Dear qpid developers, I have a question regarding a setup I have running, to test out link-routing. The topology looks as follows (simplified), where ZoneA is Azure and ZoneB is AWS:
Edge Router (Zone A) → Mesh Router (Zone A) → Mesh Router (Zone B) → Edge Router (Zone B) à Edge Broker (Zone B) The meshes of Zone A and Zone B are connected via a connector over port 443 using the route-container role. In the setup I want to consume by connecting a client to Edge Router (Zone A). The address I connect to is on Broker (Zone B). I have set up a linkroute to this address and can successfully consume messages in this way. *However:*I was under the impression that the SASL authentication would be passed-through from where you establish the link (Edge Router Zone A), all the way through to the ultimate broker you connect with. I hoped that the SASL credentials you passed in to Edge Router (Zone A) would travel all the way to Edge Broker (Zone B) so that at this final station (Edge Broker Zone B) we could let the initial consumer authenticate and the broker could (de)-authorize the request to setup the link. However, when I look at the connection in the broker console when setting up such a link route, the broker sees the edge router (zone B) as *his client* and not the original consumer. *The Question* Is there a way to pass the authentication of the initial consumer all the way through the link-route down to the end-station? This could be either username/password or something like an OAuth token or so. The point for us is that we would want a way to authenticate/authorize the consumer at the source of the data (Broker zone B) rather than at the gate (Edge Router Zone A). Would be valuable to hear your perspective/take on this. Thanks a lot for your time. Kind regards, André van der Heijden
