OAuth 2.0 authentication for solace.cloud REST endpoints?
Hi,
Is it possible to use OAuth 2.0 authentication for solace.cloud REST endpoints (instead of the default basic auth)?
Best Answer
Hello @sjaak,

yes, of course you can do that, please see this description in the docs:

—quote—
For REST producers, requests must include one or more OAuth tokens in the HTTP Authorization header as a bearer token in one of the following forms:

If the OAuth profile is configured with the oauth-role set to resource-server:
    Bearer <access_token>

If the OAuth profile is configured with the oauth-role set to client:
    Bearer <id_token>/<access_token>

Where:

<access_token> is the access token given to the client by the authorization server. For OpenID, the access token is optional and can be omitted if it is not needed.

<id_token> is the OpenID Connect ID token represented as a JWT given to the client by the authorization server.

The maximum header length supported is 8KiB; the maximum ID token or access token size is 4KiB.

The bearer token in the Authorization header must be provided on every request.

In general, the iss claim in the ID token (for OpenID Connect) or access token (for OAuth 2.0), if present, is used by the event broker to identify which OAuth profile to use. A specific OAuth profile can also be selected by adding ~base64(<issuer>)~ to the beginning of the bearer token. Base64 padding should not be used. For example, to use an OAuth profile called solace that has an issuer of https://www.solace.com with an access token:
    Bearer ~aHR0cHM6Ly93d3cuc29sYWNlLmNvbQ~<access_token>

If a profile cannot be identified from the iss claim in the token, and no issuer prefix is provided in the Authorization header, the default profile is used.
—end quote—

To set up OAuth in the broker, I also recommend reading Victor's blog about that topic:
2
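The header format quoted in the answer above, worked through in code: an added example written for this thread, not Solace's own implementation or anything from the linked docs. It builds the `Bearer` value on the client side (with the optional `~base64(<issuer>)~` profile selector, padding stripped), and on the receiving side enforces the 8KiB header / 4KiB token limits, splits the tokens according to the profile's `oauth-role`, and applies the profile-selection order the docs describe (explicit prefix, then the token's `iss` claim, then the default profile). The function names, the sample JWT and the rule that an unknown issuer prefix is rejected are assumptions of this example; the docs do not say what the broker does with an unrecognized prefix.

```python
import base64
import json
from typing import Optional

# Limits quoted from the docs in the answer above.
MAX_HEADER_BYTES = 8 * 1024   # whole Authorization header value
MAX_TOKEN_BYTES = 4 * 1024    # each ID token or access token


def b64_nopad(data: bytes) -> str:
    # Standard base64 with '=' padding stripped, as the docs require.
    # Assumption: standard (not URL-safe) alphabet; the docs' own example is the
    # same in both, since "https://www.solace.com" encodes without '+' or '/'.
    return base64.b64encode(data).decode("ascii").rstrip("=")


def b64_decode_nopad(text: str) -> bytes:
    # Restore padding so the stdlib decoder accepts the unpadded form.
    return base64.b64decode(text + "=" * (-len(text) % 4))


def issuer_prefix(issuer: str) -> str:
    """The ~base64(<issuer>)~ selector that pins a specific OAuth profile."""
    return f"~{b64_nopad(issuer.encode('utf-8'))}~"


def build_authorization_header(access_token: Optional[str] = None,
                               id_token: Optional[str] = None,
                               issuer: Optional[str] = None) -> str:
    """Client side: 'Bearer [~base64(issuer)~]<id_token>[/<access_token>]'.
    resource-server profiles take only the access token; client (OpenID) profiles
    take <id_token>/<access_token>, where the access token may be omitted
    (assumption: omitting it also drops the '/' separator)."""
    if not access_token and not id_token:
        raise ValueError("at least one token is required")
    for tok in (access_token, id_token):
        if tok is not None and len(tok.encode("utf-8")) > MAX_TOKEN_BYTES:
            raise ValueError("token exceeds the 4KiB limit")
    if id_token is not None:
        token = id_token if access_token is None else f"{id_token}/{access_token}"
    else:
        token = access_token
    prefix = issuer_prefix(issuer) if issuer else ""
    value = f"Bearer {prefix}{token}"
    if len(value.encode("utf-8")) > MAX_HEADER_BYTES:
        raise ValueError("Authorization header exceeds the 8KiB limit")
    return value


def unverified_iss_claim(jwt: str) -> Optional[str]:
    """Read 'iss' from a JWT payload WITHOUT verifying the signature. This only
    chooses which profile's keys to verify against; the broker must still verify
    the token against the selected profile before trusting any claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        return None
    try:
        raw = base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))
        payload = json.loads(raw)
    except ValueError:          # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(payload, dict):
        return None
    iss = payload.get("iss")
    return iss if isinstance(iss, str) else None


def parse_authorization_header(value: str, oauth_role: str) -> dict:
    """Broker side: enforce the size limits, strip the issuer prefix, and split
    the tokens according to the profile's oauth-role."""
    if len(value.encode("utf-8")) > MAX_HEADER_BYTES:
        raise ValueError("Authorization header exceeds the 8KiB limit")
    scheme, _, rest = value.partition(" ")
    if scheme != "Bearer" or not rest:
        raise ValueError("expected a Bearer token")
    issuer = None
    if rest.startswith("~"):
        end = rest.find("~", 1)
        if end < 1:
            raise ValueError("unterminated issuer prefix")
        issuer = b64_decode_nopad(rest[1:end]).decode("utf-8")
        rest = rest[end + 1:]
    if oauth_role == "resource-server":
        id_token, access_token = None, rest
    elif oauth_role == "client":
        # JWTs are base64url, so the first '/' separates ID token and access token.
        id_token, _, access_token = rest.partition("/")
        access_token = access_token or None
    else:
        raise ValueError("unknown oauth-role")
    for tok in (id_token, access_token):
        if tok is not None and len(tok.encode("utf-8")) > MAX_TOKEN_BYTES:
            raise ValueError("token exceeds the 4KiB limit")
    return {"issuer_prefix": issuer, "id_token": id_token, "access_token": access_token}


def select_profile(parsed: dict, profiles_by_issuer: dict, default_profile: str) -> str:
    """Selection order from the docs: explicit prefix, then iss claim, then default.
    Assumption: a prefix naming an unknown issuer is rejected rather than defaulted."""
    if parsed["issuer_prefix"] is not None:
        if parsed["issuer_prefix"] not in profiles_by_issuer:
            raise ValueError("no OAuth profile for the requested issuer")
        return profiles_by_issuer[parsed["issuer_prefix"]]
    iss = unverified_iss_claim(parsed["id_token"] or parsed["access_token"])
    return profiles_by_issuer.get(iss, default_profile)


def constructed_jwt(issuer: str) -> str:
    # Constructed, UNSIGNED sample token for the demo only; a real token carries a
    # signature that the broker verifies with the selected profile's keys.
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg({'iss': issuer, 'sub': 'demo'})}.sig-placeholder"
```

Selection by `iss` is deliberately a routing decision only: the claim is read from the unverified payload, so the broker must then verify the token against that profile's keys; a forged `iss` can at most pick a profile, never pass its check.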