Posted to users@qpid.apache.org by Dan Langford <da...@gmail.com> on 2023/05/18 21:14:22 UTC

BrokerJ + Oauth2 max frame size

We are exploring the use of OAuth2 with Qpid BrokerJ. We use Okta but it's
all OpenID and the Keycloak provider seems like it might work for us. We
are referencing this Confluence article about how to configure the Qpid JMS
client to update the token as it expires:

https://cwiki.apache.org/confluence/display/qpid/XOAUTH2+SASL+Mechanism+and+token+expiration

OAuth JWT tokens can be BIG!!!

Here is the error:

2023-05-18T20:29:10,377Z WARN  [IO-/172.22.0.1:59090]
(o.a.q.s.p.v.f.FrameHandler) - Unexpected exception handling frame
org.apache.qpid.server.util.ConnectionScopedRuntimeException:
Connection is closed before being fully established: specified frame
size 5007 larger than maximum frame header size 4096
    at org.apache.qpid.server.protocol.v1_0.AMQPConnection_1_0Impl.closeConnection(AMQPConnection_1_0Impl.java:1172)
    at org.apache.qpid.server.protocol.v1_0.AMQPConnection_1_0Impl.handleError(AMQPConnection_1_0Impl.java:785)
    at org.apache.qpid.server.protocol.v1_0.framing.FrameHandler.parse(FrameHandler.java:219)
    at org.apache.qpid.server.protocol.v1_0.AMQPConnection_1_0Impl.onReceive(AMQPConnection_1_0Impl.java:1309)
    at


As we are exploring this, the problem we are running into seems to be that
the SASL frames are too big. And when we configure the max frame size on
the connection string, that isn't configured until the Open frame is received,
but that all is after the SASL. I'm wondering if there is a way to configure
the max frame size of the SASL frames or if there is a way to configure the
default/initial max frame size of BrokerJ.

https://github.com/apache/qpid-broker-j/blob/9.0.0/broker-plugins/amqp-1-0-protocol/src/main/java/org/apache/qpid/server/protocol/v1_0/AMQPConnection_1_0Impl.java#L188

Or did I misunderstand / misinterpret my error and should the SASL auth all
happen after the Open frame is sent? Thanks

Re: BrokerJ + Oauth2 max frame size

Posted by Dan Langford <da...@gmail.com>.
Thank you
https://issues.apache.org/jira/browse/QPID-8648

On Fri, May 19, 2023 at 4:04 AM Robbie Gemmell <ro...@gmail.com>
wrote:

> The SASL process occurs first, before the Open frame. The Open frames
> are what carry each peer's advertised max frame size, mainly aimed at
> later message deliveries. The AMQP 1.0 spec defines before this,
> however, that the SASL frames can be at most the 'min max frame size',
> which is fixed at 512 bytes, with no way to negotiate anything larger.
>
> As you can probably tell, that presents a problem if things in the
> SASL negotiation want to be larger, such as is likely in e.g. a newer
> XOAUTH2 mechanism that didn't exist when that decision was originally
> made.
>
> To simply allow some of these newer alternative mechs to work, it was
> decided to just allow things to exceed the 512-byte limit since both
> sides would have to already agree on using a given mech to begin with,
> so doing an alternative like creating a custom multi-challenge
> batching sequence to shuffle the bytes wasn't really going to be adding
> much except significant complexity.
>
> It appears broker-j allows up to 4096, and you have now found
> something to exceed even that. It doesn't look like it allows
> configuring it, but increasing that seems to be the only option that
> would help here.

Re: BrokerJ + Oauth2 max frame size

Posted by Robbie Gemmell <ro...@gmail.com>.
The SASL process occurs first, before the Open frame. The Open frames
are what carry each peer's advertised max frame size, mainly aimed at
later message deliveries. The AMQP 1.0 spec defines before this,
however, that the SASL frames can be at most the 'min max frame size',
which is fixed at 512 bytes, with no way to negotiate anything larger.

As you can probably tell, that presents a problem if things in the
SASL negotiation want to be larger, such as is likely in e.g. a newer
XOAUTH2 mechanism that didn't exist when that decision was originally
made.

To simply allow some of these newer alternative mechs to work, it was
decided to just allow things to exceed the 512-byte limit since both
sides would have to already agree on using a given mech to begin with,
so doing an alternative like creating a custom multi-challenge
batching sequence to shuffle the bytes wasn't really going to be adding
much except significant complexity.

It appears broker-j allows up to 4096, and you have now found
something to exceed even that. It doesn't look like it allows
configuring it, but increasing that seems to be the only option that
would help here.

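Added example (not part of the thread and not Qpid code): a pre-flight check that builds the XOAUTH2 initial response and one valid AMQP 1.0 encoding of the sasl-init frame, then compares its size with the 512-byte 'min max frame size' and the 4096-byte limit shown in the broker log above. The function and constant names, user name, hostname and tokens are assumptions constructed for illustration, and a real client may encode the frame a few bytes differently.

```python
import struct

AMQP_MIN_MAX_FRAME_SIZE = 512   # AMQP 1.0 limit for frames sent before Open
BROKER_J_PRE_OPEN_LIMIT = 4096  # assumed name; value taken from the log in this thread


def encode_variable(code8: int, code32: int, data: bytes) -> bytes:
    """Encode a variable-width AMQP value using the 1- or 4-byte length form."""
    if len(data) <= 255:
        return bytes([code8, len(data)]) + data
    return bytes([code32]) + struct.pack(">I", len(data)) + data


def xoauth2_initial_response(user: str, token: str) -> bytes:
    """XOAUTH2 initial response: user=<user>^Aauth=Bearer <token>^A^A."""
    return f"user={user}\x01auth=Bearer {token}\x01\x01".encode("utf-8")


def sasl_init_frame(mechanism: str, response: bytes, hostname: str) -> bytes:
    """One valid AMQP 1.0 encoding of a sasl-init frame (descriptor 0x41)."""
    fields = (
        encode_variable(0xA3, 0xB3, mechanism.encode("ascii"))   # symbol
        + encode_variable(0xA0, 0xB0, response)                  # binary
        + encode_variable(0xA1, 0xB1, hostname.encode("utf-8"))  # string
    )
    # Described list32: descriptor, constructor, size (count + fields), count of 3
    body = b"\x00\x53\x41" + b"\xd0" + struct.pack(">II", 4 + len(fields), 3) + fields
    # Frame header: total size, DOFF=2 (8-byte header), type 0x01 = SASL, channel 0
    return struct.pack(">IBBH", 8 + len(body), 2, 1, 0) + body


def check_token(user: str, token: str, hostname: str) -> dict:
    """Report the sasl-init frame size for a token against both limits."""
    frame = sasl_init_frame("XOAUTH2", xoauth2_initial_response(user, token), hostname)
    return {
        "frame_size": len(frame),
        "within_amqp_min_max": len(frame) <= AMQP_MIN_MAX_FRAME_SIZE,
        "within_broker_limit": len(frame) <= BROKER_J_PRE_OPEN_LIMIT,
    }


if __name__ == "__main__":
    # Constructed inputs: 300- and 4900-character placeholder tokens.
    for size in (300, 4900):
        print(size, check_token("svc-user", "x" * size, "broker.example.test"))
```

Running the check against real tokens from the identity provider shows how close a deployment is to the pre-Open limit before a change in token claims pushes it over.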


Re: BrokerJ + Oauth2 max frame size

Posted by Daniil Kirilyuk <da...@gmail.com>.
Hi,

Indeed, it seems that SASL frames are handled before the _maxFrameSize
value is adjusted.

Could you please create a JIRA for this issue?

Kind regards,
Daniil Kirilyuk
