feat(#1737): Add OAuth2 JWT authentication support via JAAS LoginModule #1738
jbonofre wants to merge 5 commits into apache:main from
Conversation
…inModule Add OAuth2LoginModule to activemq-jaas that validates JWT access tokens using JWKS endpoint for signature verification. Clients pass the JWT as the password field, and claims are mapped to UserPrincipal/GroupPrincipal for seamless integration with the existing JaasAuthenticationPlugin.
NB: this is a better approach imho to what I did initially in #1035 (with the same goal).

The test failure is related to #1741
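As an added illustration of the mechanism the PR description sketches (this is not the PR's OAuth2LoginModule and not ActiveMQ project code): a JAAS LoginModule that reads the JWT from the password callback, verifies its signature against the issuer's JWKS endpoint with nimbus-jose-jwt, pins issuer and audience, and maps the token's claims onto ActiveMQ's UserPrincipal/GroupPrincipal so the existing JaasAuthenticationPlugin can use them. The class name, the module option names (jwksUrl, issuer, audience, groupsClaim) and the default groups claim name are assumptions.

```java
// Added illustration, not the PR's OAuth2LoginModule. Class and option names are assumed.
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.security.Principal;
import java.text.ParseException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import com.nimbusds.jose.*;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.*;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.UserPrincipal;

public class JwtBearerLoginModule implements LoginModule {   // hypothetical class name
    private Subject subject;
    private CallbackHandler handler;
    private DefaultJWTProcessor<SecurityContext> processor;
    private String groupsClaim;
    private final Set<Principal> principals = new HashSet<>();
    private boolean succeeded;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        Object claimOpt = options.get("groupsClaim");              // assumed option name
        this.groupsClaim = claimOpt == null ? "groups" : claimOpt.toString();
        try {
            // Signing keys come from the issuer's JWKS endpoint (Nimbus fetches and caches them).
            // Only RS256 is accepted, so a token with alg "none" or an HMAC alg is rejected before
            // any signature check, which also rules out key-confusion with the public key.
            JWKSource<SecurityContext> keys =
                    new RemoteJWKSet<>(new URL(String.valueOf(options.get("jwksUrl"))));
            processor = new DefaultJWTProcessor<>();
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
            // Pin issuer and audience and require sub/exp; exp and nbf are checked against the clock.
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                    String.valueOf(options.get("audience")),
                    new JWTClaimsSet.Builder().issuer(String.valueOf(options.get("issuer"))).build(),
                    new HashSet<>(Arrays.asList("sub", "exp"))));
        } catch (MalformedURLException e) {
            throw new IllegalArgumentException("jwksUrl option is not a valid URL", e);
        }
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("Username: ");
        PasswordCallback password = new PasswordCallback("Password: ", false);
        try {
            handler.handle(new Callback[] { name, password });
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("Unable to obtain credentials: " + e.getMessage());
        }
        char[] token = password.getPassword();             // the client sends the JWT as its password
        if (token == null || token.length == 0) {
            throw new FailedLoginException("No token in password field");
        }
        try {
            JWTClaimsSet claims = processor.process(new String(token), null);
            // If the client also supplied a username, it must agree with the token's subject.
            if (name.getName() != null && !name.getName().isEmpty()
                    && !name.getName().equals(claims.getSubject())) {
                throw new FailedLoginException("Username does not match token subject");
            }
            principals.add(new UserPrincipal(claims.getSubject()));
            List<String> groups = claims.getStringListClaim(groupsClaim);   // null when absent
            if (groups != null) {
                for (String g : groups) principals.add(new GroupPrincipal(g));
            }
            succeeded = true;
            return true;
        } catch (ParseException | BadJOSEException | JOSEException e) {
            throw new FailedLoginException("Token rejected: " + e.getMessage());
        } finally {
            password.clearPassword();
            Arrays.fill(token, '\0');
        }
    }

    @Override public boolean commit() {
        if (succeeded) subject.getPrincipals().addAll(principals);
        return succeeded;
    }

    @Override public boolean abort() { principals.clear(); succeeded = false; return true; }

    @Override public boolean logout() {
        subject.getPrincipals().removeAll(principals);
        principals.clear(); succeeded = false;
        return true;
    }
}
```

In a login.config entry this module would be listed like any other, with jwksUrl, issuer and audience passed as module options. The three checks worth confirming in a review of any such module are the ones made explicit here: the accepted algorithm is fixed rather than taken from the token header, issuer and audience are pinned to the broker's own values, and expiry is mandatory so a token without exp cannot be used indefinitely. RemoteJWKSet is the older Nimbus key-source API; newer releases offer JWKSourceBuilder for the same purpose.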
activemq-jaas/src/main/java/org/apache/activemq/jaas/OAuth2LoginModule.java
jeanouii
left a comment
Some small details, nothing important.

-1 on merging this as part of the activemq-jaas module. This drags in a 3rd party dependency to all deployments -- I think this should go into an activemq-jaas-oauth2 module.
mattrpav
left a comment
I think this should go into a separate module and get deployed into an extras folder (with the 3rd party dependency) instead of installed into the classpath by default for every running broker.
activemq-jaas/src/main/java/org/apache/activemq/jaas/OAuth2LoginModule.java
@mattrpav what is the concern about the Nimbus dependency in the JAAS module? At the end, regarding the ActiveMQ distribution, it will be a dependency like another (like Jetty or Rome for instance). Your concern is about the "embedded" ActiveMQ service in application (

@mattrpav Using LinkedHashSet is a nice to have but not strictly required per spec. Actually Subject.getPrincipals() returns a Set, that's it. The rest is platform dependent. Our JaasAuthenticationBroker for instance gets all the principals and then iterates until it finds an instance of UserPrincipal. On the dependency, it will be in the final zip anyways, so until it becomes a problem, I'd prefer to keep it in activemq-jaas instead of creating another module for one class only. It is both simpler for us and for our users that don't have to know they need another module to use oauth2 tokens. We could go like this and if it's a problem split later on.
I think this line of thinking 'it's just one class' is what gets us into dependency trouble as a project. Yes, it is one class in the ActiveMQ tree, but this pulls in several transitive dependencies -- not just the one listed as optional. Being a security-related component also increases the probability that it will get tagged w/ a vulnerability (or one of its transitive deps will). I think it would be most correct to have separate modules per security mechanism (the shiro approach). We could do an activemq-jaas-extras, but that doesn't seem to make sense b/c rarely are multiple external security providers (used outside of local accounts).

@mattrpav that's fair. I'm not a big fan of I will update the PR accordingly.
…h2 module Extract OAuth2 JWT authentication into its own activemq-oauth2 module (similar to activemq-shiro) with package org.apache.activemq.oauth2. Remove nimbus-jose-jwt dependency from activemq-jaas and assembly, add activemq-oauth2 to parent modules/dependencyManagement and assembly. Include commented-out OAuth2 configuration example in the distribution login.config.