I'm writing the frontend to an application that receives live data from a Solace Message Broker. At the moment, both the frontend and the message broker are running in a protected dev environment.
At some point we obviously want to make the application openly available. We have working authentication in the application, but we want the message broker to validate the token sent from the frontend before building a connection and later on subscriptions.
Authentication is done with the angular-auth-oidc-client.
However, the Solace documentation on Configuring OAuth Authorization states that
"Solace PubSub+ event brokers support OAuth authorization only for MQTT clients."
The app uses the solclientjs npm package to communicate with the broker. I have to admit I am not very familiar with all the message protocols that are out there, but I think the package does not use an MQTT connection.
That leaves Kerberos from the list of available client authentication types. Looking at the Kerberos authorization documentation, however, it also says
"Kerberos authentication is not available for Solace Web messaging APIs."
So now I am left wondering how I could validate a token coming in from a client. Here is how an "ideal" flow would look for me:
- User authenticates, app receives a bearer token
- App calls `session.connect()` to build up a connection with the broker, sending the bearer token along
- In the `preConnect` hook (if it were to exist) I could send a request to the STS that issued the token and wait for a response
- If the STS confirms that the token is valid, the message broker confirms the connection and allows subscriptions. Otherwise it denies the connection.
Is there a way to achieve this? Am I maybe horribly misunderstanding something? I do not have much experience with Solace and work only on the frontend, not on the part that manages the broker.
Grateful for any hints.