Configuring an Event Broker Service to Use OAuth Identity Provider Authorization

You can configure an event broker service to use OAuth to authorize connecting client applications, so that applications and clients can use OAuth authorization protocols when connecting to the event broker service. You use both the Cloud Console and PubSub+ Broker Manager to configure OAuth identity provider authentication for the event broker service. This topic assumes that you are familiar with OAuth and with the configuration of your identity provider.

Enable OAuth authentication for your event broker service with these steps:

  1. Enable OAuth identity provider authorization
  2. Add the default profile to the event broker service

Enabling OAuth Identity Provider Authentication for Event Broker Services

  1. Log in to the PubSub+ Cloud Console if you have not done so yet. The URL to access the Cloud Console differs based on your authentication scheme. For more information, see Logging into the PubSub+ Cloud Console.

  2. Select Cluster Manager and select the event broker service that you want to enable OAuth authentication for.
  3. On the Manage tab for the event broker service, click Authentication.
    Screenshot highlighting the Authentication tile
  4. Click the OAuth Provider Authentication toggle to enable OAuth Provider Authentication for the event broker service.
  5. Click Save and then click OK to confirm.
  6. Click Back to Management.
  7. To verify that OAuth provider authentication is enabled, click Access Control.

    Broker Manager opens in a new browser tab.

  8. On the Settings tab, locate the OAuth Authentication toggle and ensure that it is enabled. You will return to this window later to add the Default Profile Name, as outlined in Adding a Default OAuth Profile to the Event Broker Service.
  9. To add an OAuth profile to the event broker service, click the OAuth Profile tab.

  10. Click + OAuth Profile.
  11. Enter an OAuth Profile Name and click Create.
  12. Enter the appropriate details for the following OAuth profile settings:

    Enabled

    Enables or disables the OAuth profile.

    OAuth Client ID

    The OAuth client ID identifies the client responsible for the OAuth request. Client IDs configured on the event broker service must match the OAuth Client ID.

    OAuth Role

    Select Resource Server if you want the event broker service to handle authenticated requests after the connecting service has obtained an access token.

    Disconnect on Token Expiration

    Enables or disables the disconnection of clients when their token expires. Changing this value does not affect existing clients.

    Issuer Identifier

    Enter the URL for the issuer identifier. This is the verifiable identifier for an issuer.

    This field is required. If it is left incomplete, the profile will be inactive.

    EndPoints

    Leave all the fields in this section in their default state except the following two fields:

    • Introspection Endpoint—If the OAuth Role is Resource Server, the introspection endpoint returns the claims associated with the user identified by the access token. Enter the URL of your OAuth introspection endpoint. Only HTTPS addresses are supported in this field.
    • Introspection Request Timeout—The maximum time in seconds that can pass before the introspection request times out. The field's default value is 1. Solace recommends using a higher value during testing, and then reducing the value until you find an appropriate setting.

    Authorization Group Claims Name

    Enter the <access-level-group-claim-name>. The group claim name is the name of the claim that contains the groups that the event broker uses to authorize the user. Once all appropriate token verification has been performed, the event broker determines the OAuth groups based on the access-level-group-claim-name.

    Username Claim Name

    Enter the <username-claim-name>. The username claim name is the name of the claim containing the username that the event broker verifies. You can configure a custom username-claim-name, which must be a string; for example, an email address. Claims of other types, such as number, boolean, object, or array, are not supported.

    Resource Server

    Toggle the validation requirements on or off depending on your needs. Most of the options in this section apply to JSON Web Tokens rather than to opaque OAuth2 tokens. However, you may need to complete the Required Scope field.

    • Required Scope—Enter a space-separated list of scopes that are required in the scope claim. If this field is left empty, no scope verification is performed.
  13. Click Apply.
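The Resource Server settings above (Issuer Identifier, Introspection Endpoint and its timeout, Username Claim Name, Authorization Group Claims Name, and Required Scope) correspond to the checks a resource server performs on an RFC 7662 token-introspection response. The following Python is an added example that mirrors those semantics so you can see how each field affects the outcome; it is not Solace's implementation. The client_secret field, the endpoint URL, the claim names, and the introspection response are constructed assumptions, and the example applies the rules from the table to any introspection response, not only the one shown.

```python
"""Added illustration of how the OAuth profile settings act on an RFC 7662
introspection response. Not Solace code; all values below are constructed."""
import base64
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse


@dataclass
class OAuthProfile:
    """Subset of the OAuth profile fields from the configuration table."""
    enabled: bool = True
    client_id: str = ""                  # OAuth Client ID
    client_secret: str = ""              # assumed field; not shown on the page
    issuer: str = ""                     # Issuer Identifier (required)
    introspection_endpoint: str = ""     # Introspection Endpoint (HTTPS only)
    introspection_timeout_s: int = 1     # Introspection Request Timeout, default 1
    group_claim_name: str = "groups"     # Authorization Group Claims Name
    username_claim_name: str = "sub"     # Username Claim Name
    required_scope: str = ""             # space-separated; empty = no scope check


def profile_is_active(p: OAuthProfile) -> bool:
    """A profile is inactive when disabled or when the required issuer is missing."""
    return p.enabled and bool(p.issuer.strip())


def build_introspection_request(p: OAuthProfile, token: str) -> dict:
    """Compose the introspection call a resource server makes (RFC 7662).
    The endpoint must be HTTPS, matching the constraint stated in the table."""
    url = urlparse(p.introspection_endpoint)
    if url.scheme != "https" or not url.netloc:
        raise ValueError("introspection endpoint must be an HTTPS URL")
    creds = base64.b64encode(f"{p.client_id}:{p.client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": p.introspection_endpoint,
        "headers": {"Authorization": f"Basic {creds}",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": {"token": token, "token_type_hint": "access_token"},
        "timeout": p.introspection_timeout_s,
    }


@dataclass
class Decision:
    allowed: bool
    reason: str
    username: Optional[str] = None
    groups: list = field(default_factory=list)


def authorize(p: OAuthProfile, introspection: dict) -> Decision:
    """Apply the profile's verification settings to an introspection response."""
    if not profile_is_active(p):
        return Decision(False, "profile inactive")
    if introspection.get("active") is not True:
        return Decision(False, "token not active")
    if introspection.get("iss") != p.issuer:
        return Decision(False, "issuer mismatch")
    # Required Scope: every listed scope must be granted; an empty list skips the check.
    required = set(p.required_scope.split())
    granted = set(str(introspection.get("scope", "")).split())
    if required and not required <= granted:
        return Decision(False, f"missing scope(s): {sorted(required - granted)}")
    # Username Claim Name: the claim must exist and must be a string.
    username = introspection.get(p.username_claim_name)
    if not isinstance(username, str) or not username:
        return Decision(False, f"username claim '{p.username_claim_name}' missing or not a string")
    # Authorization Group Claims Name: groups are read only after the checks above pass.
    raw = introspection.get(p.group_claim_name, [])
    if isinstance(raw, list):
        groups = [g for g in raw if isinstance(g, str)]
    elif isinstance(raw, str):
        groups = [raw]
    else:
        groups = []
    return Decision(True, "ok", username=username, groups=groups)


# Constructed sample profile and introspection response for demonstration.
PROFILE = OAuthProfile(
    client_id="broker-client", client_secret="example-secret",
    issuer="https://idp.example.com/",
    introspection_endpoint="https://idp.example.com/oauth2/introspect",
    introspection_timeout_s=5, group_claim_name="groups",
    username_claim_name="email", required_scope="solace:connect solace:publish")

GOOD_RESPONSE = {
    "active": True, "iss": "https://idp.example.com/",
    "scope": "openid solace:connect solace:publish",
    "email": "alice@example.com", "groups": ["publishers", "admins"],
}

if __name__ == "__main__":
    print(build_introspection_request(PROFILE, "opaque-token-value"))
    print(authorize(PROFILE, GOOD_RESPONSE))
    print(authorize(PROFILE, {**GOOD_RESPONSE, "scope": "openid solace:connect"}))
```

Run with a higher timeout while testing, as the table recommends, then lower it; the scope and username-type branches show why a token can be accepted by the identity provider yet still be rejected by the profile.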

Adding a Default OAuth Profile to the Event Broker Service

After adding the OAuth profile to the event broker service, you can set it to be the default profile.

  1. If you don't have Broker Manager open, in Cluster Manager select the event broker service you have enabled OAuth for and click Open PubSub+ Broker Manager.
  2. Click Access Control.
  3. On the Client Authentication > Settings tab, click Edit.
  4. Click Default Profile Name and select the profile you created from the menu. If you have numerous profiles, you can use the search field to search the list.
  5. Click Apply.
  6. To confirm that the profile is active, click the OAuth Profile tab and then click the name of the OAuth Profile.
  7. Click the Stats tab and then click Details. Yes appears in the Active field when the profile is active.