[jira] [Commented] (ARTEMIS-5200) OAuth Bearer Token Support

Grzegorz Grzybek (Jira) Thu, 12 Mar 2026 06:14:08 -0700


    [ 
https://issues.apache.org/jira/browse/ARTEMIS-5200?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18065373#comment-18065373
 ]


Grzegorz Grzybek commented on ARTEMIS-5200:
-------------------------------------------

How about using [SASL 
frames|https://docs.oasis-open.org/amqp/core/v1.0/os/amqp-core-security-v1.0-os.html#type-sasl-mechanisms]
 and [OAUTHBEARER|https://datatracker.ietf.org/doc/html/rfc7628#section-3] 
mechanism?
I'll check 
https://docs.oasis-open.org/amqp/amqp-cbs/v1.0/csd01/amqp-cbs-v1.0-csd01.html 
too.


> OAuth Bearer Token Support
> --------------------------
>
>                 Key: ARTEMIS-5200
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-5200
>             Project: Artemis
>          Issue Type: New Feature
>            Reporter: Luís Alves
>            Priority: Major
>
> In line with KAFKA 
> [KIP-768|https://cwiki.apache.org/confluence/pages/viewpage.action?pageId=186877575],
>  Artemis should also provide bearer token support for authN and authZ.
> Motivation is the same as in Kafka. I already use OAuth on many services that 
> have to communicate with the broker, so why don't leverage the [OAuth 2.0 
> client credentials flow|https://oauth.net/2/grant-types/client-credentials/].
> The current integration with Keycloak on the 
> [examples|https://github.com/apache/activemq-artemis-examples/tree/main/examples/features/standard/security-keycloak]
>  is not great in terms of security. We have to give away our credentials to 
> Artemis and it uses them to do a [password 
> grant|oauth.net/2/grant-types/password]. This flow is strongly discouraged.
> I think the major blocker is that Artemis is designed to do authN with a 
> username and a password. I only have experience with the Java client with 
> CORE protocol and I couldn't find any interceptor on the authN process to 
> replace the password field with a fresh token. With some workarounds is 
> possible to make it work, but is not a vanilla and supported solution.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[jira] [Commented] (ARTEMIS-5200) OAuth Bearer Token Support

Reply via email to