For what it's worth, I can give a real-world example of why OAuth in messaging 
systems could be a great addition.

Not all messaging systems are used only in a closed trusted environment located 
in one (or several) DCs. Also, not all messaging systems are used with a limited 
number of MQ clients. For example, we are developing and supporting at least 
two products which use untrusted MQ clients from thousands of external 
organizations. Think of these clients as gateways between local organization 
on-premises infrastructure and our backend SaaS product, which also 
communicates to the same messaging system. Such clients are very distributed, 
can be installed on all sorts of external devices (POS systems, branch servers 
of large organizations, etc.). The only purpose of these gateways (and used 
messaging system) is to transfer data from external data sources into one 
centralized database, and back. Our SaaS product has all information about 
tenancy, health of these gateways, traffic billing, etc. For one of these 
products we use RabbitMQ, another uses ActiveMQ Artemis.

Unfortunately, at the time the first product was built, RabbitMQ didn't support 
OAuth at all, so we opted to implement mutual TLS, which we decided was too 
complicated to support. Because we have thousands of clients, certificate 
renewals and maintenance processes could be very costly. In the end, we chose 
to use RabbitMQ basic auth.

During development of the second product we tried to use Keycloak via JAAS. 
Again, Keycloak appeared too complicated to support. It was decided that if we 
were to invest time in implementing proper authentication server support, we 
should do it in a transparent way, so that any major authentication server 
provider with proper support could be chosen (think Auth0 or Google Cloud 
Identity). Since we could not find how to do this with Artemis, we chose 
ActiveMQBasicSecurityManager for now.

In both cases it would be great to use OAuth to authenticate tenants (and 
associated clients). Of course, for our use case, the provided OAuth support must 
have at least some advanced configuration parameters so as not to kill the MQ 
system itself, like caching or similar. But we can always hope for a better 
tomorrow :)

-- 
   Best Regards,

    Vilius Šumskas
    Rivile
    IT manager
    +370 614 75713
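The "caching" knob mentioned above, as an added illustration that is not code from this thread, from RabbitMQ or from ActiveMQ Artemis: a broker-side token check that remembers successful validations until the token's own expiry, so thousands of gateway reconnects do not each cost a full verification. Everything here is constructed for the example: the shared HS256 secret, the `mint_token` helper standing in for the authorization server, the `TokenCache` class and the injected `now` clock.

```python
"""Added example: a bounded validation cache in front of JWT verification.

Assumptions (all constructed for this example, not from any product):
- tokens are HS256 JWTs signed with a shared secret the broker holds;
- the cache is an in-process dict keyed by the raw token string;
- the clock is injected so the example runs deterministically offline.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret"  # placeholder for the example only


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(tenant: str, exp: int) -> str:
    """Issue a constructed HS256 JWT; stands in for the OAuth server."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": tenant, "exp": exp}).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class TokenCache:
    """Caches successful validations until the token's own exp claim."""

    def __init__(self, max_entries: int = 10000):
        self.max_entries = max_entries
        self._entries: Dict[str, Tuple[str, int]] = {}
        self.verifications = 0  # full signature checks performed (observability)

    def size(self) -> int:
        return len(self._entries)

    def _verify(self, token: str, now: int) -> Optional[Tuple[str, int]]:
        """Full check: structure, signature, algorithm, expiry. None on failure."""
        self.verifications += 1
        try:
            h, p, s = token.split(".")
            expected = hmac.new(SECRET, f"{h}.{p}".encode(), hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64url_decode(s)):
                return None
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(p))
        except ValueError:  # bad base64, bad JSON, wrong number of segments
            return None
        if header.get("alg") != "HS256":  # refuse algorithm confusion
            return None
        exp = claims.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        sub = claims.get("sub")
        if not isinstance(sub, str):
            return None
        return sub, exp

    def authenticate(self, token: str, now: Optional[int] = None) -> Optional[str]:
        """Return the tenant for a valid token, serving repeats from the cache."""
        now = int(time.time()) if now is None else now
        cached = self._entries.get(token)
        if cached is not None:
            tenant, exp = cached
            if exp > now:
                return tenant
            del self._entries[token]  # expired: drop and re-verify below
        result = self._verify(token, now)
        if result is None:
            return None  # failures are never cached, so a retry re-verifies
        if len(self._entries) >= self.max_entries:
            # Bounded memory: evict the entry that expires soonest
            soonest = min(self._entries, key=lambda k: self._entries[k][1])
            del self._entries[soonest]
        self._entries[token] = result
        return result[0]
```

Only positive results are cached, and each entry dies with its token's `exp`, so the cache never extends a token's lifetime; the `max_entries` bound is what keeps a flood of distinct tokens from growing broker memory without limit.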

-----Original Message-----
From: ski n <raymondmees...@gmail.com> 
Sent: Wednesday, November 1, 2023 8:58 PM
To: users@activemq.apache.org
Subject: Re: Native Oauth/OIDC integration in ActiveMQ

What I know from my time as a consultant is that it often goes like this.

The company:

1. Requirement 1: We need secure authentication.
2. Requirement 2: We need to comply with standards.
3. Requirement 3: We need a technology-neutral way to authenticate.

The architects:

The conclusion is that OAuth is the standard way to authenticate, so every 
software component (application, api, middleware) in the enterprise must follow 
it.

How much sense it makes for each use case, that there are other protocols 
(Kerberos, SAML, JAAS), that it may impact performance, that it is only used 
internally, that OAuth has different workflows, that it can complicate things 
and slow things down, it doesn't matter. I'm not that familiar with JAAS, but 
if you bring this up to the architects, they're probably going to say something 
like, "I don't know JAAS. Oh, is it Java? Then certainly not technology neutral 
and secure. We were clear that OAuth is the enterprise standard."

I'm not saying that's right, but this is often how it goes.

Raymond

On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS <scott.fie...@kyndryl.com.invalid> 
wrote:

> FYI, I'm awaiting the technical details from the AMQ admins on our 
> side regarding the client use cases involved.
>
> -----Original Message-----
> From: Justin Bertram <jbert...@apache.org>
> Sent: Wednesday, November 1, 2023 12:45 PM
> To: users@activemq.apache.org
> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>
> Can anybody clarify the use-case for this? What messaging protocols 
> are in view here? I'd love to understand more. Thanks!
>
>
> Justin
>
> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>
> > Hi Scott-
> >
> > Got it, makes sense. Please open a JIRA for the request:
> > INVALID URI REMOVED
> >
> > We'll be doing roadmap and planning for the next round of release once 
> > 6.0.0 is out.
> >
> > Thanks,
> > Matt Pavlovich
> >
> > > On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS 
> > > <scott.fie...@kyndryl.com.INVALID> wrote:
> > >
> > > Yes, using certificate-based authentication/authorization is a secondary 
> > > approved method if OIDC isn't supported for this customer.
> > >
> > > But... I wanted to pursue the OIDC mechanism, since that's the customer's 
> > > primary solution.
> > >
> > > -----Original Message-----
> > > From: Matt Pavlovich <mattr...@gmail.com>
> > > Sent: Tuesday, October 31, 2023 3:19 PM
> > > To: users@activemq.apache.org
> > > Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
> > >
> > > Hi Scott-
> > >
> > > There is interest in adding this to Apache ActiveMQ. A DRAFT PR was 
> > > started using JWT:
> > >
> > > INVALID URI REMOVED
> > >
> > > In general, using OAuth/OIDC may not be desirable as having background 
> > > threads refreshing tokens can have negative side effects. The OAuth2 
> > > "AppAuth pattern" is something else to look into.
> > >
> > > Have you considered two-way SSL authentication? Stronger security, with 
> > > expiry and revocation support.
> > >
> > > Thanks,
> > > Matt Pavlovich
> > >
> > >> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS 
> > >> <scott.fie...@kyndryl.com.INVALID> wrote:
> > >>
> > >> To my knowledge, there is no native ActiveMQ integration for 
> > >> Authorization/Authentication via OAuth/OIDC.
> > >>
> > >> Is there any plan, if not, to include this, besides requiring an 
> > >> external JAAS method provided either by an external vendor or 
> > >> requiring custom coding of a front-end from the end-use provider?
> > >>
> > >> If not, what's the best way to request this?
> > >>
> > >> Scott Fields
> > >> Kyndryl
> > >> Senior Lead SRE - BNSF
> > >> 817-593-5038 (BNSF)
> > >> scott.fie...@kyndryl.com<mailto:scott.fie...@kyndryl.com>
> > >> scott.fie...@bnsf.com<mailto:scott.fie...@bnsf.com>
> > >>
> > >
> >
> >
>
