Authentication Using OAuth 2.0

TIBCO EMS supports authentication of client connections via OAuth 2.0.

When connecting to an EMS server configured with OAuth 2.0 authentication, an EMS client must authenticate itself to the server by presenting an access token issued by an OAuth 2.0 authorization server. This access token must be a signed JSON Web Token (JWT) that includes a claim naming the EMS user the client identifies itself as to the server (see Users) and, optionally, another claim containing the list of groups that user belongs to (see Groups).

The EMS server validates the access token’s signature and claims and accepts or rejects the connection request accordingly. If this authentication process is successful, the EMS client will be allowed to connect as the EMS user specified in the access token. The server will enact access control for the client connection based on the permissions defined in the acl.conf file (and the Extensible Security permissions module, if applicable).
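The validation sequence described above (signature first, then claims), shown as an added self-contained example; this is illustrative code, not TIBCO EMS's own implementation. It assumes an HS256 shared secret to stay dependency-free (real deployments normally use asymmetric keys) and assumes the claim names `sub` for the user and `groups` for the group list, which this page does not specify.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secret shared by the issuer and the verifier (assumption).
SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(user, groups, ttl=300, secret=SECRET, now=None):
    """Stand-in for the authorization server: issue a signed HS256 JWT."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user, "groups": groups, "exp": int(now) + ttl}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def validate_token(token, secret=SECRET, now=None):
    """Stand-in for the server-side check: verify the signature before trusting
    any claim, then check expiry and extract (user, groups). Raises ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    # Pin the expected algorithm; never let the token choose (rejects alg=none).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    user = claims.get("sub")
    if not user:
        raise ValueError("missing user claim")
    return user, list(claims.get("groups", []))
```

A forged payload spliced onto a valid signature, an expired token, or a token that omits the user claim are all rejected before any connection would be accepted.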

In order for an OAuth 2.0 authorization server to issue an access token with the expected claims, the relevant EMS user and group information must be made available to it. Depending on your OAuth 2.0 provider, there may be a number of options available for achieving this. For example, you may be able to define EMS users and groups directly in your provider, or you may be able to integrate your provider with an external authentication service such as LDAP. Refer to your OAuth 2.0 provider’s documentation for instructions.