[ 
https://issues.apache.org/jira/browse/ARTEMIS-5316?focusedWorklogId=973854&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-973854
 ]

ASF GitHub Bot logged work on ARTEMIS-5316:
-------------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Jul/25 16:09
            Start Date: 08/Jul/25 16:09
    Worklog Time Spent: 10m 
      Work Description: tabish121 commented on code in PR #5822:
URL: https://github.com/apache/activemq-artemis/pull/5822#discussion_r2192919187


##########
tests/integration-tests/src/test/java/org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.java:
##########
@@ -115,6 +117,81 @@ public void testConnectsWithPlain() throws Exception {
       }
    }
 
+   @Test
+   @Timeout(20)
+   public void testConnectsWithXOauth2() throws Exception {
+      try (ProtonTestServer peer = new ProtonTestServer()) {
+         peer.expectSaslXOauth2Connect(USER, PASSWD);
+         peer.expectOpen().respond();
+         peer.expectBegin().respond();
+         peer.start();
+
+         final URI remoteURI = peer.getServerURI();
+         logger.debug("Connect test started, peer listening on: {}", 
remoteURI);
+
+         AMQPBrokerConnectConfiguration amqpConnection =
+             new AMQPBrokerConnectConfiguration(getTestName(), 
"tcp://localhost:" + remoteURI.getPort() + "?saslMechanisms=" + XOAUTH2);
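
Review bot: in `peer.expectSaslXOauth2Connect(USER, PASSWD)` the second argument is the value that the issue description sends as `auth=Bearer <token>`, so the name `PASSWD` suggests a password where the mechanism carries a bearer token. Consider a dedicated token constant for this test, or a short comment stating that the configured password is used as the OAuth2 token, so readers do not take this for a PLAIN-style credential check.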

Review Comment:
   Specifying the XOAUTH2 as the only enabled mech here isn't actually needed 
and the test would pass without it since the test peer is only offering that 
mechanism so the server should naturally pick it from the set of mechanisms it 
supports given there is a user / pass supplied.  You could write a test where 
this tested it picks from a set that offered PLAIN if the server side disabled 
it by scripting the peer as:
   
   ```
            peer.expectSASLHeader().respondWithSASLHeader();
            peer.remoteSaslMechanisms().withMechanisms("PLAIN", "XOAUTH2", "ANONYMOUS").queue();
            peer.expectSaslInit().withMechanism("XOAUTH2").withInitialResponse(peer.saslXOauth2InitialResponse(USER, PASSWD));
            peer.remoteSaslOutcome().withCode(SaslCode.OK).queue();
            peer.expectAMQPHeader().respondWithAMQPHeader();
   ```
   
   This would then test that the server side mechanisms exclusion works and it 
filters out anything but XOAUTH2 when selecting from the offered set.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 973854)
    Time Spent: 3h  (was: 2h 50m)

> Support for SASL XOAUTH2 Mechanism in Broker Connection
> -------------------------------------------------------
>
>                 Key: ARTEMIS-5316
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5316
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>            Reporter: Tomasz Łukasiewicz
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 3h
>  Remaining Estimate: 0h
>
> There is a need to support XOAUTH2 authentication between two AMQP brokers, 
> as the existing mechanisms are not sufficiently secure for certain use cases. 
> Currently, Artemis does not support this authentication method on the client 
> side, and the SaslFactory implementation is both private and final, making it 
> impossible to extend.
> To address this, an XOAuth2SASLMechanism should be implemented within the 
> AMQPBrokerConnection class and integrated into the SaslFactory. The new SASL 
> mechanism should return its name as "XOAUTH2" and include the appropriate 
> authentication headers.
> A working example of this approach has been successfully tested with the 
> Solace broker:
> {code:java}
> @Override
> public byte[] getInitialResponse() {
>    String response = String.format("user=%s\u0001auth=Bearer %s\u0001\u0001", 
> userName, token);
>    return response.getBytes(StandardCharsets.UTF_8);
> }
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
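
The mechanism exclusion described in the review comment and the initial-response format from the issue description, as an added Java example. It is not code from the PR or from Artemis; the class name, method names and preference order are assumptions, and the offers and token are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Optional;
import java.util.Set;

// Added illustration, not Artemis code: class, methods and PREFERENCE are hypothetical.
public class SaslXOauth2Sketch {

   // Assumed client preference order; a real client defines its own.
   static final List<String> PREFERENCE = List.of("XOAUTH2", "PLAIN", "ANONYMOUS");

   /** Returns the first preferred mechanism that the peer offers and the local config enables. */
   static Optional<String> select(List<String> offered, Set<String> enabled) {
      return PREFERENCE.stream()
         .filter(offered::contains)
         .filter(m -> enabled.isEmpty() || enabled.contains(m)) // empty set = no restriction
         .findFirst(); // an empty result must fail the connection, not fall back
   }

   /** Builds the user / bearer-token initial response in the layout the issue description shows. */
   static byte[] initialResponse(String user, String token) {
      // The 0x01 byte separates fields, so it must not occur inside a value:
      // otherwise a crafted user name could append its own key=value field.
      if (user.indexOf('\u0001') >= 0 || token.indexOf('\u0001') >= 0) {
         throw new IllegalArgumentException("control character 0x01 in user or token");
      }
      return ("user=" + user + "\u0001auth=Bearer " + token + "\u0001\u0001")
         .getBytes(StandardCharsets.UTF_8);
   }

   public static void main(String[] args) {
      Set<String> onlyXOauth2 = Set.of("XOAUTH2");               // saslMechanisms=XOAUTH2
      List<String> fullOffer = List.of("PLAIN", "XOAUTH2", "ANONYMOUS");
      List<String> weakOffer = List.of("PLAIN", "ANONYMOUS");    // peer omits XOAUTH2

      System.out.println("full offer, restricted:   " + select(fullOffer, onlyXOauth2));
      System.out.println("weak offer, unrestricted: " + select(weakOffer, Set.of()));
      System.out.println("weak offer, restricted:   " + select(weakOffer, onlyXOauth2));

      byte[] ir = initialResponse("user", "constructed-token");
      System.out.println(new String(ir, StandardCharsets.UTF_8).replace('\u0001', '|'));
      try {
         initialResponse("user\u0001auth=Bearer other", "constructed-token");
      } catch (IllegalArgumentException e) {
         System.out.println("rejected: " + e.getMessage());
      }
   }
}
```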
