--yhl_U3Ckag-KcJsZLwuaDjsQKlVp6JEcZHsLaXl8X3mC3ZPo6DcdaS5J3AtXbHIxhOoPoO2e5kQ9uaQZxSOwzQTU-IQ59afj5BCMX-ybg_Vj9tQ1sAruAff2s_-kJPtoyP-UCiARGxEsJaFc-gxyAnLx1uGvcBegl6f4NrZahllBV0ckFQDvLdSWBt8UsyOrFG4jeMRZM1r1G37069dDK_8WI_zqMIA; SSL certificate subject DN: unavailable
{code}
and this on the client side ...
{code:java}
Caused by: jakarta.jms.JMSSecurityException: AMQ229031: Unable to validate user from 10.1.5.80:49274. Username: Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJPRVo4U2NYR0hGSDhUREs4LWhnLXNhQ2lVY29oZ0R1R3dKckZnX2RiVjdrIn0.eyJleHAiOjE3NDQxMTg1MzIsImlhdCI6MTc0NDExODIzMiwianRpIjoiZDBhNTM4ZGUtZmY5My00YTJhLWIwYWItZjM0MjRiNjVkODM0IiwiaXNzIjoiaHR0cHM6Ly9rZXljbG9hay5sb2NhbC9rYy9yZWFsbXMvY2FtZWwiLCJzdWIiOiIzMjAzMmE3NS04OTA5LTQxOTUtOTFhYy02ZGNkOWVmNzk3MTkiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjYW1lbC1jbGllbnQiLCJhY3IiOiIxIiwiYWxsb3dlZC1vcmlnaW5zIjpbIiJdLCJyZXNvdXJjZV9hY2Nlc3MiOnsiY2FtZWwtY2xpZW50Ijp7InJvbGVzIjpbImFydGVtaXMtdXNlciJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiY2xpZW50SG9zdCI6IjE5Mi4xNjguNjUuMyIsInByZWZlcnJlZF91c2VybmFtZSI6InNlcnZpY2UtYWNjb3VudC1jYW1lbC1jbGllbnQiLCJjbGllbnRBZGRyZXNzIjoiMTkyLjE2OC42NS4zIiwiY2xpZW50X2lkIjoiY2FtZWwtY2xpZW50In0.Cpfmg7XVyXmEDfMRFWmoewZl0MmTRlMC9oVJt0QnIDGA2ghetkMNVgLv7FrMCZit6U-unapGeEfOlyOxBL6qdtiogsCa1xYVm0WpRuuOgKRkH0ViaT_Ro--yhl_U3Ckag-KcJsZLwuaDjsQKlVp6JEcZHsLaXl8X3mC3ZPo6DcdaS5J3AtXbHIxhOoPoO2e5kQ9uaQZxSOwzQTU-IQ59afj5BCMX-ybg_Vj9tQ1sAruAff2s_-kJPtoyP-UCiARGxEsJaFc-gxyAnLx1uGvcBegl6f4NrZahllBV0ckFQDvLdSWBt8UsyOrFG4jeMRZM1r1G37069dDK_8WI_zqMIA; SSL certificate subject DN: unavailable
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:580)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:465)
        at org.apache.activemq.artemis.core.protocol.core.impl.ChannelImpl.sendBlocking(ChannelImpl.java:457)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:308)
        at org.apache.activemq.artemis.core.protocol.core.impl.ActiveMQClientProtocolManager.createSessionContext(ActiveMQClientProtocolManager.java:256)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionChannel(ClientSessionFactoryImpl.java:1498)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSessionInternal(ClientSessionFactoryImpl.java:843)
        at org.apache.activemq.artemis.core.client.impl.ClientSessionFactoryImpl.createSession(ClientSessionFactoryImpl.java:350)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnection.authorize(ActiveMQConnection.java:647)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnectionInternal(ActiveMQConnectionFactory.java:946)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:311)
        at org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory.createConnection(ActiveMQConnectionFactory.java:306)
        at org.apache.camel.component.sjms.consumer.SimpleMessageListenerContainer.createConnection(SimpleMessageListenerContainer.java:302)
        at org.apache.camel.component.sjms.consumer.SimpleMessageListenerContainer.doStart(SimpleMessageListenerContainer.java:228)
{code}

We can install the broker [like this|https://github.com/tdiesler/camel/blob/CAMEL-21936/components/camel-oauth/helm/README.md#installing-artemis] ...

{code}
helm upgrade --install artemis ./helm -f ./helm/values-artemis.yaml
{code}

and run the client [like this|https://github.com/tdiesler/camel-cloud-examples/blob/CAMEL-21936/camel-main/amq7-oauth/Makefile#L33] ...

{code}
k8s-export: k8s-fetch-cert fetch-access-token
        @$(CAMEL_CMD) kubernetes export amq7-oauth-files/* tls/* \
        --gav=examples:amq7-oauth:1.0.0 \
        --dep=org.apache.activemq:artemis-jakarta-client:2.40.0 \
        --property=camel.component.sjms2.connection-factory=#class:org.apache.activemq.artemis.jms.client.ActiveMQConnectionFactory \
        --property=camel.component.sjms2.connection-factory.broker-url=tcp://artemis:61616 \
        --property=camel.component.sjms2.connection-factory.user="Bearer $(ACCESS_TOKEN)" \
        --property=ssl.truststore.certificates=tls/cluster.crt \
        --trait container.image-pull-policy=IfNotPresent \
        --image-builder=docker \
        --image-push=false \
        --runtime=camel-main
{code}


> camel-oauth - Add support for OAuth Authentication for Messaging
> ----------------------------------------------------------------
>
>                 Key: CAMEL-21936
>                 URL: https://issues.apache.org/jira/browse/CAMEL-21936
>             Project: Camel
>          Issue Type: New Feature
>          Components: camel-oauth
>            Reporter: Thomas Diesler
>            Assignee: Thomas Diesler
>            Priority: Major
>

--
This message was sent by Atlassian Jira
(v8.20.10#820010)