Client Authorization Overview

If a client connection to a Message VPN is successfully authenticated, access to the event broker resources and messaging capabilities within that Message VPN must be authorized for the client.

For a client to be authorized, it must provide the host event broker with a client username that matches one that is provisioned on the Message VPN to which the connection has been made. (These client usernames can either be provided by the connected client or be automatically generated for the client based on an LDAP group that it is a member of.) If the client provides a valid client username and password, the client’s connection is authorized.

Once authorized, the following two types of profiles that are assigned to the provisioned client username are then used to provide the client with its access permissions and messaging capabilities:

  • Access Control List (ACL) profiles
  • ACL profiles define whether the client is permitted to connect to the Message VPN, and, if it is, permissions are assigned to the client that set whether it can publish messages to topics and whether it can subscribe to topics. They also set whether its publish and subscribe rights are limited to an explicit range of topics. For more information, refer to Controlling Client Access with ACL Profiles.

  • Client profiles
  • Client profiles are sets of common configuration parameters that can be applied to groups of clients, which allows consistent configurations to be readily defined for many clients. For more information, refer to Configuring Clients with Client Profiles.

The following figure shows the basic process for authorizing an authenticated client according to the authorization properties assigned to a client username provisioned on the Message VPN.

Authorization Process Using Provisioned Client Usernames

Client Authentication With Client Usernames

Authorizing Clients Through the Internal Database

When internal authorization is used, rather than LDAP group authorization, client usernames provisioned on the Message VPN will determine a client’s authorization. If the client provides a client username that matches a client username provisioned in the Message VPN that the client has connected to, the client and ACL profiles configured for that client username are applied to the client. If the client does not provide a client username, the event broker will attempt to apply the client username named default and the client and ACL profiles configured for that client username.

Internal authorization is the default authorization mode for Message VPNs.

:  The default client username account always exists on the event broker and cannot be deleted. However, by default, this account is not enabled.

After the client is bound to a client username account in the specified Message VPN, the event broker checks whether that client username account is enabled or not. If the client username account is not enabled, the client is disconnected. (The response “403 Client Username Is Shutdown” is sent before disconnecting.)

If the bound client username account is enabled, the client is then created with the properties of the client profile and ACL profile configured for the bound client username account object.

Not all authorization methods can be used with all authentication methods. For more information, see Authentication and Authorization Method Compatibility.

Related Provisioning and Configuration Information

Authorizing Clients Through LDAP Groups

Clients can also receive their authorizations based on whether they belong to specific LDAP authorization groups. Using LDAP authorization groups to authorize clients can assist network administrators that deal with large numbers of clients, especially when those clients are already configured in a corporate server, and churn frequently as employees join and leave an organization.

When LDAP authorization is enabled for the Message VPN that an authenticated client is attempting to connect to, an LDAP attribute (typically MEMBEROF) is retrieved for the client, and an LDAP lookup is made to an external LDAP server to determine the LDAP groups that the client belongs to.

Any LDAP groups that the lookup returns are compared against the LDAP authorization groups configured on the event broker, and the client is assigned a matching enabled authorization group that has the highest priority.

:  The maximum number of authorization groups that may be retrieved for a client from an external LDAP server is 128. The client will not be authorized if more authorization groups are returned.

A client username is then automatically generated for the client, and the client and ACL profiles configured for the matching group are applied to the client username that the client is bound to. These profiles provide the client with its authorizations.

Not all authorization methods can be used with all authentication methods. For more information, see Authentication and Authorization Method Compatibility.

The following figure shows the basic process for authorizing an authenticated client that belongs to a configured LDAP authorization group.

Authorization Process Using LDAP Groups

Authorization Process Using LDAP Groups

Related Provisioning and Configuration Information

Authorizing Clients Through OAuth

Clients that login using an OAuth token can also receive their authorizations based on whether they belong to specific LDAP authorization groups.

When OAuth authorization is enabled for a Message VPN that an authenticated client is attempting to connect to, the event broker extracts authorization groups from the provided OAuth token or the token introspection result. The event broker then compares the extracted groups with authorization groups configured on the event broker as if they were returned from an LDAP lookup. Once the client's authorization group is determined, the client profile and ACL profile configured for the group are applied to the client. These profiles provide the client with its authorizations.

Not all authorization methods can be used with all authentication methods. For more information, see Authentication and Authorization Method Compatibility.

The following figure shows the basic process for authorizing an authenticated client that belongs to a configured LDAP authorization group using OAuth.

Authorization Process Using OAuth

Related Provisioning and Configuration Information

Authentication and Authorization Method Compatibility

PubSub+ event brokers do not support using any authentication method with any authorization method. The following table shows the authentication and authorization methods that can be used together.

  Authorization Method
Authentication Method Internal LDAP OAuth
Internal
LDAP
Radius
Client Certificate
Kerberos
OAuth