
feat(#1737): Add OAuth2 JWT authentication support via JAAS LoginModule#1738

Open
jbonofre wants to merge 4 commits into apache:main from jbonofre:gh-1737

Conversation

@jbonofre
Member

@jbonofre jbonofre commented Mar 8, 2026

Add OAuth2LoginModule to activemq-jaas that validates JWT access tokens using JWKS endpoint for signature verification.

Clients pass the JWT as the password field, and claims are mapped to UserPrincipal/GroupPrincipal for seamless integration with the existing JaasAuthenticationPlugin.

…inModule

Add OAuth2LoginModule to activemq-jaas that validates JWT access tokens
using JWKS endpoint for signature verification. Clients pass the JWT as
the password field, and claims are mapped to UserPrincipal/GroupPrincipal
for seamless integration with the existing JaasAuthenticationPlugin.
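The flow the description outlines (JWT arrives in the password field, signature checked against a JWKS endpoint, claims mapped to UserPrincipal/GroupPrincipal) as an added illustration in the form of a JAAS LoginModule. This is not the PR's OAuth2LoginModule and not ActiveMQ project code; it uses nimbus-jose-jwt, the dependency the thread refers to, and the option names (jwksUrl, issuer, audience, rolesClaim), the class name JwksJwtLoginModule and the choice of RS256 are assumptions made for the example.

```java
// Added example, not the PR's OAuth2LoginModule: a JAAS LoginModule that treats
// the password callback value as a bearer JWT, verifies it against a JWKS
// endpoint with nimbus-jose-jwt, and maps claims to ActiveMQ principals.
// Option names, claim names and the RS256 pin are assumptions for this example.
package example;

import java.io.IOException;
import java.net.URL;
import java.security.Principal;
import java.text.ParseException;
import java.util.*;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.source.JWKSource;
import com.nimbusds.jose.jwk.source.RemoteJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.apache.activemq.jaas.GroupPrincipal;
import org.apache.activemq.jaas.UserPrincipal;

public class JwksJwtLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private DefaultJWTProcessor<SecurityContext> processor;
    private String rolesClaim;
    private final Set<Principal> principals = new HashSet<>();
    private JWTClaimsSet claims;

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.handler = handler;
        this.rolesClaim = (String) options.getOrDefault("rolesClaim", "roles");  // assumed option
        try {
            JWKSource<SecurityContext> keys =
                    new RemoteJWKSet<>(new URL((String) options.get("jwksUrl")));  // assumed option
            processor = new DefaultJWTProcessor<>();
            // Pin the signature algorithm: the key selector only ever returns JWKS keys
            // for RS256, so an HS256 or alg=none token can never verify against the JWKS.
            processor.setJWSKeySelector(new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, keys));
            // Require a specific audience and issuer and a present sub/exp; the default
            // verifier also rejects expired (exp) and not-yet-valid (nbf) tokens.
            processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                    (String) options.get("audience"),                                   // assumed option
                    new JWTClaimsSet.Builder().issuer((String) options.get("issuer")).build(),  // assumed
                    new HashSet<>(Arrays.asList("sub", "exp"))));
        } catch (IOException e) {
            throw new IllegalArgumentException("invalid jwksUrl option", e);
        }
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("user");
        PasswordCallback pw = new PasswordCallback("token", false);
        try {
            handler.handle(new Callback[]{name, pw});
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException("callback failed: " + e.getMessage());
        }
        char[] token = pw.getPassword();
        if (token == null || token.length == 0) throw new LoginException("no token supplied");
        try {
            // Signature, alg pin, issuer, audience and exp/nbf are all enforced here.
            // The client-supplied user name is ignored: identity comes from the verified sub.
            claims = processor.process(new String(token), null);
        } catch (Exception e) {
            throw new LoginException("token rejected: " + e.getMessage());
        } finally {
            pw.clearPassword();
        }
        return true;
    }

    @Override
    public boolean commit() throws LoginException {
        if (claims == null) return false;
        principals.add(new UserPrincipal(claims.getSubject()));
        List<String> roles;
        try {
            roles = claims.getStringListClaim(rolesClaim);  // e.g. "roles": ["admins","users"]
        } catch (ParseException e) {
            throw new LoginException("roles claim is not a string array");
        }
        if (roles != null) for (String r : roles) principals.add(new GroupPrincipal(r));
        subject.getPrincipals().addAll(principals);
        return true;
    }

    @Override public boolean abort()  { claims = null; principals.clear(); return true; }
    @Override public boolean logout() { subject.getPrincipals().removeAll(principals); principals.clear(); return true; }
}
```

The two checks a reviewer would look for are both in initialize(): the verification key selector is pinned to one asymmetric algorithm so the token's own alg header cannot downgrade verification, and the claims verifier requires an exact issuer and an expected audience rather than accepting any well-signed token from the JWKS. RemoteJWKSet caches keys and refetches on an unknown kid; newer nimbus releases expose the same behaviour through JWKSourceBuilder.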
@jbonofre jbonofre requested a review from jeanouii March 8, 2026 08:04
@jbonofre
Member Author

jbonofre commented Mar 8, 2026

NB: this is a better approach imho to what I did initially in #1035 (with the same goal).

@jbonofre
Member Author

jbonofre commented Mar 8, 2026

The test failure is related to #1741

Contributor

@jeanouii jeanouii left a comment


Some small details, nothing important.

jeanouii previously approved these changes Mar 9, 2026
Contributor

@jeanouii jeanouii left a comment


LGTM

@mattrpav
Contributor

-1 on merging this as part of the activemq-jaas module. This drags in a 3rd-party dependency to all deployments -- I think this should go into an activemq-jaas-oauth2 module.

@mattrpav mattrpav self-requested a review March 11, 2026 01:27
Contributor

@mattrpav mattrpav left a comment


I think this should go into a separate module and get deployed into an extras folder (with the 3rd-party dependency) instead of installed into the classpath by default for every running broker.

@jbonofre
Member Author

> I think this should go into a separate module and get deployed into an extras folder (with the 3rd-party dependency) instead of installed into the classpath by default for every running broker.

@mattrpav what is the concern about the Nimbus dependency in the JAAS module?

At the end, regarding the ActiveMQ distribution, it will be a dependency like another (like Jetty or Rome for instance).

Your concern is about the "embedded" ActiveMQ service in application (BrokerService) ?

@jeanouii
Contributor

jeanouii commented Mar 11, 2026

@mattrpav Using LinkedHashSet is a nice to have but not strictly required per spec. Actually Subject.getPrincipals() returns a Set, that's it. The rest is platform dependent. Our JaasAuthenticationBroker for instance gets all the principals and then iterates until it finds an instance of UserPrincipal.
The other login modules all rely on HashSet, so it is now inconsistent with other ActiveMQ LoginModule.

On the dependency, it will be in the final zip anyways, so until it becomes a problem, I'd prefer to keep it in activemq-jaas instead of creating another module for one class only. It is both simpler for us and for our users that don't have to know they need another module to use oauth2 tokens. We could go like this and if it's a problem split later on.
Jasypt is there as optional as well, so it's similar here. It won't be pulled as transitive dependency.
On the other hand, we have a full independent shiro module. Both are valid, Shiro has much more code, so that's understandable. activemq-jaas-oauth2 definitely makes sense, but it's one class for now so splitting now just makes it harder for us.

@jbonofre jbonofre linked an issue Mar 11, 2026 that may be closed by this pull request


Development

Successfully merging this pull request may close these issues.

Add OAuth2 support

3 participants