Posted to users@activemq.apache.org by SCOTT FIELDS <Sc...@kyndryl.com.INVALID> on 2023/10/31 19:17:40 UTC

Native Oauth/OIDC integration in ActiveMQ

To my knowledge, there is no native ActiveMQ integration for Authorization/Authentication via Oauth/OIDC.

Is there any plan, if not, to include this, besides requiring an external JAAS method provided either by an external vendor or require a custom coding front-end from the end-use provider?

If not, what's the best way to request this?

Scott Fields
Kyndryl
Senior Lead SRE - BNSF
817-593-5038 (BNSF)
scott.fields@kyndryl.com<ma...@kyndryl.com>
scott.fields@bnsf.com<ma...@bnsf.com>


Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Łukasz Dywicki <lu...@code-house.org>.
Have a look at 
https://github.com/apifocal/activemix/tree/master/jaas/activemix-auth-token.

I wrote this code a long time ago; it didn't change much since it 
simply works. ;) It does rely on JWT/OIDC and can use an external 
JWK set (i.e. hosted by Keycloak) to verify token signatures.

Cheers,
Łukasz

On 31.10.2023 22:22, SCOTT FIELDS wrote:
> Yes, using certificate based authentication/authorization is a secondary approved method if OIDC isn't supported for this customer.
> 
> But...I wanted to pursue the OIDC mechanism, since that's the customer's primary solution.
> 
> -----Original Message-----
> From: Matt Pavlovich <ma...@gmail.com>
> Sent: Tuesday, October 31, 2023 3:19 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> 
> Hi Scott-
> 
> There is interest in adding this to Apache ActiveMQ. A DRAFT PR was started using JWT:
> 
> https://github.com/apache/activemq/pull/1035
> 
> In general, using OAuth/OIDC may not be desirable as having background threads refreshing tokens can have negative side effects. The OAuth2 "AppAuth pattern" is something else to look into.
> 
> Have you considered two-way SSL authentication? Stronger security, with expiry and revocation support.
> 
> Thanks,
> Matt Pavlovich
> 
>> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID> wrote:
>>
>> To my knowledge, there is no native ActiveMQ integration for Authorization/Authentication via Oauth/OIDC.
>>
>> Is there any plan, if not, to include this, besides requiring an external JAAS method provided either by an external vendor or require a custom coding front-end from the end-use provider?
>>
>> If not, what's the best way to request this?
>>
>> Scott Fields
>> Kyndryl
>> Senior Lead SRE - BNSF
>> 817-593-5038 (BNSF)
>> scott.fields@kyndryl.com<ma...@kyndryl.com>
>> scott.fields@bnsf.com<ma...@bnsf.com>
>>
> 
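The check a module like the one Łukasz links has to perform on every CONNECT, as an added example in Python rather than the Java a JAAS LoginModule would be written in, and not code from the activemix module or from ActiveMQ: the client presents the bearer token as its password, the broker side selects the verification key by the token's kid, pins the algorithm to the one the key was published for, checks the signature and the lifetime/issuer/audience claims, and only then maps a claim to broker roles. To run offline it uses one symmetric HS256 key in JWKS layout; a real OIDC deployment would hold the provider's RS256/ES256 public keys from its jwks_uri instead. The issuer, audience, roles claim name and the key contents are assumptions, and mint_token stands in for the identity provider.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed key set in JWKS layout. A deployed module would load this from
# the provider's jwks_uri and verify RS256/ES256 signatures with the public
# keys; this offline example uses one symmetric HS256 key instead.
KEY_SET = {
    "keys": [
        {"kty": "oct", "kid": "2023-10", "alg": "HS256",
         "k": base64.urlsafe_b64encode(b"\x11" * 32).rstrip(b"=").decode()},
    ]
}
EXPECTED_ISSUER = "https://idp.example.test/realms/broker"  # assumed issuer
EXPECTED_AUDIENCE = "activemq"                              # assumed audience
ROLE_CLAIM = "roles"                                        # assumed claim name


class TokenRejected(Exception):
    pass


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def verify_token(token, key_set=KEY_SET, now=None, leeway=30):
    """Return the claims of a token that verifies, or raise TokenRejected."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        sig = b64url_decode(s_b64)
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        raise TokenRejected("malformed token")
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise TokenRejected("malformed token")
    # Select the key by kid. The algorithm comes from the key we trust, never
    # from the token header, so "alg": "none" and algorithm swaps are refused
    # before any signature is looked at.
    key = next((k for k in key_set["keys"] if k.get("kid") == header.get("kid")), None)
    if key is None:
        raise TokenRejected("unknown kid %r" % header.get("kid"))
    if key["alg"] != "HS256" or header.get("alg") != key["alg"]:
        raise TokenRejected("algorithm %r not allowed" % header.get("alg"))
    signing_input = ("%s.%s" % (h_b64, p_b64)).encode()
    expected = hmac.new(b64url_decode(key["k"]), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise TokenRejected("bad signature")
    # Claim checks: a valid signature from the right key is not enough.
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("expired or missing exp")
    nbf = claims.get("nbf", 0)
    if isinstance(nbf, (int, float)) and now < nbf - leeway:
        raise TokenRejected("not yet valid")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise TokenRejected("wrong issuer")
    aud = claims.get("aud", [])
    aud_list = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if EXPECTED_AUDIENCE not in aud_list:
        raise TokenRejected("wrong audience")
    return claims


def authenticate(username, password, key_set=KEY_SET, now=None):
    """The login()/commit() step of a LoginModule: the password callback
    carries the bearer token. Returns (principal name, set of role names)."""
    claims = verify_token(password, key_set, now)
    subject = claims.get("preferred_username") or claims.get("sub")
    if not subject:
        raise TokenRejected("no subject")
    if username and username != subject:
        raise TokenRejected("username does not match token subject")
    roles = claims.get(ROLE_CLAIM, [])
    return subject, set(roles if isinstance(roles, list) else [])


def mint_token(claims, key=KEY_SET["keys"][0], alg=None):
    """Constructed helper that plays the identity provider so the example can
    be exercised offline; a broker never mints tokens."""
    header = {"alg": alg or key["alg"], "kid": key["kid"], "typ": "JWT"}
    signing_input = "%s.%s" % (b64url_encode(json.dumps(header).encode()),
                               b64url_encode(json.dumps(claims).encode()))
    sig = hmac.new(b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return "%s.%s" % (signing_input, b64url_encode(sig))


if __name__ == "__main__":
    now = int(time.time())
    token = mint_token({"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "gw-42",
                        "exp": now + 300, "roles": ["producers"]})
    print(authenticate("gw-42", token))
```

The username check matters for the protocols Scott lists: OpenWire, AMQP, MQTT and Core all carry a username alongside the password, and a token that verifies but belongs to a different subject should not log in as the name the client typed.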

RE: Native Oauth/OIDC integration in ActiveMQ

Posted by SCOTT FIELDS <Sc...@kyndryl.com.INVALID>.
FYI, per the app teams, they're using the following protocols:

MQTT
AMQP
OpenWire
Core

-----Original Message-----
From: SCOTT FIELDS <Sc...@kyndryl.com.INVALID> 
Sent: Wednesday, November 1, 2023 1:03 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] RE: Native Oauth/OIDC integration in ActiveMQ

FYI, I'm awaiting the technical details from the AMQ admins on our side regarding the client use cases involved.

-----Original Message-----
From: Justin Bertram <jb...@apache.org>
Sent: Wednesday, November 1, 2023 12:45 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ

Can anybody clarify the use-case for this? What messaging protocols are in view here? I'd love to understand more. Thanks!


Justin

On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:

> Hi Scott-
>
> Got it, makes sense. Please open a JIRA for the request:
> https://issues.apache.org/jira/
>
> We’ll be doing roadmap and planning for the next round of release once
> 6.0.0 is out.
>
> Thanks,
> Matt Pavlovich
>
> > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS 
> > <Sc...@kyndryl.com.INVALID>
> wrote:
> >
> > Yes, using certificate based authentication/authorization is a 
> > secondary
> approved method if OIDC isn't supported for this customer.
> >
> > But...I wanted to pursue the OIDC mechanism, since that's the 
> > customer's
> primary solution.
> >
> > -----Original Message-----
> > From: Matt Pavlovich <ma...@gmail.com>
> > Sent: Tuesday, October 31, 2023 3:19 PM
> > To: users@activemq.apache.org
> > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> >
> > Hi Scott-
> >
> > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
> started using JWT:
> >
> > https://github.com/apache/activemq/pull/1035
> >
> > In general, using OAuth/OIDC may not be desirable as having 
> > background
> threads refreshing tokens can have negative side effects. The OAuth2 
> "AppAuth pattern" is something else to look into.
> >
> > Have you considered two-way SSL authentication? Stronger security, 
> > with
> expiry and revocation support.
> >
> > Thanks,
> > Matt Pavlovich
> >
> >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS 
> >> <Sc...@kyndryl.com.INVALID>
> wrote:
> >>
> >> To my knowledge, there is no native ActiveMQ integration for
> Authorization/Authentication via Oauth/OIDC.
> >>
> >> Is there any plan, if not, to include this, besides requiring an
> external JAAS method provided either by an external vendor or require 
> a custom coding front-end from the end-use provider?
> >>
> >> If not, what's the best way to request this?
> >>
> >> Scott Fields
> >> Kyndryl
> >> Senior Lead SRE - BNSF
> >> 817-593-5038 (BNSF)
> >> scott.fields@kyndryl.com<ma...@kyndryl.com>
> >> scott.fields@bnsf.com<ma...@bnsf.com>
> >>
> >
>
>

RE: Native Oauth/OIDC integration in ActiveMQ

Posted by SCOTT FIELDS <Sc...@kyndryl.com.INVALID>.
Raymond,

Did you submit the JIRA for this?

My company e-mail strips out the URL for the JIRA request included earlier.

-----Original Message-----
From: Matt Pavlovich <ma...@gmail.com> 
Sent: Wednesday, November 1, 2023 2:28 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ

Hi Raymond—

This is good info. Can you make a JIRA with it?

Thanks!
Matt Pavlovich

> On Nov 1, 2023, at 1:58 PM, ski n <ra...@gmail.com> wrote:
> 
> What I know from my time as a consultant is that it often goes like this.
> 
> The company:
> 
> 1. Requirement 1: We need secure authentication.
> 2. Requirement 2: We need to comply with standards.
> 3. Requirement 3: We need a technology-neutral way to authenticate.
> 
> The architects:
> 
> The conclusion is that OAuth is the standard way to authenticate, so 
> every software component (application, api, middleware) in the 
> enterprise must follow it.
> 
> How much sense it makes for each use case, that there are other 
> protocols (Kerberos, SAML, JAAS), that it may impact performance, that 
> it is only used internally, that OAuth has different workflows, that 
> it can complicate things and slow things down, it doesn't matter. I'm 
> not that familiar with JAAS, but if you bring this up to the 
> architects, they're probably going to say something like, "I don't 
> know JAAS. Oh, is it Java? Then certainly not technology neutral and 
> secure. We were clear that OAuth is the enterprise standard".
> 
> I'm not saying that's right, but this is often how it goes.
> 
> Raymond
> 
> 
> 
> 
> 
> On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS 
> <Sc...@kyndryl.com.invalid> wrote:
> 
>> FYI, I'm awaiting the technical details from the AMQ admins on our 
>> side regarding the client use cases involved.
>> 
>> -----Original Message-----
>> From: Justin Bertram <jb...@apache.org>
>> Sent: Wednesday, November 1, 2023 12:45 PM
>> To: users@activemq.apache.org
>> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>> 
>> Can anybody clarify the use-case for this? What messaging protocols 
>> are in view here? I'd love to understand more. Thanks!
>> 
>> 
>> Justin
>> 
>> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:
>> 
>>> Hi Scott-
>>> 
>>> Got it, makes sense. Please open a JIRA for the request:
>>> https://issues.apache.org/jira/
>>> 
>>> We’ll be doing roadmap and planning for the next round of release 
>>> once
>>> 6.0.0 is out.
>>> 
>>> Thanks,
>>> Matt Pavlovich
>>> 
>>>> On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS 
>>>> <Sc...@kyndryl.com.INVALID>
>>> wrote:
>>>> 
>>>> Yes, using certificate based authentication/authorization is a 
>>>> secondary
>>> approved method if OIDC isn't supported for this customer.
>>>> 
>>>> But...I wanted to pursue the OIDC mechanism, since that's the 
>>>> customer's
>>> primary solution.
>>>> 
>>>> -----Original Message-----
>>>> From: Matt Pavlovich <ma...@gmail.com>
>>>> Sent: Tuesday, October 31, 2023 3:19 PM
>>>> To: users@activemq.apache.org
>>>> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>>>> 
>>>> Hi Scott-
>>>> 
>>>> There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
>>> started using JWT:
>>>> 
>>>> https://github.com/apache/activemq/pull/1035
>>>> 
>>>> In general, using OAuth/OIDC may not be desirable as having 
>>>> background
>>> threads refreshing tokens can have negative side effects. The OAuth2 
>>> "AppAuth pattern" is something else to look into.
>>>> 
>>>> Have you considered two-way SSL authentication? Stronger security, 
>>>> with
>>> expiry and revocation support.
>>>> 
>>>> Thanks,
>>>> Matt Pavlovich
>>>> 
>>>>> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS 
>>>>> <Sc...@kyndryl.com.INVALID>
>>> wrote:
>>>>> 
>>>>> To my knowledge, there is no native ActiveMQ integration for
>>> Authorization/Authentication via Oauth/OIDC.
>>>>> 
>>>>> Is there any plan, if not, to include this, besides requiring an
>>> external JAAS method provided either by an external vendor or 
>>> require a custom coding front-end from the end-use provider?
>>>>> 
>>>>> If not, what's the best way to request this?
>>>>> 
>>>>> Scott Fields
>>>>> Kyndryl
>>>>> Senior Lead SRE - BNSF
>>>>> 817-593-5038 (BNSF)
>>>>> scott.fields@kyndryl.com<ma...@kyndryl.com>
>>>>> scott.fields@bnsf.com<ma...@bnsf.com>
>>>>> 
>>>> 
>>> 
>>> 
>> 


Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Matt Pavlovich <ma...@gmail.com>.
Hi Raymond—

This is good info. Can you make a JIRA with it?

Thanks!
Matt Pavlovich

> On Nov 1, 2023, at 1:58 PM, ski n <ra...@gmail.com> wrote:
> 
> What I know from my time as a consultant is that it often goes like this.
> 
> The company:
> 
> 1. Requirement 1: We need secure authentication.
> 2. Requirement 2: We need to comply with standards.
> 3. Requirement 3: We need a technology-neutral way to authenticate.
> 
> The architects:
> 
> The conclusion is that OAuth is the standard way to authenticate, so every
> software component (application, api, middleware) in the enterprise must
> follow it.
> 
> How much sense it makes for each use case, that there are other protocols
> (Kerberos, SAML, JAAS), that it may impact performance, that it is only
> used internally, that OAuth has different workflows, that it can
> complicate things and slow things down, it doesn't matter. I'm not that
> familiar with JAAS, but if you bring this up to the architects, they're
> probably going to say something like, "I don't know JAAS. Oh, is it Java?
> Then certainly not technology neutral and secure. We were clear that OAuth
> is the enterprise standard".
> 
> I'm not saying that's right, but this is often how it goes.
> 
> Raymond
> 
> 
> 
> 
> 
> On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS
> <Sc...@kyndryl.com.invalid> wrote:
> 
>> FYI, I'm awaiting the technical details from the AMQ admins on our side
>> regarding the client use cases involved.
>> 
>> -----Original Message-----
>> From: Justin Bertram <jb...@apache.org>
>> Sent: Wednesday, November 1, 2023 12:45 PM
>> To: users@activemq.apache.org
>> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>> 
>> Can anybody clarify the use-case for this? What messaging protocols are in
>> view here? I'd love to understand more. Thanks!
>> 
>> 
>> Justin
>> 
>> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:
>> 
>>> Hi Scott-
>>> 
>>> Got it, makes sense. Please open a JIRA for the request:
>>> https://issues.apache.org/jira/
>>> 
>>> We’ll be doing roadmap and planning for the next round of release once
>>> 6.0.0 is out.
>>> 
>>> Thanks,
>>> Matt Pavlovich
>>> 
>>>> On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS
>>>> <Sc...@kyndryl.com.INVALID>
>>> wrote:
>>>> 
>>>> Yes, using certificate based authentication/authorization is a
>>>> secondary
>>> approved method if OIDC isn't supported for this customer.
>>>> 
>>>> But...I wanted to pursue the OIDC mechanism, since that's the
>>>> customer's
>>> primary solution.
>>>> 
>>>> -----Original Message-----
>>>> From: Matt Pavlovich <ma...@gmail.com>
>>>> Sent: Tuesday, October 31, 2023 3:19 PM
>>>> To: users@activemq.apache.org
>>>> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>>>> 
>>>> Hi Scott-
>>>> 
>>>> There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
>>> started using JWT:
>>>> 
>>>> https://github.com/apache/activemq/pull/1035
>>>> 
>>>> In general, using OAuth/OIDC may not be desirable as having
>>>> background
>>> threads refreshing tokens can have negative side effects. The OAuth2
>>> "AppAuth pattern" is something else to look into.
>>>> 
>>>> Have you considered two-way SSL authentication? Stronger security,
>>>> with
>>> expiry and revocation support.
>>>> 
>>>> Thanks,
>>>> Matt Pavlovich
>>>> 
>>>>> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS
>>>>> <Sc...@kyndryl.com.INVALID>
>>> wrote:
>>>>> 
>>>>> To my knowledge, there is no native ActiveMQ integration for
>>> Authorization/Authentication via Oauth/OIDC.
>>>>> 
>>>>> Is there any plan, if not, to include this, besides requiring an
>>> external JAAS method provided either by an external vendor or require
>>> a custom coding front-end from the end-use provider?
>>>>> 
>>>>> If not, what's the best way to request this?
>>>>> 
>>>>> Scott Fields
>>>>> Kyndryl
>>>>> Senior Lead SRE - BNSF
>>>>> 817-593-5038 (BNSF)
>>>>> scott.fields@kyndryl.com<ma...@kyndryl.com>
>>>>> scott.fields@bnsf.com<ma...@bnsf.com>
>>>>> 
>>>> 
>>> 
>>> 
>> 


RE: Native Oauth/OIDC integration in ActiveMQ

Posted by Vilius Šumskas <vi...@rivile.lt>.
For what it's worth, I can give a real-world example of why OAuth in a messaging system could be a great addition.

Not all messaging systems are used only in a closed, trusted environment located in one (or several) DCs. Also, not all messaging systems are used with a limited number of MQ clients. For example, we are developing and supporting at least two products which use untrusted MQ clients from thousands of external organizations. Think of these clients as gateways between a local organization's on-premises infrastructure and our backend SaaS product, which also communicates with the same messaging system. Such clients are very distributed and can be installed on all sorts of external devices (POS systems, branch servers of large organizations, etc.). The only purpose of these gateways (and of the messaging system used) is to transfer data from external data sources into one centralized database, and back. Our SaaS product has all the information about tenancy, health of these gateways, traffic billing, etc. For one of these products we use RabbitMQ; the other uses ActiveMQ Artemis.

Unfortunately, at the time the first product was built, RabbitMQ didn't support OAuth at all, so we opted to implement mutual TLS, which we decided was too complicated to support. Because we have thousands of clients, certificate renewal and maintenance processes could be very costly. In the end, we chose to use RabbitMQ basic auth.

During development of the second product we tried to use Keycloak via JAAS. Again, Keycloak appeared too complicated to support. It was decided that if we were going to invest time in implementing proper authentication server support, we should do it in a transparent way, so that any major authentication server provider with proper support could be chosen (think Auth0, or Google Cloud Identity). Since we could not find how to do this with Artemis, we chose ActiveMQBasicSecurityManager for now.

In both cases it would be great to use OAuth to authenticate tenants (and associated clients). Of course, for our use case, the provided OAuth support must have at least some advanced configuration parameters so as not to kill the MQ system itself, like caching or similar. But we can always hope for a better tomorrow :)

-- 
   Best Regards,

    Vilius Šumskas
    Rivile
    IT manager
    +370 614 75713

-----Original Message-----
From: ski n <ra...@gmail.com> 
Sent: Wednesday, November 1, 2023 8:58 PM
To: users@activemq.apache.org
Subject: Re: Native Oauth/OIDC integration in ActiveMQ

What I know from my time as a consultant is that it often goes like this.

The company:

1. Requirement 1: We need secure authentication.
2. Requirement 2: We need to comply with standards.
3. Requirement 3: We need a technology-neutral way to authenticate.

The architects:

The conclusion is that OAuth is the standard way to authenticate, so every software component (application, api, middleware) in the enterprise must follow it.

How much sense it makes for each use case, that there are other protocols (Kerberos, SAML, JAAS), that it may impact performance, that it is only used internally, that OAuth has different workflows, that it can complicate things and slow things down, it doesn't matter. I'm not that familiar with JAAS, but if you bring this up to the architects, they're probably going to say something like, "I don't know JAAS. Oh, is it Java? Then certainly not technology neutral and secure. We were clear that OAuth is the enterprise standard".

I'm not saying that's right, but this is often how it goes.

Raymond





On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS <Sc...@kyndryl.com.invalid> wrote:

> FYI, I'm awaiting the technical details from the AMQ admins on our 
> side regarding the client use cases involved.
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Wednesday, November 1, 2023 12:45 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>
> Can anybody clarify the use-case for this? What messaging protocols 
> are in view here? I'd love to understand more. Thanks!
>
>
> Justin
>
> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:
>
> > Hi Scott-
> >
> > Got it, makes sense. Please open a JIRA for the request:
> > https://issues.apache.org/jira/
> >
> > We’ll be doing roadmap and planning for the next round of release 
> > once
> > 6.0.0 is out.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS 
> > > <Sc...@kyndryl.com.INVALID>
> > wrote:
> > >
> > > Yes, using certificate based authentication/authorization is a 
> > > secondary
> > approved method if OIDC isn't supported for this customer.
> > >
> > > But...I wanted to pursue the OIDC mechanism, since that's the 
> > > customer's
> > primary solution.
> > >
> > > -----Original Message-----
> > > From: Matt Pavlovich <ma...@gmail.com>
> > > Sent: Tuesday, October 31, 2023 3:19 PM
> > > To: users@activemq.apache.org
> > > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> > >
> > > Hi Scott-
> > >
> > > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
> > started using JWT:
> > >
> > > https://github.com/apache/activemq/pull/1035
> > >
> > > In general, using OAuth/OIDC may not be desirable as having 
> > > background
> > threads refreshing tokens can have negative side effects. The OAuth2 
> > "AppAuth pattern" is something else to look into.
> > >
> > > Have you considered two-way SSL authentication? Stronger security, 
> > > with
> > expiry and revocation support.
> > >
> > > Thanks,
> > > Matt Pavlovich
> > >
> > >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS 
> > >> <Sc...@kyndryl.com.INVALID>
> > wrote:
> > >>
> > >> To my knowledge, there is no native ActiveMQ integration for
> > Authorization/Authentication via Oauth/OIDC.
> > >>
> > >> Is there any plan, if not, to include this, besides requiring an
> > external JAAS method provided either by an external vendor or 
> > require a custom coding front-end from the end-use provider?
> > >>
> > >> If not, what's the best way to request this?
> > >>
> > >> Scott Fields
> > >> Kyndryl
> > >> Senior Lead SRE - BNSF
> > >> 817-593-5038 (BNSF)
> > >> scott.fields@kyndryl.com<ma...@kyndryl.com>
> > >> scott.fields@bnsf.com<ma...@bnsf.com>
> > >>
> > >
> >
> >
>
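Vilius's closing point (OAuth support that does not kill the broker, "like caching or similar") and Matt's earlier remark about background threads, as an added example that is not Artemis, ActiveMQ or RabbitMQ code: the key cache a broker-side verifier puts in front of the provider's JWKS endpoint. Keys are refreshed lazily in the connecting thread, an unknown kid (the provider rotated its key) is allowed to trigger one early refresh but only at a bounded rate, so thousands of gateways reconnecting at once, or a flood of tokens carrying invented kids, cannot become one request per connection against the identity provider; and during a provider outage the last good keys keep working until a staleness limit, after which lookups fail closed. The fetch function is injected and counted so the block runs offline; the interval and TTL values are assumptions.

```python
import threading
import time


class JwksCache:
    """Key cache a broker-side token verifier puts in front of jwks_uri.

    - Keys are refreshed lazily, in the thread that needs them, at most once
      per `ttl` seconds under normal load: no background refresh thread.
    - An unknown kid (the provider rotated its key) allows one early refresh,
      rate limited to one per `min_refresh_interval` seconds, so a flood of
      tokens with invented kids cannot turn into a fetch per connection.
    - If the provider is unreachable the last good key set stays in use until
      it is `max_stale` seconds old; after that lookups fail closed.
    """

    def __init__(self, fetch, ttl=600, min_refresh_interval=30,
                 max_stale=3600, clock=time.monotonic):
        self._fetch = fetch          # callable returning a JWKS dict
        self._ttl = ttl
        self._min_refresh_interval = min_refresh_interval
        self._max_stale = max_stale
        self._clock = clock
        self._lock = threading.Lock()
        self._keys = {}              # kid -> JWK
        self._fetched_at = None      # time of the last successful fetch
        self._last_attempt = None    # time of the last fetch attempt, good or bad
        self.fetch_count = 0         # observable for the demo below

    def _refresh(self, now):
        self._last_attempt = now
        self.fetch_count += 1
        try:
            jwks = self._fetch()
        except Exception:
            return  # provider down: keep the previous key set
        self._keys = {k["kid"]: k for k in jwks.get("keys", []) if "kid" in k}
        self._fetched_at = now

    def get_key(self, kid):
        """Return the JWK for kid, or None (unknown kid, or keys too stale)."""
        now = self._clock()
        with self._lock:
            if self._fetched_at is None or now - self._fetched_at >= self._ttl:
                self._refresh(now)
            key = self._keys.get(kid)
            if key is None and (self._last_attempt is None
                                or now - self._last_attempt >= self._min_refresh_interval):
                self._refresh(now)
                key = self._keys.get(kid)
            if self._fetched_at is None or now - self._fetched_at > self._max_stale:
                return None  # fail closed rather than trust stale keys
            return key


def demo():
    """Drive the cache with a fake clock and a fake provider (constructed data);
    returns what a practitioner would want to see asserted."""
    t = [0.0]
    provider = {"jwks": {"keys": [{"kid": "k1", "kty": "oct"}]}, "down": False}

    def fetch():
        if provider["down"]:
            raise OSError("identity provider unreachable")
        return provider["jwks"]

    cache = JwksCache(fetch, ttl=600, min_refresh_interval=30, max_stale=3600,
                      clock=lambda: t[0])
    obs = {"known": cache.get_key("k1") is not None}
    # 1000 CONNECTs carrying invented kids inside the interval: no extra fetches.
    for i in range(1000):
        cache.get_key("bogus-%d" % i)
    obs["fetches_after_flood"] = cache.fetch_count
    # Provider rotates to k2; the first sighting after the interval costs one fetch.
    provider["jwks"] = {"keys": [{"kid": "k1"}, {"kid": "k2"}]}
    t[0] = 31
    obs["rotated"] = cache.get_key("k2") is not None
    obs["fetches_after_rotation"] = cache.fetch_count
    # Provider outage: old keys are served until max_stale, then lookups fail closed.
    provider["down"] = True
    t[0] = 31 + 600
    obs["served_during_outage"] = cache.get_key("k1") is not None
    t[0] = 31 + 3601
    obs["failed_closed"] = cache.get_key("k1") is None
    return obs


if __name__ == "__main__":
    print(demo())
```

The same shape applies on the client side of Matt's concern: a gateway that obtains a token when it connects and lets the broker's verifier decide when the lifetime is up needs no refresh thread of its own, while a broker that re-fetches keys on every unknown kid does need the rate limit above.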

Re: Native Oauth/OIDC integration in ActiveMQ

Posted by ski n <ra...@gmail.com>.
What I know from my time as a consultant is that it often goes like this.

The company:

1. Requirement 1: We need secure authentication.
2. Requirement 2: We need to comply with standards.
3. Requirement 3: We need a technology-neutral way to authenticate.

The architects:

The conclusion is that OAuth is the standard way to authenticate, so every
software component (application, api, middleware) in the enterprise must
follow it.

How much sense it makes for each use case, that there are other protocols
(Kerberos, SAML, JAAS), that it may impact performance, that it is only
used internally, that OAuth has different workflows, that it can
complicate things and slow things down, it doesn't matter. I'm not that
familiar with JAAS, but if you bring this up to the architects, they're
probably going to say something like, "I don't know JAAS. Oh, is it Java?
Then certainly not technology neutral and secure. We were clear that OAuth
is the enterprise standard".

I'm not saying that's right, but this is often how it goes.

Raymond





On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS
<Sc...@kyndryl.com.invalid> wrote:

> FYI, I'm awaiting the technical details from the AMQ admins on our side
> regarding the client use cases involved.
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Wednesday, November 1, 2023 12:45 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>
> Can anybody clarify the use-case for this? What messaging protocols are in
> view here? I'd love to understand more. Thanks!
>
>
> Justin
>
> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:
>
> > Hi Scott-
> >
> > Got it, makes sense. Please open a JIRA for the request:
> > https://issues.apache.org/jira/
> >
> > We’ll be doing roadmap and planning for the next round of release once
> > 6.0.0 is out.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS
> > > <Sc...@kyndryl.com.INVALID>
> > wrote:
> > >
> > > Yes, using certificate based authentication/authorization is a
> > > secondary
> > approved method if OIDC isn't supported for this customer.
> > >
> > > But...I wanted to pursue the OIDC mechanism, since that's the
> > > customer's
> > primary solution.
> > >
> > > -----Original Message-----
> > > From: Matt Pavlovich <ma...@gmail.com>
> > > Sent: Tuesday, October 31, 2023 3:19 PM
> > > To: users@activemq.apache.org
> > > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> > >
> > > Hi Scott-
> > >
> > > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
> > started using JWT:
> > >
> > > https://github.com/apache/activemq/pull/1035
> > >
> > > In general, using OAuth/OIDC may not be desirable as having
> > > background
> > threads refreshing tokens can have negative side effects. The OAuth2
> > "AppAuth pattern" is something else to look into.
> > >
> > > Have you considered two-way SSL authentication? Stronger security,
> > > with
> > expiry and revocation support.
> > >
> > > Thanks,
> > > Matt Pavlovich
> > >
> > >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS
> > >> <Sc...@kyndryl.com.INVALID>
> > wrote:
> > >>
> > >> To my knowledge, there is no native ActiveMQ integration for
> > Authorization/Authentication via Oauth/OIDC.
> > >>
> > >> Is there any plan, if not, to include this, besides requiring an
> > external JAAS method provided either by an external vendor or require
> > a custom coding front-end from the end-use provider?
> > >>
> > >> If not, what's the best way to request this?
> > >>
> > >> Scott Fields
> > >> Kyndryl
> > >> Senior Lead SRE - BNSF
> > >> 817-593-5038 (BNSF)
> > >> scott.fields@kyndryl.com<ma...@kyndryl.com>
> > >> scott.fields@bnsf.com<ma...@bnsf.com>
> > >>
> > >
> >
> >
>

RE: Native Oauth/OIDC integration in ActiveMQ

Posted by SCOTT FIELDS <Sc...@kyndryl.com.INVALID>.
FYI, I'm awaiting the technical details from the AMQ admins on our side regarding the client use cases involved.

-----Original Message-----
From: Justin Bertram <jb...@apache.org> 
Sent: Wednesday, November 1, 2023 12:45 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ

Can anybody clarify the use-case for this? What messaging protocols are in view here? I'd love to understand more. Thanks!


Justin

On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:

> Hi Scott-
>
> Got it, makes sense. Please open a JIRA for the request:
> https://issues.apache.org/jira/
>
> We’ll be doing roadmap and planning for the next round of release once
> 6.0.0 is out.
>
> Thanks,
> Matt Pavlovich
>
> > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS 
> > <Sc...@kyndryl.com.INVALID>
> wrote:
> >
> > Yes, using certificate based authentication/authorization is a 
> > secondary
> approved method if OIDC isn't supported for this customer.
> >
> > But...I wanted to pursue the OIDC mechanism, since that's the 
> > customer's
> primary solution.
> >
> > -----Original Message-----
> > From: Matt Pavlovich <ma...@gmail.com>
> > Sent: Tuesday, October 31, 2023 3:19 PM
> > To: users@activemq.apache.org
> > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> >
> > Hi Scott-
> >
> > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
> started using JWT:
> >
> > https://github.com/apache/activemq/pull/1035
> >
> > In general, using OAuth/OIDC may not be desirable as having 
> > background
> threads refreshing tokens can have negative side effects. The OAuth2 
> "AppAuth pattern" is something else to look into.
> >
> > Have you considered two-way SSL authentication? Stronger security, 
> > with
> expiry and revocation support.
> >
> > Thanks,
> > Matt Pavlovich
> >
> >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS 
> >> <Sc...@kyndryl.com.INVALID>
> wrote:
> >>
> >> To my knowledge, there is no native ActiveMQ integration for
> Authorization/Authentication via Oauth/OIDC.
> >>
> >> Is there any plan, if not, to include this, besides requiring an
> external JAAS method provided either by an external vendor or require 
> a custom coding front-end from the end-use provider?
> >>
> >> If not, what's the best way to request this?
> >>
> >> Scott Fields
> >> Kyndryl
> >> Senior Lead SRE - BNSF
> >> 817-593-5038 (BNSF)
> >> scott.fields@kyndryl.com<ma...@kyndryl.com>
> >> scott.fields@bnsf.com<ma...@bnsf.com>
> >>
> >
>
>

Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Justin Bertram <jb...@apache.org>.
Can anybody clarify the use-case for this? What messaging protocols are in
view here? I'd love to understand more. Thanks!


Justin

On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <ma...@gmail.com> wrote:

> Hi Scott-
>
> Got it, makes sense. Please open a JIRA for the request:
> https://issues.apache.org/jira/
>
> We’ll be doing roadmap and planning for the next round of release once
> 6.0.0 is out.
>
> Thanks,
> Matt Pavlovich
>
> > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID>
> wrote:
> >
> > Yes, using certificate based authentication/authorization is a secondary
> approved method if OIDC isn't supported for this customer.
> >
> > But...I wanted to pursue the OIDC mechanism, since that's the customer's
> primary solution.
> >
> > -----Original Message-----
> > From: Matt Pavlovich <ma...@gmail.com>
> > Sent: Tuesday, October 31, 2023 3:19 PM
> > To: users@activemq.apache.org
> > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> >
> > Hi Scott-
> >
> > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
> started using JWT:
> >
> > https://github.com/apache/activemq/pull/1035
> >
> > In general, using OAuth/OIDC may not be desirable as having background
> threads refreshing tokens can have negative side effects. The OAuth2
> "AppAuth pattern" is something else to look into.
> >
> > Have you considered two-way SSL authentication? Stronger security, with
> expiry and revocation support.
> >
> > Thanks,
> > Matt Pavlovich
> >
> >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID>
> wrote:
> >>
> >> To my knowledge, there is no native ActiveMQ integration for
> Authorization/Authentication via Oauth/OIDC.
> >>
> >> Is there any plan, if not, to include this, besides requiring an
> external JAAS method provided either by an external vendor or require a
> custom coding front-end from the end-use provider?
> >>
> >> If not, what's the best way to request this?
> >>
> >> Scott Fields
> >> Kyndryl
> >> Senior Lead SRE - BNSF
> >> 817-593-5038 (BNSF)
> >> scott.fields@kyndryl.com<ma...@kyndryl.com>
> >> scott.fields@bnsf.com<ma...@bnsf.com>
> >>
> >
>
>

Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Matt Pavlovich <ma...@gmail.com>.
Hi Scott-

Got it, makes sense. Please open a JIRA for the request:  https://issues.apache.org/jira/ 

We’ll be doing roadmap and planning for the next round of release once 6.0.0 is out.

Thanks,
Matt Pavlovich

> On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID> wrote:
> 
> Yes, using certificate based authentication/authorization is a secondary approved method if OIDC isn't supported for this customer.
> 
> But...I wanted to pursue the OIDC mechanism, since that's the customer's primary solution.
> 
> -----Original Message-----
> From: Matt Pavlovich <ma...@gmail.com> 
> Sent: Tuesday, October 31, 2023 3:19 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> 
> Hi Scott-
> 
> There is interest in adding this to Apache ActiveMQ. A DRAFT PR was started using JWT:
> 
> https://github.com/apache/activemq/pull/1035 
> 
> In general, using OAuth/OIDC may not be desirable as having background threads refreshing tokens can have negative side effects. The OAuth2 "AppAuth pattern" is something else to look into.
> 
> Have you considered two-way SSL authentication? Stronger security, with expiry and revocation support.
> 
> Thanks,
> Matt Pavlovich
> 
>> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID> wrote:
>> 
>> To my knowledge, there is no native ActiveMQ integration for Authorization/Authentication via Oauth/OIDC.
>> 
>> Is there any plan, if not, to include this, besides requiring an external JAAS method provided either by an external vendor or require a custom coding front-end from the end-use provider?
>> 
>> If not, what's the best way to request this?
>> 
>> Scott Fields
>> Kyndryl
>> Senior Lead SRE - BNSF
>> 817-593-5038 (BNSF)
>> scott.fields@kyndryl.com<ma...@kyndryl.com>
>> scott.fields@bnsf.com<ma...@bnsf.com>
>> 
> 


RE: Native Oauth/OIDC integration in ActiveMQ

Posted by SCOTT FIELDS <Sc...@kyndryl.com.INVALID>.
Yes, using certificate based authentication/authorization is a secondary approved method if OIDC isn't supported for this customer.

But...I wanted to pursue the OIDC mechanism, since that's the customer's primary solution.

-----Original Message-----
From: Matt Pavlovich <ma...@gmail.com> 
Sent: Tuesday, October 31, 2023 3:19 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ

Hi Scott-

There is interest in adding this to Apache ActiveMQ. A DRAFT PR was started using JWT:

https://github.com/apache/activemq/pull/1035 

In general, using OAuth/OIDC may not be desirable as having background threads refreshing tokens can have negative side effects. The OAuth2 "AppAuth pattern" is something else to look into.

Have you considered two-way SSL authentication? Stronger security, with expiry and revocation support.

Thanks,
Matt Pavlovich

> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID> wrote:
> 
> To my knowledge, there is no native ActiveMQ integration for Authorization/Authentication via Oauth/OIDC.
> 
> Is there any plan, if not, to include this, besides requiring an external JAAS method provided either by an external vendor or require a custom coding front-end from the end-use provider?
> 
> If not, what's the best way to request this?
> 
> Scott Fields
> Kyndryl
> Senior Lead SRE - BNSF
> 817-593-5038 (BNSF)
> scott.fields@kyndryl.com<ma...@kyndryl.com>
> scott.fields@bnsf.com<ma...@bnsf.com>
> 


Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Matt Pavlovich <ma...@gmail.com>.
Hi Scott-

There is interest in adding this to Apache ActiveMQ. A DRAFT PR was started using JWT:

https://github.com/apache/activemq/pull/1035

In general, using OAuth/OIDC may not be desirable as having background threads refreshing tokens can have negative side effects. The OAuth2 "AppAuth pattern" is something else to look into.

Have you considered two-way SSL authentication? Stronger security, with expiry and revocation support.

Thanks,
Matt Pavlovich

> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS <Sc...@kyndryl.com.INVALID> wrote:
> 
> To my knowledge, there is no native ActiveMQ integration for Authorization/Authentication via Oauth/OIDC.
> 
> Is there any plan, if not, to include this, besides requiring an external JAAS method provided either by an external vendor or require a custom coding front-end from the end-use provider?
> 
> If not, what's the best way to request this?
> 
> Scott Fields
> Kyndryl
> Senior Lead SRE - BNSF
> 817-593-5038 (BNSF)
> scott.fields@kyndryl.com<ma...@kyndryl.com>
> scott.fields@bnsf.com<ma...@bnsf.com>
> 


Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Justin Bertram <jb...@apache.org>.
What messaging client implementation(s) and protocol(s) will your customer
be using? What's their use-case?


Justin

On Tue, Oct 31, 2023 at 2:34 PM SCOTT FIELDS
<Sc...@kyndryl.com.invalid> wrote:

> Only that our customer is migrating to cloud solutions and their desired
> authentication/authorization service will be desired to use OIDC (OpenID
> Connect).
>
>
>
> -----Original Message-----
> From: Justin Bertram <jb...@apache.org>
> Sent: Tuesday, October 31, 2023 2:29 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>
> As far as I'm aware, using JAAS *is* the "native" way to integrate with
> security providers in both "Classic" and Artemis. I don't believe an Oauth
> JAAS login module is being developed in the community.
>
> For what it's worth, most messaging protocols and/or clients don't support
> Oauth anyway.
>
> Is there a specific use-case you have in mind that requires Oauth?
>
>
> Justin
>
> On Tue, Oct 31, 2023 at 2:18 PM SCOTT FIELDS <Sc...@kyndryl.com.invalid>
> wrote:
>
> > To my knowledge, there is no native ActiveMQ integration for
> > Authorization/Authentication via Oauth/OIDC.
> >
> > Is there any plan, if not, to include this, besides requiring an
> > external JAAS method provided either by an external vendor or require
> > a custom coding front-end from the end-use provider?
> >
> > If not, what's the best way to request this?
> >
> > Scott Fields
> > Kyndryl
> > Senior Lead SRE - BNSF
> > 817-593-5038 (BNSF)
> > scott.fields@kyndryl.com<ma...@kyndryl.com>
> > scott.fields@bnsf.com<ma...@bnsf.com>
> >
> >
>

RE: Native Oauth/OIDC integration in ActiveMQ

Posted by SCOTT FIELDS <Sc...@kyndryl.com.INVALID>.
Only that our customer is migrating to cloud solutions and their desired authentication/authorization service will be desired to use OIDC (OpenID Connect).



-----Original Message-----
From: Justin Bertram <jb...@apache.org> 
Sent: Tuesday, October 31, 2023 2:29 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ

As far as I'm aware, using JAAS *is* the "native" way to integrate with security providers in both "Classic" and Artemis. I don't believe an Oauth JAAS login module is being developed in the community.

For what it's worth, most messaging protocols and/or clients don't support Oauth anyway.

Is there a specific use-case you have in mind that requires Oauth?


Justin

On Tue, Oct 31, 2023 at 2:18 PM SCOTT FIELDS <Sc...@kyndryl.com.invalid> wrote:

> To my knowledge, there is no native ActiveMQ integration for 
> Authorization/Authentication via Oauth/OIDC.
>
> Is there any plan, if not, to include this, besides requiring an 
> external JAAS method provided either by an external vendor or require 
> a custom coding front-end from the end-use provider?
>
> If not, what's the best way to request this?
>
> Scott Fields
> Kyndryl
> Senior Lead SRE - BNSF
> 817-593-5038 (BNSF)
> scott.fields@kyndryl.com<ma...@kyndryl.com>
> scott.fields@bnsf.com<ma...@bnsf.com>
>
>

Re: Native Oauth/OIDC integration in ActiveMQ

Posted by Justin Bertram <jb...@apache.org>.
As far as I'm aware, using JAAS *is* the "native" way to integrate with
security providers in both "Classic" and Artemis. I don't believe an Oauth
JAAS login module is being developed in the community.

For what it's worth, most messaging protocols and/or clients don't support
Oauth anyway.

Is there a specific use-case you have in mind that requires Oauth?


Justin

On Tue, Oct 31, 2023 at 2:18 PM SCOTT FIELDS
<Sc...@kyndryl.com.invalid> wrote:

> To my knowledge, there is no native ActiveMQ integration for
> Authorization/Authentication via Oauth/OIDC.
>
> Is there any plan, if not, to include this, besides requiring an external
> JAAS method provided either by an external vendor or require a custom
> coding front-end from the end-use provider?
>
> If not, what's the best way to request this?
>
> Scott Fields
> Kyndryl
> Senior Lead SRE - BNSF
> 817-593-5038 (BNSF)
> scott.fields@kyndryl.com<ma...@kyndryl.com>
> scott.fields@bnsf.com<ma...@bnsf.com>
>
>
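Justin's point above is that JAAS is the extension point for both brokers, and Matt's earlier reply mentions a JWT-based draft; the following is an added example (not code from this thread, from the draft PR, or from the ActiveMQ project) of what such a login module for ActiveMQ "Classic" looks like. It assumes the nimbus-jose-jwt library and the activemq-jaas artifact (for `UserPrincipal`/`GroupPrincipal`) on the broker classpath, the common convention that a client which cannot speak OAuth natively sends its OIDC access token in the password field, and placeholder issuer/JWKS values; the class name, option names and URLs are illustrative, not anything the project defines.

```java
// Added example, not code from this thread or from the ActiveMQ project. Assumes
// nimbus-jose-jwt and activemq-jaas on the classpath and a login.config entry such as
// (placeholder values):  activemq { com.example.JwtLoginModule required
//   jwksUrl="https://idp.example.test/jwks" issuer="https://idp.example.test"
//   audience="activemq" rolesClaim="roles"; };
// wired into activemq.xml with <jaasAuthenticationPlugin configuration="activemq"/>.
package com.example;

import java.net.URL;
import java.security.Principal;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.UserPrincipal;

public class JwtLoginModule implements LoginModule {
    private static final long CLOCK_SKEW_MS = 60_000; // tolerate 60 s of drift on exp
    private Subject subject;
    private CallbackHandler handler;
    private Map<String, ?> options;
    private final Set<Principal> principals = new HashSet<>();

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.options = options;
    }

    // The client sends its access token in the password field; the username it sends
    // is ignored and the identity is taken from the verified token instead.
    @Override
    public boolean login() throws LoginException {
        PasswordCallback pw = new PasswordCallback("Token: ", false);
        try {
            handler.handle(new Callback[] { new NameCallback("Username: "), pw });
        } catch (Exception e) {
            throw new LoginException("callback handler failed: " + e.getMessage());
        }
        if (pw.getPassword() == null || pw.getPassword().length == 0) {
            throw new FailedLoginException("no token supplied");
        }
        String token = new String(pw.getPassword());
        pw.clearPassword();
        JWTClaimsSet claims = verify(token);
        principals.add(new UserPrincipal(claims.getSubject()));
        Object roles = claims.getClaim(opt("rolesClaim", "roles")); // e.g. ["admins","readers"]
        if (roles instanceof List) {
            for (Object r : (List<?>) roles) principals.add(new GroupPrincipal(String.valueOf(r)));
        }
        return true;
    }

    private JWTClaimsSet verify(String token) throws LoginException {
        try {
            SignedJWT jwt = SignedJWT.parse(token);
            // 1. Pin the algorithm: no "none", no HMAC/RSA key confusion.
            if (!JWSAlgorithm.RS256.equals(jwt.getHeader().getAlgorithm())) {
                throw new FailedLoginException("unexpected alg");
            }
            // 2. Pick the IdP key named by "kid" (fetched per login here; cache it in production).
            String kid = jwt.getHeader().getKeyID();
            JWKSet jwks = JWKSet.load(new URL(opt("jwksUrl", "")), 2000, 2000, 65536);
            List<JWK> keys = kid == null ? Collections.<JWK>emptyList()
                    : new JWKSelector(new JWKMatcher.Builder().keyID(kid).build()).select(jwks);
            if (keys.isEmpty() || !(keys.get(0) instanceof RSAKey)) {
                throw new FailedLoginException("unknown signing key");
            }
            // 3. Signature first, then 4. exp / iss / aud / sub.
            if (!jwt.verify(new RSASSAVerifier((RSAKey) keys.get(0)))) {
                throw new FailedLoginException("bad signature");
            }
            JWTClaimsSet c = jwt.getJWTClaimsSet();
            Date exp = c.getExpirationTime();
            if (exp == null || exp.getTime() + CLOCK_SKEW_MS < System.currentTimeMillis()) {
                throw new FailedLoginException("token expired");
            }
            if (!opt("issuer", "").equals(c.getIssuer())) throw new FailedLoginException("wrong issuer");
            if (c.getAudience() == null || !c.getAudience().contains(opt("audience", ""))) {
                throw new FailedLoginException("wrong audience");
            }
            if (c.getSubject() == null) throw new FailedLoginException("missing sub");
            return c;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) { // parse errors and JWKS fetch failures all fail closed
            throw new FailedLoginException("token rejected: " + e.getClass().getSimpleName());
        }
    }

    private String opt(String key, String def) {
        Object v = options.get(key);
        return v == null ? def : v.toString();
    }

    @Override public boolean commit() { subject.getPrincipals().addAll(principals); return true; }
    @Override public boolean abort()  { principals.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(principals); principals.clear(); return true; }
}
```

Two things worth noting about this design. Because the token travels as a bearer credential in the password field, the transport connector it is sent over has to be TLS; a plaintext `tcp://` listener would expose a reusable access token. And the module only validates at connection time: an established session is not torn down when its token's `exp` passes, which is exactly the refresh-and-reconnect problem Matt's reply alludes to and one reason he points at client certificates, where expiry and revocation are handled by the TLS layer.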

Re: Native Oauth/OIDC integration in ActiveMQ

Posted by barry haycock <bd...@gmail.com>.
I've been trying to get the jetty implementation working with keycloak for
a while now.

It would be good to get that side working with Oidc

On Wed, 1 Nov 2023, 06:17 SCOTT FIELDS, <Sc...@kyndryl.com.invalid>
wrote:

> To my knowledge, there is no native ActiveMQ integration for
> Authorization/Authentication via Oauth/OIDC.
>
> Is there any plan, if not, to include this, besides requiring an external
> JAAS method provided either by an external vendor or require a custom
> coding front-end from the end-use provider?
>
> If not, what's the best way to request this?
>
> Scott Fields
> Kyndryl
> Senior Lead SRE - BNSF
> 817-593-5038 (BNSF)
> scott.fields@kyndryl.com<ma...@kyndryl.com>
> scott.fields@bnsf.com<ma...@bnsf.com>
>
>