Conversation

sergio-d-lemos (Contributor)

This PR expands the design initially proposed by @kenliao94 and @LinC0416 for supporting OAuth 2.0 authentication and @jbonofre's initial work on #1035 back in 2023.

mattrpav (Contributor)

I like the idea of a standard oauth2 plugin for authn, but it could be tricky without a bunch of provider-specific plugins to re-work request and response handler payloads because there are subtle differences. Might need that layer to be pluggable/highly configurable.

Using scope claims for groups (i.e. authz) is tricky, because some providers limit the number of available groups provided in the token, which means users can't rely on those tokens for group membership and need to make secondary lookups for group/role info to a non-standard API.

The flow is simple enough that it would be great if we could use the JDK http client.

mattrpav (Contributor) commented Aug 21, 2025

@sergio-d-lemos I think we can move forward with the JAAS LoginModule. Do you want to take a pass at it or would it be helpful if I drafted one out?

sergio-d-lemos (Contributor, Author)

I can publish a draft (likely over the weekend), won't be "production ready" but it's a start.

sergio-d-lemos (Contributor, Author)

Included a basic implementation. The code is still WIP with a bunch of TODOs on things which still need more work (and there are no tests), but I think it demonstrates the ideas I had in mind.

mattrpav (Contributor)

@sergio-d-lemos Good start.

I think having an embedded 'mock' OAuth2 server would be helpful. I think using the JDK http server would be pretty simple to spin up and then allow us to mock payloads and status codes.

Thoughts?

issuer="https://cognito-idp.us-west-2.amazonaws.com/us-west-2_iz1VrIxct"
jwks_uri="https://cognito-idp.us-west-2.amazonaws.com/us-west-2_iz1VrIxct/.well-known/jwks.json"
group_resolver_class="org.apache.activemq.jaas.oauth.NoOpGroupResolver"
Contributor (review comment on the configuration lines above)

Using a class for group resolution gets tricky across runtimes that have varying classloader behaviors (specifically Apache Karaf and OSGi-based runtimes.)

Since there is only one method, I think having an AbstractOAuthLoginModule with shared methods and an abstract method for groupLookup() is the way to go.

The default implementation can simply load a groups.properties file with user, group and role mappings similar to how pure local accounts work.
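A sketch of the abstract-base-class design proposed in this comment, added here as an illustration and not code from the PR or from ActiveMQ itself; the class names, the `principalsFor` hook and the `group=user1,user2` layout of groups.properties are assumptions.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.*;

/** Shared OAuth login logic lives here; only group resolution is abstract, so no
 *  class-name configuration or reflection is needed (same behaviour under Karaf/OSGi). */
abstract class AbstractOAuthLoginModule {
    /** Return the groups/roles for the user id taken from the verified token. */
    protected abstract Set<String> groupLookup(String userId);

    /** Hypothetical hook, called only after the token's signature and issuer were verified. */
    protected Set<String> principalsFor(String subject) {
        // Group claims in the token may be truncated by the provider, so the
        // authoritative group list always comes from the secondary lookup.
        return Collections.unmodifiableSet(new TreeSet<>(groupLookup(subject)));
    }
}

/** Default implementation: a groups.properties file in the assumed
 *  "group=user1,user2" form that local accounts use. */
class PropertiesOAuthLoginModule extends AbstractOAuthLoginModule {
    private final Map<String, Set<String>> groupsByUser = new HashMap<>();

    PropertiesOAuthLoginModule(Path groupsFile) throws IOException {
        Properties props = new Properties();
        try (InputStream in = Files.newInputStream(groupsFile)) {
            props.load(in);
        }
        for (String group : props.stringPropertyNames()) {
            for (String user : props.getProperty(group).split(",")) {
                String u = user.trim();
                if (!u.isEmpty()) {
                    groupsByUser.computeIfAbsent(u, k -> new HashSet<>()).add(group);
                }
            }
        }
    }

    @Override
    protected Set<String> groupLookup(String userId) {
        return groupsByUser.getOrDefault(userId, Collections.emptySet());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample file; a real deployment points at conf/groups.properties.
        Path tmp = Files.createTempFile("groups", ".properties");
        Files.writeString(tmp, "admins=alice\nusers=alice,bob\n");
        PropertiesOAuthLoginModule module = new PropertiesOAuthLoginModule(tmp);
        System.out.println(module.principalsFor("alice"));
        System.out.println(module.principalsFor("mallory"));
    }
}
```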

sergio-d-lemos (Contributor, Author)

> @sergio-d-lemos Good start.
>
> I think having an embedded 'mock' OAuth2 server would be helpful. I think using the JDK http server would be pretty simple to spin up and then allow us to mock payloads and status codes.
>
> Thoughts?

Yes, I think somehow mocking the HTTP server will be necessary to test. I will look into it.
