Does Qpid cpp client support authentication with XOAUTH2 SASL mechanism ?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Does Qpid cpp client support authentication with XOAUTH2 SASL mechanism ?

Oleksandr Rudyy
Hi folks,

I tried to authenticate a qpid-cpp client using XOAUTH2 SASL mechanism
agains Qpid Broker-J but it did not work for me.

I assumed that cyrus-sasl-xoauth2 (
https://github.com/moriyoshi/cyrus-sasl-xoauth2.git) might work with
qpid-cpp client as its SASL layer is built on top of cyrus-sals.

Thus, I built cyrus-sasl-xoauth2 from sources and installed it on my fedora
33 into /usr/lib/sasl2.

I tried to run client example hello_world using

export QPID_SSL_CERT_DB=sql:./nssdb
export LD_LIBRARY_PATH=/usr/lib/sasl2:.
export QPID_LOG_ENABLE="trace+"

./examples/messaging/hello_world localhost:5671 'test;{create:always}'
'{username:<user id>,password:<access_token>,transport:ssl}'

In the above, i specified my id and access token under <user id> and
<access_token> respectively.

An authentication had failed for me with the following trace logs:

2020-12-29 19:24:45 [Security] debug SslConnector created for 0-10
2020-12-29 19:24:45 [System] info Connecting: 192.168.1.102:5671
2020-12-29 19:24:45 [Client] debug RECV [[192.168.1.102:desktop:5671]]:
INIT(0-10)
2020-12-29 19:24:45 [Security] trace RECV [[192.168.1.102:desktop:5671]]:
Frame[BEbe; channel=0; {ConnectionStartBody:
server-properties={product:V2:7:str16(unknown),qpid.build:V2:7:str16(unknown),qpid.features:[{V2:17:str16(qpid.jms-selector)}]list([{V2:17:str16(qpid.jms-selector)}]),qpid.federation_tag:V2:36:str16(d00c463d-05b4-4f9b-9926-03229b53c8b9),qpid.instance_name:V2:6:str16(Broker),qpid.message_compression_supported:V2:4:str16(true),qpid.queue_lifetime_supported:V2:4:str16(true),qpid.virtualhost_properties_supported:V2:4:str16(true),version:V2:14:str16(9.0.0-SNAPSHOT)};
mechanisms=str16{V2:7:str16(XOAUTH2)}; locales=str16{V2:5:str16(en_US)}; }]
2020-12-29 19:24:45 [Security] debug CyrusSasl::start(XOAUTH2)
2020-12-29 19:24:45 [Security] debug external SSF detected and set to 128
2020-12-29 19:24:45 [Security] debug min_ssf: 0, max_ssf: 256
2020-12-29 19:24:45 [System] debug Exception constructed: Can't
authenticate using XOAUTH2
2020-12-29 19:24:45 [Client] warning Closing connection due to Can't
authenticate using XOAUTH2
2020-12-29 19:24:45 [Security] trace SENT [[192.168.1.102:desktop:5671]]:
Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=501;
reply-text=Can't authenticate using XOAUTH2; }]
2020-12-29 19:24:45 [Security] trace RECV [[192.168.1.102:desktop:5671]]:
Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
2020-12-29 19:24:45 [System] debug Exception constructed: Can't
authenticate using XOAUTH2

It seems that XOAUTH2 SASL authentication might not be supported, unless I
am doing something wrong...

Is there any way to make XOAUTH2 authentication working with a qpid-cpp
client?

Kind Regards,
Alex
Reply | Threaded
Open this post in threaded view
|

Re: Does Qpid cpp client support authentication with XOAUTH2 SASL mechanism ?

Oleksandr Rudyy
Hi all,

I made xouth2 authentication working with the cyrus plugin
"cyrus-sasl-xoauth2".

I am not sure what exactly went wrong when I built and installed
cyrus-sasl-xoauth2 using default settings.
After re-building the cyrus-sasl-xoauth2 plugin as shown below and
registering the built libraries in /etc/ld.so.conf,
the OAUTH2 authentication started working for me. I was able to use the
Qpid cpp client for sending and receiving messages against Qpid Broker-J
using OAUTH2 authentication.

