
OAuth 2.0 authentication for solace.cloud REST endpoints?

sjaak
sjaak Member Posts: 109 ✭✭✭

Hi,

Is it possible to use OAuth 2.0 authentication for solace.cloud REST endpoints (instead of the default basic auth)?

Best Answer

  • Markus
    Markus Member, Employee Posts: 7 Solace Employee
    #2 Answer ✓

    Hello @sjaak,

    Yes, of course you can do that; please see this description in the docs (https://docs.solace.com/Security/Client-Authentication-Overview.htm#OAuth):

    —quote—

    For REST producers, requests must include one or more OAuth tokens in the HTTP Authorization header as a bearer token in one of the following forms:

    If the OAuth profile is configured with the oauth-role set to resource-server:

    Bearer <access_token>

    If the OAuth profile is configured with the oauth-role set to client:

    Bearer <id_token>/<access_token>

    Where:

    <access_token> is the access token given to the client by the authorization server. For OpenID, the access token is optional and can be omitted if it is not needed.

    <id_token> is the OpenID Connect ID token represented as a JWT given to the client by the authorization server.

    The maximum header length supported is 8KiB; the maximum ID token or access token size is 4KiB.

    The bearer token in the Authorization header must be provided on every request.

    In general, the iss claim in the ID token (for OpenID Connect) or access token (for OAuth 2.0), if present, is used by the event broker to identify which OAuth profile to use.

    A specific OAuth profile can also be selected by adding ~base64(<issuer>)~ to the beginning of the bearer token. Base64 padding should not be used. For example, to use an OAuth profile called solace that has an issuer of https://www.solace.com with an access token:

    Bearer ~aHR0cHM6Ly93d3cuc29sYWNlLmNvbQ~<access_token>

    If a profile cannot be identified from the iss claim in the token, and no issuer prefix is provided in the Authorization header, the default profile is used.

    —end quote—

    To set up OAuth in the broker, I also recommend reading Victor's blog about that topic: https://solace.com/blog/azure-oauth-setup-for-solace-rest-and-smf-clients/
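The header rules quoted above, turned into a small helper as an added example (this is not code from the answer, the docs or Solace): it builds the `Authorization` value for both `oauth-role` settings, adds the optional unpadded `~base64(<issuer>)~` profile selector, and refuses tokens or headers over the documented 4 KiB / 8 KiB limits before anything is sent. Assumed, not stated in the quote: the standard base64 alphabet (it reproduces the docs' example for https://www.solace.com), and that a client-role request with no access token carries just `Bearer <id_token>` with no trailing slash.

```python
import base64
from typing import Optional

# Limits quoted from the Solace docs in the answer above.
MAX_HEADER_BYTES = 8 * 1024
MAX_TOKEN_BYTES = 4 * 1024


def issuer_prefix(issuer: str) -> str:
    """Return the ~base64(<issuer>)~ profile selector without base64 padding.

    Assumption: standard base64 alphabet; matches the docs' example.
    """
    encoded = base64.b64encode(issuer.encode("utf-8")).decode("ascii")
    return "~" + encoded.rstrip("=") + "~"


def bearer_value(
    access_token: Optional[str] = None,
    id_token: Optional[str] = None,
    oauth_role: str = "resource-server",
    issuer: Optional[str] = None,
) -> str:
    """Build the Authorization header value for a Solace REST producer.

    resource-server role: Bearer <access_token>
    client role:          Bearer <id_token>/<access_token>
    An explicit issuer prepends the ~base64(<issuer>)~ selector.
    """
    for name, tok in (("access_token", access_token), ("id_token", id_token)):
        if tok is not None and len(tok.encode("utf-8")) > MAX_TOKEN_BYTES:
            raise ValueError(f"{name} exceeds {MAX_TOKEN_BYTES} bytes")

    if oauth_role == "resource-server":
        if not access_token:
            raise ValueError("resource-server role requires an access token")
        token = access_token
    elif oauth_role == "client":
        if not id_token:
            raise ValueError("client role requires an ID token")
        # Assumption: with the optional access token omitted, no trailing '/'.
        token = id_token if access_token is None else f"{id_token}/{access_token}"
    else:
        raise ValueError(f"unknown oauth-role: {oauth_role!r}")

    value = f"Bearer {issuer_prefix(issuer) if issuer else ''}{token}"
    if len(value.encode("utf-8")) + len("Authorization: ") > MAX_HEADER_BYTES:
        raise ValueError("Authorization header exceeds 8 KiB")
    return value


def auth_headers(**kwargs) -> dict:
    """Headers to attach to every request; the broker does not cache the token."""
    return {"Authorization": bearer_value(**kwargs)}
```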

Answers

  • sjaak
    sjaak Member Posts: 109 ✭✭✭

    Hi @Markus, thanks for the info!