What I know from my time as a consultant is that it often goes like this.

The company:
1. Requirement 1: We need secure authentication.
2. Requirement 2: We need to comply with standards.
3. Requirement 3: We need a technology-neutral way to authenticate.

The architects:
The conclusion is that OAuth is the standard way to authenticate, so every software component (application, API, middleware) in the enterprise must follow it. How much sense it makes for each use case, that there are other protocols (Kerberos, SAML, JAAS), that it may impact performance, that it is only used internally, that OAuth has different workflows, that it can complicate things and slow things down, it doesn't matter.

I'm not that familiar with JAAS, but if you bring this up to the architects, they're probably going to say something like, "I don't know JAAS. Oh, is it Java? Then certainly not technology neutral and secure. We were clear that OAuth is the enterprise standard". I'm not saying that's right, but this is often how it goes.

Raymond

On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS <scott.fie...@kyndryl.com.invalid> wrote:

> FYI, I'm awaiting the technical details from the AMQ admins on our side
> regarding the client use cases involved.
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Wednesday, November 1, 2023 12:45 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>
> Can anybody clarify the use-case for this? What messaging protocols are in
> view here? I'd love to understand more. Thanks!
>
>
> Justin
>
> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>
> > Hi Scott-
> >
> > Got it, makes sense. Please open a JIRA for the request:
> >
> > INVALID URI REMOVED
> > _jira_&d=DwIFaQ&c=cCoa5WWAB7EEETJScYfkXg&r=LQqpejpmPovblCMRepcZSfPCNx6
> > OWpQ6tx9PqWhrghQ&m=nXztDtwq3oUC9PwBq8DSh1xJpsp8sEgsIJJgFfnOnXIEcWhXPnB
> > O4nNZ-P0AcAvt&s=EsvNxmpIzKiaKvwq3i6NlRNPFd9sXiBiAoPA_ocaWtk&e=
> >
> > We'll be doing roadmap and planning for the next round of release once
> > 6.0.0 is out.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS
> > > <scott.fie...@kyndryl.com.INVALID> wrote:
> > >
> > > Yes, using certificate based authentication/authorization is a
> > > secondary approved method if OIDC isn't supported for this customer.
> > >
> > > But...I wanted to pursue the OIDC mechanism, since that's the
> > > customer's primary solution.
> > >
> > > -----Original Message-----
> > > From: Matt Pavlovich <mattr...@gmail.com>
> > > Sent: Tuesday, October 31, 2023 3:19 PM
> > > To: users@activemq.apache.org
> > > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> > >
> > > Hi Scott-
> > >
> > > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
> > > started using JWT:
> > >
> > > INVALID URI REMOVED
> > > he_activemq_pull_1035&d=DwIFaQ&c=cCoa5WWAB7EEETJScYfkXg&r=LQqpejpmPo
> > > vblCMRepcZSfPCNx6OWpQ6tx9PqWhrghQ&m=nXztDtwq3oUC9PwBq8DSh1xJpsp8sEgs
> > > IJJgFfnOnXIEcWhXPnBO4nNZ-P0AcAvt&s=wAemuHPk4ei6Ff2zo03Bsa1sco_3PB2a-
> > > dXkAYggG1A&e=
> > >
> > > In general, using OAuth/OIDC may not be desirable as having
> > > background threads refreshing tokens can have negative side effects.
> > > The OAuth2 "AppAuth pattern" is something else to look into.
> > >
> > > Have you considered two-way SSL authentication? Stronger security,
> > > with expiry and revocation support.
> > >
> > > Thanks,
> > > Matt Pavlovich
> > >
> > >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS
> > >> <scott.fie...@kyndryl.com.INVALID> wrote:
> > >>
> > >> To my knowledge, there is no native ActiveMQ integration for
> > >> Authorization/Authentication via Oauth/OIDC.
> > >>
> > >> Is there any plan, if not, to include this, besides requiring an
> > >> external JAAS method provided either by an external vendor or require
> > >> a custom coding front-end from the end-use provider?
> > >>
> > >> If not, what's the best way to request this?
> > >>
> > >> Scott Fields
> > >> Kyndryl
> > >> Senior Lead SRE - BNSF
> > >> 817-593-5038 (BNSF)
> > >> scott.fie...@kyndryl.com<mailto:scott.fie...@kyndryl.com>
> > >> scott.fie...@bnsf.com<mailto:scott.fie...@bnsf.com>