My built commands (on fedora 33)
./configure --prefix=/usr --libdir=/usr/lib64
--with-plugindir=/usr/lib64/sasl2
sed -i 's%pkglibdir = ${CYRUS_SASL_PREFIX}/lib/sasl2%pkglibdir =
${CYRUS_SASL_PREFIX}/lib64/sasl2%' Makefile
make
sudo make install

Kind Regards,
Alex

On Tue, 29 Dec 2020 at 19:32, Oleksandr Rudyy <[hidden email]> wrote:

> Hi folks,
>
> I tried to authenticate a qpid-cpp client using XOAUTH2 SASL mechanism
> agains Qpid Broker-J but it did not work for me.
>
> I assumed that cyrus-sasl-xoauth2 (
> https://github.com/moriyoshi/cyrus-sasl-xoauth2.git) might work with
> qpid-cpp client as its SASL layer is built on top of cyrus-sals.
>
> Thus, I built cyrus-sasl-xoauth2 from sources and installed it on my
> fedora 33 into /usr/lib/sasl2.
>
> I tried to run client example hello_world using
>
> export QPID_SSL_CERT_DB=sql:./nssdb
> export LD_LIBRARY_PATH=/usr/lib/sasl2:.
> export QPID_LOG_ENABLE="trace+"
>
> ./examples/messaging/hello_world localhost:5671 'test;{create:always}'
> '{username:<user id>,password:<access_token>,transport:ssl}'
>
> In the above, i specified my id and access token under <user id> and
> <access_token> respectively.
>
> An authentication had failed for me with the following trace logs:
>
> 2020-12-29 19:24:45 [Security] debug SslConnector created for 0-10
> 2020-12-29 19:24:45 [System] info Connecting: 192.168.1.102:5671
> 2020-12-29 19:24:45 [Client] debug RECV [[192.168.1.102:desktop:5671]]:
> INIT(0-10)
> 2020-12-29 19:24:45 [Security] trace RECV [[192.168.1.102:desktop:5671]]:
> Frame[BEbe; channel=0; {ConnectionStartBody:
> server-properties={product:V2:7:str16(unknown),qpid.build:V2:7:str16(unknown),qpid.features:[{V2:17:str16(qpid.jms-selector)}]list([{V2:17:str16(qpid.jms-selector)}]),qpid.federation_tag:V2:36:str16(d00c463d-05b4-4f9b-9926-03229b53c8b9),qpid.instance_name:V2:6:str16(Broker),qpid.message_compression_supported:V2:4:str16(true),qpid.queue_lifetime_supported:V2:4:str16(true),qpid.virtualhost_properties_supported:V2:4:str16(true),version:V2:14:str16(9.0.0-SNAPSHOT)};
> mechanisms=str16{V2:7:str16(XOAUTH2)}; locales=str16{V2:5:str16(en_US)}; }]
> 2020-12-29 19:24:45 [Security] debug CyrusSasl::start(XOAUTH2)
> 2020-12-29 19:24:45 [Security] debug external SSF detected and set to 128
> 2020-12-29 19:24:45 [Security] debug min_ssf: 0, max_ssf: 256
> 2020-12-29 19:24:45 [System] debug Exception constructed: Can't
> authenticate using XOAUTH2
> 2020-12-29 19:24:45 [Client] warning Closing connection due to Can't
> authenticate using XOAUTH2
> 2020-12-29 19:24:45 [Security] trace SENT [[192.168.1.102:desktop:5671]]:
> Frame[BEbe; channel=0; {ConnectionCloseBody: reply-code=501;
> reply-text=Can't authenticate using XOAUTH2; }]
> 2020-12-29 19:24:45 [Security] trace RECV [[192.168.1.102:desktop:5671]]:
> Frame[BEbe; channel=0; {ConnectionCloseOkBody: }]
> 2020-12-29 19:24:45 [System] debug Exception constructed: Can't
> authenticate using XOAUTH2
>
> It seems that XOAUTH2 SASL authentication might not be supported, unless I
> am doing something wrong...
>
> Is there any way to make XOAUTH2 authentication working with a qpid-cpp
> client?
>
> Kind Regards,
> Alex
>
>