The Long-Winded Guide to setting up Amlen: OAuth2

This is a section of a multi-part guide to setting up the Amlen Message Broker. If you want to see the other parts check out the Introduction/Contents.


We’ve previously looked at authenticating client using client certificates and using an LDAP server but let’s have a brief look at a third way: OAuth2 which tends to be used in Web/Mobile use cases rather than traditional IoT.

In OAuth2, before connecting to Amlen, sends credentials to an OAuth2 server and receives a token. It then connects to Amlen using the username IMA_OAUTH_ACCESS_TOKEN and supplies the token as the password. Amlen then verifies this token with the OAuth2 server and is told the username (and optional groups) that the token corresponds to.

OAuth2 allows Amlen to delegate the authentication to the OAuth2 server – it traditionally allows multiple services to have a shared single sign-on infrastructure but you can also view it as like an “authentication plugin” system for Amlen with Amlen communicating to the custom authentication logic over https.

There is a tiny example python OAuth2 server here:
https://github.com/jonquark/messagesight-demos-docker/tree/master/pythonOAuthServer

Because we have already covered LDAP and the setup is very similar I won’t go into detail – but make sure that the security profile that you use has the OAuth2 profile and password authentication turned on.

Next we’ll take a look at some policies in Amlen….but that installment is yet to be published.

Leave a comment

Your email address will not be published.