The SASL process occurs first, before the Open frame. The Open frames are what carry each peer's advertised max frame size, mainly aimed at later message deliveries. The AMQP 1.0 spec defines before this, however, that the SASL frames can be at most the 'min max frame size', which is fixed at 512 bytes, with no way to negotiate anything larger.

As you can probably tell, that presents a problem if things in the SASL negotiation want to be larger, such as is likely in e.g. a newer XOAUTH2 mechanism that didn't exist when that decision was originally made. To simply allow some of these newer alternative mechs to work, it was decided to just allow things to exceed the 512-byte limit since both sides would have to already agree on using a given mech to begin with, so doing an alternative like creating a custom multi-challenge batching sequence to shuffle the bytes wasn't really going to be adding much except significant complexity.

It appears broker-j allows up to 4096, and you have now found something to exceed even that. It doesn't look like it allows configuring it, but increasing that seems to be the only option that would help here.

On Thu, 18 May 2023 at 22:14, Dan Langford <danlangf...@gmail.com> wrote:
>
> we are exploring the use of Oauth2 with Qpid BrokerJ. We use okta but it's all openid and the keycloak provider seems like it might work for us. we are referencing this confluence article about how to configure the qpid jms client to update the token as it expires
>
> https://cwiki.apache.org/confluence/display/qpid/XOAUTH2+SASL+Mechanism+and+token+expiration
>
> oauth jwt tokens can be BIG!!!
>
> here is the error
>
> 2023-05-18T20:29:10,377Z WARN [IO-/172.22.0.1:59090] (o.a.q.s.p.v.f.FrameHandler) - Unexpected exception handling frame
> org.apache.qpid.server.util.ConnectionScopedRuntimeException: Connection is closed before being fully established: specified frame size 5007 larger than maximum frame header size 4096
>     at org.apache.qpid.server.protocol.v1_0.AMQPConnection_1_0Impl.closeConnection(AMQPConnection_1_0Impl.java:1172)
>     at org.apache.qpid.server.protocol.v1_0.AMQPConnection_1_0Impl.handleError(AMQPConnection_1_0Impl.java:785)
>     at org.apache.qpid.server.protocol.v1_0.framing.FrameHandler.parse(FrameHandler.java:219)
>     at org.apache.qpid.server.protocol.v1_0.AMQPConnection_1_0Impl.onReceive(AMQPConnection_1_0Impl.java:1309)
>     at
>
> as we are exploring this the problem we are running into seems to be that the SASL frames are too big. and when we configure the max frame size on the connection string that isn't configured until the Open frame is received but that all is after the SASL. I'm wondering if there is a way to configure the max frame size of the SASL frames or if there is a way to configure the default/initial max frame size of BrokerJ.
>
> https://github.com/apache/qpid-broker-j/blob/9.0.0/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java#L188
>
> or did I misunderstand / misinterpret my error and should the SASL auth all happen after the Open frame is sent? thanks
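
Added example, not part of the original thread and not Qpid code: a size check that builds an AMQP 1.0 sasl-init frame carrying an XOAUTH2 initial response and compares its length with the 512-byte spec limit and the 4096-byte limit from the error above. The user name, host name and tokens are constructed placeholders, and the encoding choices (smallest fitting type widths, hostname field present) are assumptions, so a real client's frame may differ by a few bytes.

```python
import struct

SPEC_SASL_LIMIT = 512   # AMQP 1.0 "min max frame size", applies to SASL frames
BROKER_J_LIMIT = 4096   # limit reported in the Broker-J error quoted above

def xoauth2_initial_response(user, token):
    # XOAUTH2 client response layout: user=<user>^Aauth=Bearer <token>^A^A
    return f"user={user}\x01auth=Bearer {token}\x01\x01".encode("utf-8")

def _variable(code8, code32, data):
    # AMQP variable-width types: 1-byte length up to 255 octets, else 4-byte length
    if len(data) <= 255:
        return bytes([code8, len(data)]) + data
    return bytes([code32]) + struct.pack(">I", len(data)) + data

def sasl_init_frame(mechanism, initial_response, hostname):
    fields = (_variable(0xA3, 0xB3, mechanism.encode("ascii"))    # symbol
              + _variable(0xA0, 0xB0, initial_response)           # binary
              + _variable(0xA1, 0xB1, hostname.encode("utf-8")))  # string
    if len(fields) + 1 <= 255:   # list8: size octet covers count + fields
        body_list = bytes([0xC0, len(fields) + 1, 3]) + fields
    else:                        # list32: size covers 4-byte count + fields
        body_list = bytes([0xD0]) + struct.pack(">II", len(fields) + 4, 3) + fields
    body = b"\x00\x53\x41" + body_list   # described type, descriptor 0x41 = sasl-init
    # Frame header: size, DOFF=2 (8 bytes), type 0x01 (SASL), 2 ignored bytes
    return struct.pack(">IBBH", 8 + len(body), 2, 0x01, 0) + body

def classify(frame_size):
    if frame_size <= SPEC_SASL_LIMIT:
        return "within spec limit"
    if frame_size <= BROKER_J_LIMIT:
        return "over spec limit, under 4096"
    return "over 4096"

def report(user, token, hostname):
    # Hypothetical helper: returns (frame size in bytes, classification)
    frame = sasl_init_frame("XOAUTH2", xoauth2_initial_response(user, token), hostname)
    return len(frame), classify(len(frame))

if __name__ == "__main__":
    # Constructed sample tokens: only the length matters for this check
    for n in (100, 3000, 5000):
        print(n, report("svc", "x" * n, "broker.example"))
```

Running the check against the length of a real access token before deployment shows whether the SASL exchange will fit without the token having to reach the broker.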