Many apps authenticating via OAuth

zgl (Member, Posts: 8)
Hi!
I have a scenario where many applications will authenticate to the broker using OAuth, consumers and producers. I managed to authenticate one app but I'm not able to authenticate the others.
I don't want them sharing the same client id and secret, but they share the same issuer identifier (https://oauth-provider-test/oauth/token).

For example, created two oauth profiles:
profile 1 -- client id: x1 / issuer identifier: oauth-provider-test/oauth/token
profile 2 -- client id: x2 / issuer identifier: oauth-provider-test/oauth/token

Two applications.
First app getting oauth token passing the client id x1 and the second app getting token passing client id 2.

The first app is able to connect to Solace. For the second app, the connection is refused.

I've checked the profile 2 status, and in the details tab there's a message:
Active: No - Inactive Reason: Duplicate issuer

I'm not sure what I've done wrong, but the point is that I don't want all my apps sharing the same client id and secret to authenticate in the broker.

How can I solve it?

Thanks and regards,
Guilherme
Answers

  • swenhelge (Member, Employee, Posts: 80, Solace Employee)
    edited August 2023

    Hi,

    If I understand correctly you have created multiple OAuth profiles on the broker?

    You don't need to do that - you only need one OAuth profile per OAuth authorization server (i.e. the server that issues/manages tokens).

    The OAuth profile defines the "Username Claim Name" and "Authorization Groups Claim Name" that tell the broker which information to use to map the appropriate ACL and Client Profile to the incoming connection.

    This blog walks you through the PS+ admin console setup for OAuth - maybe it helps?

    https://solace.com/blog/connect-pubsub-smf-with-oauth-openid-connect/

    (Initial link I posted was outdated)
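
To make the point above concrete, here is an added, constructed Python model (not Solace's code, and not how the broker is implemented) of a per-issuer OAuth profile with a "Username Claim Name" and an "Authorization Groups Claim Name": a second profile for the same issuer stays inactive with "Duplicate issuer", while the single active profile maps tokens from different clients to different usernames. The profile field names and the sample payload are assumptions made for the illustration.

```python
# Constructed, simplified model of the mapping described above (one OAuth profile
# per issuer, username/groups taken from the claims the profile names). It is an
# illustration for this thread, not Solace's implementation.

def build_profiles(profiles):
    """Index profiles by issuer; only the first profile per issuer is active, later
    ones are reported like the broker UI does ('Inactive Reason: Duplicate issuer')."""
    active, inactive = {}, {}
    for p in profiles:
        if p["issuer"] in active:
            inactive[p["name"]] = "Duplicate issuer"
        else:
            active[p["issuer"]] = p
    return active, inactive

def map_identity(payload, active, now):
    """Check a decoded (already signature-verified) payload against the active
    profiles and return the username and groups used for ACL/client-profile lookup."""
    profile = active.get(payload.get("iss"))
    if profile is None:
        return {"ok": False, "reason": "no active profile for issuer"}
    if payload.get("exp", 0) <= now:
        return {"ok": False, "reason": "token expired"}
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    if profile["required_audience"] not in aud:
        return {"ok": False, "reason": "audience mismatch"}
    username = payload.get(profile["username_claim"])
    if not username:
        return {"ok": False, "reason": "username claim %r missing" % profile["username_claim"]}
    return {"ok": True, "username": username,
            "groups": list(payload.get(profile["groups_claim"], []))}

# Constructed profiles: the two from the question share one issuer.
PROFILE_1 = {"name": "profile 1", "issuer": "https://oauth-provider-test/oauth/token",
             "username_claim": "client_id", "groups_claim": "scope", "required_audience": "uaa"}
PROFILE_2 = dict(PROFILE_1, name="profile 2")

# Constructed payload in the shape of the client_credentials token zgl posted later
# in the thread, but for a second app with its own client_id.
SAMPLE_PAYLOAD = {
    "iss": "https://oauth-provider-test/oauth/token",
    "sub": "sb-app-two", "client_id": "sb-app-two", "azp": "sb-app-two",
    "scope": ["uaa.resource"], "aud": ["uaa", "sb-app-two"],
    "iat": 1691768625, "exp": 1691811825,
}
```

With `client_id` as the username claim, each app's own client id becomes its broker username, so no second profile for the same issuer is needed.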

  • zgl (Member, Posts: 8)

    Hi!
    Thanks for your reply. I tried creating two OAuth profiles because I don't want all my apps using the same client id.

    I set up the OAuth role as "client" because I was not able to make "resource-server" work.
    This way, all my apps are required to use the same Client ID; only the secrets are different.

    This is my token header/payload:

    {
      "alg": "RS256",
      "jku": "https://c580d8f1trial.authentication.us10.hana.ondemand.com/token_keys",
      "kid": "default-jwt-key--1909570378",
      "typ": "JWT",
      "jid": "2NtAiUSRbY6BGYkoBMmPFllnJ3uE1fMVDOTmaB3bHI8="
    }

    {
      "jti": "e6bd3d5b42fc4898af1ea9458a9fa88f",
      "ext_attr": {
        "enhancer": "XSUAA",
        "subaccountid": "a0291e34-35fb-46fe-92b6-21bcc0f343a0",
        "zdn": "c580d8f1trial"
      },
      "sub": "sb-aem-broker!b185994",
      "authorities": [
        "uaa.resource"
      ],
      "scope": [
        "uaa.resource"
      ],
      "client_id": "sb-aem-broker!b185994",
      "cid": "sb-aem-broker!b185994",
      "azp": "sb-aem-broker!b185994",
      "grant_type": "client_credentials",
      "rev_sig": "ccab5504",
      "iat": 1691768625,
      "exp": 1691811825,
      "iss": "https://c580d8f1trial.authentication.us10.hana.ondemand.com/oauth/token",
      "zid": "a0291e34-35fb-46fe-92b6-21bcc0f343a0",
      "aud": [
        "uaa",
        "sb-aem-broker!b185994"
      ]
    }

    How can I set up the OAuth profile so that it does not require my apps to use the same username?

    Thanks and regards