[Proposal][AMQ-9244] Add proposal for OAuth 2.0

[kenliao94]

Design proposal for https://issues.apache.org/jira/browse/AMQ-9244

co-author: @LinC0416

[jbonofre]

Did you see my first PR about that: #1035 ?

[mattrpav]

I think we need a pluggable sub-module to support provider-specifics of this. There is a lack of consistency in form fields and providers vary on what login types and flows they support.

Example: OIDCProvider

• createRequest( .. ) // delegate the creation of the HTTP request
• processResponse( .. ) // delegate the response parsing

A DefaultOIDCProvider can ship, but also allow for simple injection of custom handling or provider-specific handler.

I think we can share the HTTP client handling and most of the JWT parsing between providers. I suggest JDK http client and HYTE can donate a JWT unmarshaller.

Outstanding: Logout flow needs to be addressed.

[kenliao94]

I think we need a pluggable sub-module to support provider-specifics of this. There is a lack of consistency in form fields and providers vary on what login types and flows they support.

Example: OIDCProvider

* createRequest( .. ) // delegate the creation of the HTTP request

* processResponse( .. ) // delegate the response parsing

A DefaultOIDCProvider can ship, but also allow for simple injection of custom handling or provider-specific handler.

I think we can share the HTTP client handling and most of the JWT parsing between providers. I suggest JDK http client and HYTE can donate a JWT unmarshaller.

Outstanding: Logout flow needs to be addressed.

Thanks @mattrpav will address the logout flow and incorporate the feedback of a pluggable sub-module

[kenliao94]

Did you see my first PR about that: #1035 ?

Yes @jbonofre this design doc and prototyping referenced your PR. However, do you see any implementation in this design doc that goes against your vision? From #1035 (comment) seems like that PR is not ready yet.