Hi Stan,
I think you’re on the right track here. In order to connect your client app to Solace via OAuth, you need to create an OAuth Profile, which contains the settings for Solace to be able to connect to Azure and inspect the token you provide.
An OAuth Profile works in two different modes: Client and Resource Server. For OIDC-compatible tokens, Solace recommends using Client mode. Resource Server mode is usually for non-OIDC-compliant JWT tokens, or for when username or group information isn’t present in the token and must be retrieved from an RFC 7662 OAuth 2.0 Token Introspection server. In the case of Azure, you can use Resource Server mode for the access tokens issued by Azure.
Before you are able to connect your application, you need to set up the OAuth profile and OAuth group(s) matching the names of the roles defined in Azure and returned in the token. Let’s say you define a role named “SolaceClient”. The obtained token should then contain a claim like: ... "roles": ["SolaceClient"] ... . You need to create an OAuth Group called SolaceClient, which will be used to map the client app logged in to Solace to that particular OAuth group matching the name of the role.
The OAuth profile you configure should have at least:
“OAuth Client ID”: configured to the client ID you define in Azure to allow Solace broker to validate tokens.
“Issuer Identifier”: obtained from the token “iss” claim (if different from the one provided by the Azure endpoint).
“Discovery Endpoint”: the discovery endpoint provided by the Azure Endpoints page (OpenID connect metadata document).
“Authorization Groups Claim Name”: the claim that maps to the roles in the token. In our example the value should be “roles”.
“Username Claim Name”: a claim from the token which can be used as a username/userId, used for the connection to the Solace broker.
“Required ID Token Type”: the type of the token. For the Azure token, the token header value of “typ” should be “JWT”.
After you set up the OAuth Profile and the OAuth Group(s), you should be able to connect to Solace with your token. The client application should set the authentication scheme to OAuth (AUTHENTICATION_SCHEME_OAUTH2) and set the access token in the session parameter OAUTH2_ACCESS_TOKEN.
Also, make sure the OAuth authentication is enabled on the Solace broker.
Regards,
Victor