Raymond, Did you submit the JIRA for this?
My company e-mail strips out the URL for the JIRA request included earlier.

-----Original Message-----
From: Matt Pavlovich <mattr...@gmail.com>
Sent: Wednesday, November 1, 2023 2:28 PM
To: users@activemq.apache.org
Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ

Hi Raymond—

This is good info— can you make a JIRA with it?

Thanks!
Matt Pavlovich

> On Nov 1, 2023, at 1:58 PM, ski n <raymondmees...@gmail.com> wrote:
>
> What I know from my time as a consultant is that it often goes like this.
>
> The company:
>
> 1. Requirement 1: We need secure authentication.
> 2. Requirement 2: We need to comply with standards.
> 3. Requirement 3: We need a technology-neutral way to authenticate.
>
> The architects:
>
> The conclusion is that OAuth is the standard way to authenticate, so
> every software component (application, API, middleware) in the
> enterprise must follow it.
>
> How much sense it makes for each use case, that there are other
> protocols (Kerberos, SAML, JAAS), that it may impact performance, that
> it is only used internally, that OAuth has different workflows, that
> it can complicate things and slow things down, it doesn't matter. I'm
> not that familiar with JAAS, but if you bring this up to the
> architects, they're probably going to say something like, "I don't
> know JAAS. O, is it Java, then certainly not technology neutral and
> secure. We were clear that OAuth is the enterprise standard".
>
> I'm not saying that's right, but this is often how it goes.
>
> Raymond
>
> On Wed, Nov 1, 2023 at 7:04 PM SCOTT FIELDS
> <scott.fie...@kyndryl.com.invalid> wrote:
>
>> FYI, I'm awaiting the technical details from the AMQ admins on our
>> side regarding the client use cases involved.
>>
>> -----Original Message-----
>> From: Justin Bertram <jbert...@apache.org>
>> Sent: Wednesday, November 1, 2023 12:45 PM
>> To: users@activemq.apache.org
>> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>>
>> Can anybody clarify the use-case for this? What messaging protocols
>> are in view here? I'd love to understand more. Thanks!
>>
>> Justin
>>
>> On Wed, Nov 1, 2023 at 12:27 PM Matt Pavlovich <mattr...@gmail.com> wrote:
>>
>>> Hi Scott-
>>>
>>> Got it, makes sense. Please open a JIRA for the request:
>>> INVALID URI REMOVED
>>> _jira_
>>>
>>> We’ll be doing roadmap and planning for the next round of release
>>> once 6.0.0 is out.
>>>
>>> Thanks,
>>> Matt Pavlovich
>>>
>>>> On Oct 31, 2023, at 4:22 PM, SCOTT FIELDS
>>>> <scott.fie...@kyndryl.com.INVALID> wrote:
>>>>
>>>> Yes, using certificate based authentication/authorization is a
>>>> secondary approved method if OIDC isn't supported for this customer.
>>>>
>>>> But...I wanted to pursue the OIDC mechanism, since that's the
>>>> customer's primary solution.
>>>>
>>>> -----Original Message-----
>>>> From: Matt Pavlovich <mattr...@gmail.com>
>>>> Sent: Tuesday, October 31, 2023 3:19 PM
>>>> To: users@activemq.apache.org
>>>> Subject: [EXTERNAL] Re: Native Oauth/OIDC integration in ActiveMQ
>>>>
>>>> Hi Scott-
>>>>
>>>> There is interest in adding this to Apache ActiveMQ. A DRAFT PR was
>>>> started using JWT:
>>>>
>>>> INVALID URI REMOVED
>>>> he_activemq_pull_1035
>>>>
>>>> In general, using OAuth/OIDC may not be desirable as having
>>>> background threads refreshing tokens can have negative side effects.
>>>> The OAuth2 "AppAuth pattern" is something else to look into.
>>>>
>>>> Have you considered two-way SSL authentication? Stronger security,
>>>> with expiry and revocation support.
>>>>
>>>> Thanks,
>>>> Matt Pavlovich
>>>>
>>>>> On Oct 31, 2023, at 2:17 PM, SCOTT FIELDS
>>>>> <scott.fie...@kyndryl.com.INVALID> wrote:
>>>>>
>>>>> To my knowledge, there is no native ActiveMQ integration for
>>>>> Authorization/Authentication via Oauth/OIDC.
>>>>>
>>>>> Is there any plan, if not, to include this, besides requiring an
>>>>> external JAAS method provided either by an external vendor or
>>>>> require a custom coding front-end from the end-use provider?
>>>>>
>>>>> If not, what's the best way to request this?
>>>>>
>>>>> Scott Fields
>>>>> Kyndryl
>>>>> Senior Lead SRE - BNSF
>>>>> 817-593-5038 (BNSF)
>>>>> scott.fie...@kyndryl.com
>>>>> scott.fie...@bnsf.com