Configuring OAuth Authorization

Solace PubSub+ event brokers support two different types of OAuth tokens: access_token and id_token. The OAuth standards state that the access_token is required and is opaque data, while the id_token is optional and is a JSON Web Token (JWT). PubSub+ event brokers permit both types of tokens and also allow the access_token to be a JWT.

JWTs can be cryptographically signed. PubSub+ event brokers support JWTs with the alg claim (a header parameter value) equal to: none, RS256, RS384, RS512, ES256, ES384, ES512. If the alg claim is anything else, the token is rejected as invalid. If the header includes a type claim, it must identify the payload as JWT (this corresponds to the type or typ claim in the JWT header).
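A pre-flight check of a token's header against the rules above, as an added example that is not Solace code: the names check_jwt_header and _sample, and the exact-match comparison of typ to "JWT", are assumptions. It inspects the header only, does not verify signatures, and reports alg none tokens as accepted but unsigned so they can be flagged on the issuing side.

```python
import base64
import json

# Accepted alg values as listed on this page; "none" means the token carries no signature.
ACCEPTED_ALGS = {"none", "RS256", "RS384", "RS512", "ES256", "ES384", "ES512"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_jwt_header(token: str) -> dict:
    """Hypothetical helper: would this token's header pass the alg/typ rules above?"""
    result = {"accepted": False, "signed": False, "alg": None, "reason": ""}
    parts = token.split(".")
    if len(parts) != 3:
        result["reason"] = "not a compact JWT (expected 3 dot-separated segments)"
        return result
    try:
        header = json.loads(_b64url_decode(parts[0]))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        result["reason"] = "header is not base64url-encoded JSON"
        return result
    alg = header.get("alg") if isinstance(header, dict) else None
    result["alg"] = alg
    if not isinstance(alg, str) or alg not in ACCEPTED_ALGS:
        result["reason"] = f"alg {alg!r} is not in the accepted list"
        return result
    # Assumption: exact match on "JWT"; the page only says typ must identify a JWT.
    if "typ" in header and header["typ"] != "JWT":
        result["reason"] = f"typ {header['typ']!r} does not identify a JWT"
        return result
    result.update(accepted=True, signed=alg != "none")
    result["reason"] = "ok" if result["signed"] else "accepted, but unsigned (alg none)"
    return result


def _sample(header: dict) -> str:
    # Constructed sample token: placeholder payload and signature, never verified here.
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"sub":"demo"}'), "c2ln"])


if __name__ == "__main__":
    for hdr in ({"alg": "RS256", "typ": "JWT"}, {"alg": "HS256"}, {"alg": "none"}):
        print(hdr, "->", check_jwt_header(_sample(hdr))["reason"])
```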

To implement OAuth authorization for clients connecting to a PubSub+ event broker, the following configurations are required on the event broker:

  1. An OAuth profile must be configured and enabled for OAuth authentication. See Managing Message VPN OAuth Profiles.
  2. The source used to determine the authorization group must be configured. See Authorization Groups Claim.
  3. An authorization group must be configured and enabled on the event broker. See Configuring Authorization Groups.