Configuring OAuth Authorization

Solace PubSub+ event brokers support two different types of OAuth tokens: access_token and id_token. The OAuth standards state that the access_token is required and is opaque data, whereas the id_token is optional and is a JWT. PubSub+ event brokers permit both types of tokens and also allow the access_token to be a JWT.

JWTs can be cryptographically signed. Solace PubSub+ event brokers support JWTs with the alg claim equal to one of: none, RS256, RS384, RS512. If the alg claim has any other value, the token is rejected as invalid. If the header includes a type claim (the type or typ claim in the JWT header), it must identify the payload as a JWT.
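
The alg and typ rules above can be applied as a pre-flight check on a token's header, which also flags tokens that pass the alg rule while carrying no signature (alg equal to none). This is an added example, not Solace code, and it does not verify signatures. The names check_header, make_token and b64url are hypothetical, the sample tokens are constructed, and the exact-match comparison on typ is an assumption.

```python
import base64
import json

ALLOWED_ALGS = {"none", "RS256", "RS384", "RS512"}  # values listed on this page


def b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment (for sample tokens)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def make_token(header, sig=""):
    """Build a constructed compact token; the signature is a dummy string."""
    return ".".join([b64url(header), b64url({"sub": "constructed-user"}), sig])


def check_header(token):
    """Return (acceptable, reason) for a compact JWT under the alg/typ rules."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "not a three-part compact JWT"
    try:
        segment = parts[0] + "=" * (-len(parts[0]) % 4)  # restore padding
        header = json.loads(base64.urlsafe_b64decode(segment))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return False, "header is not base64url-encoded JSON"
    if not isinstance(header, dict):
        return False, "header is not a JSON object"
    alg = header.get("alg")
    if not isinstance(alg, str) or alg not in ALLOWED_ALGS:
        return False, f"alg {alg!r} is not in the supported list"
    # Assumption: the typ check is an exact match on the string "JWT".
    if "typ" in header and header["typ"] != "JWT":
        return False, f"typ {header['typ']!r} does not identify a JWT"
    if alg == "none":
        # Unsecured JWT: no signature protects the claims.
        return True, "passes the alg rule but is unsigned"
    if not parts[2]:
        return False, f"alg {alg} needs a non-empty signature part"
    return True, f"declares {alg}; the signature must still be verified"


if __name__ == "__main__":
    samples = {  # constructed headers, not captured traffic
        "rs256": make_token({"alg": "RS256", "typ": "JWT"}, "ZHVtbXk"),
        "hs256": make_token({"alg": "HS256", "typ": "JWT"}, "ZHVtbXk"),
        "unsigned": make_token({"alg": "none"}),
    }
    for name, tok in samples.items():
        print(name, check_header(tok))
```
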

To implement OAuth authorization for clients connecting to a Solace PubSub+ event broker, the following configurations are required on an event broker:

  1. An OAuth profile must be configured and enabled for OAuth authentication. See Managing Message VPN OAuth Profiles.
  2. The source used to determine the authorization group must be configured. See Authorization Groups Claim Name.
  3. An authorization group must be configured and enabled on the event broker. See Configuring Authorization Groups.