Rabbitmq OAuth 2.0 Plugin not working as expected with Azure AD


sirine

Jun 6, 2023, 2:14:46 AM
to rabbitmq-users
I am trying to use OAuth2 on rabbitmq with provider Azure AD (only for the management UI). I am using the docker image rabbitmq:3.11-management.

I have created an SPA app registration on Azure AD with a redirection URL to the management UI home page. I have then created two app roles:

    <client_id>.tag:monitoring
    <client_id>.read:*/*

I have assigned those app roles to myself on Azure AD.

On the rabbitmq side, I have put this configuration:

    auth_backends.1 = rabbitmq_auth_backend_oauth2
    auth_backends.2 = internal
    auth_oauth2.https.peer_verification = verify_none # for now
    auth_oauth2.resource_server_id = <app_registration_client_id>
    auth_oauth2.jwks_url = https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys
    auth_oauth2.default_key = <JWT_key> # I have tried doing this in case of issue with the jwt key, I have chosen a key from the list
    auth_oauth2.additional_scopes_key = roles
    management.oauth_enabled = true
    management.oauth_client_id = <app_registration_client_id>
    management.oauth_client_secret = <app_registration_secret> # not used as I have tried to allow public access on the app registration
    management.oauth_provider_url = https://login.microsoftonline.com/<client_id>

When I connect to the management UI I see the 'Click Here to Login' button as expected with the plugin in use, but when I click it I get a Not Authorized error.

In the rabbitmq logs I have this (in debug mode):

    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>       [{password,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>            <<"eyJ**********8Kw">>}]],
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      []},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,try_authenticate,3,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,86}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,'-check_user_login/2-fun-0-',4,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,51}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,check_user_login,2,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,36}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_mgmt_util,is_authorized,7,[{file,"rabbit_mgmt_util.erl"},{line,280}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,368}]}]
    2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.


I have tried to look at the contents of the JWT token, and I see the claim 'roles' with the roles I have in it...

What am I missing here?

Saifeddine Rajhi

Jun 6, 2023, 3:27:48 AM
to rabbitm...@googlegroups.com
Hello,

Can you please decode your JWT token that was generated by Azure AD using jwt.io?
I can't see extra_scopes_source in your conf.


sirine

Jun 6, 2023, 3:53:52 AM
to rabbitmq-users

Hello,

I don't use scopes here as I am using 'roles' claim.

I have tried to decode the JWT token and I see the roles; here is the full output, or almost:

    acr: "1"
    aio: "AVQAqXXXXXXXXXXXXXXXX"
    appid: "043f5ce4-xxxxxxxx-xxxxxxxxxxxx"
    appidacr: "1"
    aud: "043f5ce4-xxxxxxxx-xxxxxxxxxxx" #client_id
    exp: 1686042273
    family_name: "myLastName"
    given_name: "myName"
    iat: 1686036886
    ipaddr: "<ip_address>"
    iss: "https://sts.windows.net/<tenant>/"
    name: "My Full Name"
    nbf: xxxxxxxxxx
    oid: "107143d2XXXXXXXXXX"
    onprem_sid: "S-XXXXXXXXXXXX"
    rh: "0.xxxxxxxxxxxxxxxxxxx"
    scp: "User.Read"
    sub: "yZAxxxxxxxxxxxxxxxx"
    tid: "<tenant>"
    unique_name: "xxxxxxxxxx"
    upn: "xxxxxxxxx"
    uti: "xxxxxxxxxx"
    ver: "1.0"

Here, as you can see, the audience 'aud' is correct and the roles are the app roles I have on the app registration on Azure AD.
You see there is 'scp', but with my config I'm relying on roles.
Azure Active Directory has been tested as a valid provider for the RabbitMQ OAuth 2.0 plugin by the community, but I'm missing something here...
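The thread revolves around what the plugin does with the token claims once the JWT signature has been validated against the JWKS: the `aud` claim must contain `auth_oauth2.resource_server_id`, and the scopes are read from the claim named by `auth_oauth2.additional_scopes_key` (here `roles`), keeping only entries prefixed with `<resource_server_id>.` and splitting the rest into either `tag:<tag>` or `<configure|read|write>:<vhost>/<resource>`. The following Python script is an added example, not code from the thread or from the RabbitMQ project; it decodes a constructed Azure-shaped token without checking its signature (the plugin, not this script, does that against `jwks_url`) and applies a simplified version of that claim logic so you can see which tags and permissions RabbitMQ would actually derive from your `roles` claim. The resource server id and the other app id below are constructed placeholders.

```python
import base64
import json

# Values as they would appear in rabbitmq.conf. The resource server id is a
# constructed placeholder with the same shape as the Azure app id in the thread.
RESOURCE_SERVER_ID = "043f5ce4-45da-478a-8c74-f7b799859141"  # auth_oauth2.resource_server_id
ADDITIONAL_SCOPES_KEY = "roles"                               # auth_oauth2.additional_scopes_key


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without checking the signature.
    Signature and expiry checks are the plugin's job (against auth_oauth2.jwks_url);
    this only inspects what Azure put in the token, like pasting it into jwt.io."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))


def audience_matches(claims: dict, resource_server_id: str) -> bool:
    """The plugin requires resource_server_id to appear in 'aud' (a string or a list)."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return resource_server_id in aud


def extract_permissions(claims: dict, resource_server_id: str, scopes_key: str) -> dict:
    """Simplified version of how the plugin reads scopes: only entries prefixed with
    '<resource_server_id>.' count; the remainder is 'tag:<tag>' or
    '<configure|read|write>:<vhost>/<resource>[/<routing-key>]'. Vhost and resource
    patterns are returned as-is; the plugin itself matches them as patterns."""
    raw = claims.get(scopes_key, [])
    if isinstance(raw, str):          # a 'scope' claim is space separated; Azure 'roles' is a JSON list
        raw = raw.split()
    prefix = resource_server_id + "."
    tags, permissions = [], []
    for scope in raw:
        if not scope.startswith(prefix):
            continue                  # roles meant for another resource server are ignored
        kind, _, rest = scope[len(prefix):].partition(":")
        if kind == "tag":
            tags.append(rest)
        elif kind in ("configure", "read", "write"):
            vhost, _, resource = rest.partition("/")
            permissions.append((kind, vhost, resource))
    return {"tags": tags, "permissions": permissions}


def make_demo_token(claims: dict) -> str:
    """Build a constructed, unsigned (alg=none) JWT so the demo runs offline."""
    header = {"alg": "none", "typ": "JWT"}
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


# Constructed claims mirroring the shape of the Azure v1.0 token shown in the thread.
SAMPLE_CLAIMS = {
    "aud": RESOURCE_SERVER_ID,
    "iss": "https://sts.windows.net/<tenant>/",
    "scp": "User.Read",                                   # delegated Graph scope, irrelevant to RabbitMQ
    "roles": [RESOURCE_SERVER_ID + ".tag:monitoring",
              RESOURCE_SERVER_ID + ".read:*/*",
              "11111111-2222-3333-4444-555555555555.tag:administrator"],  # another app's role
    "ver": "1.0",
}
SAMPLE_TOKEN = make_demo_token(SAMPLE_CLAIMS)


def inspect(token: str) -> dict:
    """Audience check plus the tags/permissions RabbitMQ would derive from the token."""
    claims = decode_claims(token)
    return {
        "audience_ok": audience_matches(claims, RESOURCE_SERVER_ID),
        **extract_permissions(claims, RESOURCE_SERVER_ID, ADDITIONAL_SCOPES_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(inspect(SAMPLE_TOKEN), indent=2))
```

To use it on a real token, replace `SAMPLE_TOKEN` with the access token the management UI stores in the browser's local storage and set `RESOURCE_SERVER_ID` to your `auth_oauth2.resource_server_id`; an empty `tags` list or `audience_ok` being false points at the claims, while a result like the one above with a login that still fails points elsewhere in the configuration, as it did in this thread.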

sirine

Jun 6, 2023, 3:57:22 AM
to rabbitmq-users

And for info, here I am using the new config to specify the key for roles:

auth_oauth2.additional_scopes_key=roles
It is the equivalent of the config extra_scopes_source you were mentioning. 
As it is specified here:

Saifeddine Rajhi

Jun 6, 2023, 4:14:45 AM
to rabbitm...@googlegroups.com
The best docs are here for Azure AD.

I think you are missing required fields:

 {rabbitmq_auth_backend_oauth2, [
   {resource_server_id, <<"PUT YOUR AZURE AD APPLICATION ID">>},
   {extra_scopes_source, <<"roles">>},
   {key_config, [
     {jwks_url, <<"PUT YOUR AZURE AD JWKS URI VALUE">>}
   ]}
 ]}



sirine

Jun 6, 2023, 5:07:51 AM
to rabbitmq-users
Thanks for your answer, but actually this config is set; it is just that it is put in the new format (not in advanced.config, but in the global config) that is specified here (you search for a key and you find its equivalent):

But I've also tried that just in case and I got the same issues.

So in what you've sent:

 {rabbitmq_auth_backend_oauth2, [
   {resource_server_id, <<"PUT YOUR AZURE AD APPLICATION ID">>},
   {extra_scopes_source, <<"roles">>},
   {key_config, [
     {jwks_url, <<"PUT YOUR AZURE AD JWKS URI VALUE">>}
   ]}
 ]}

This is the equivalent config here:

auth_oauth2.resource_server_id=<app_registration_client_id>
auth_oauth2.additional_scopes_key=roles
auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys

It is the same config, same results.

Saifeddine Rajhi

Jun 6, 2023, 5:21:03 AM
to rabbitm...@googlegroups.com
One last thing, please:
for oauth_provider_url, are you using https://login.microsoftonline.com/AZURE_AD_TENANT_ID ?

The example below was tested and validated:

[
  {rabbit, [
   {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
  ]},
  {rabbitmq_management, [
    {listener, [{port,    15671},
                {ssl,      true},
                {ssl_opts, [{cacertfile, "/etc/rabbitmq/rabbitmq-ca.crt"},
                           {certfile,   "/etc/rabbitmq/rabbitmq.crt"},
                           {keyfile,    "/etc/rabbitmq/rabbitmq.key"},

                           %% don't do peer verification to HTTPS clients
                           {verify,               verify_none},
                           {fail_if_no_peer_cert, false},

                           {client_renegotiation, false},
                           {secure_renegotiate,   true},
                           {honor_ecc_order,      true},
                           {honor_cipher_order,   true}
                 ]}
     ]},
     {oauth_enabled, true},
     {oauth_client_id, "0e4305ff-3df1-4695-b2c7-ef804cf9c105"},    
     {oauth_provider_url, "https://login.microsoftonline.com/b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0"}

 ]},
 {rabbitmq_auth_backend_oauth2, [
   {resource_server_id, <<"0e4305ff-3df1-4695-b2c7-ef804cf9c105">>},
   {extra_scopes_source, <<"roles">>},
   {key_config, [
     {jwks_url, <<"https://login.microsoftonline.com/b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0/discovery/v2.0/keys">>}
   ]}
  ]}
 ].

sirine

Jun 6, 2023, 8:11:14 AM
to rabbitmq-users
Yes. I am using https://login.microsoftonline.com/AZURE_AD_TENANT_ID (I put the client ID by mistake in the first message when I was covering the real values).
For the example you're sending, for SSL I just skipped the verification, so I don't put any config related to that part. For the other config, it is the same as I have sent, just in a different format; as I have sent you in previous messages the schema file from the rabbitmq repo, let me know if you see a difference from what I'm sending. Thanks for taking the time to answer anyway; if you have any test in mind that could be helpful, thank you.

Saifeddine Rajhi

Jun 6, 2023, 9:09:29 AM
to rabbitm...@googlegroups.com
Honestly it looks ok. What are the versions of RabbitMQ and Erlang, please?
And is the oauth2 backend plugin enabled?

sirine

Jun 6, 2023, 9:33:54 AM
to rabbitmq-users
I am using the Docker image rabbitmq:3.11-management (with rabbitmq Kubernetes Operator). 

Saifeddine Rajhi

Jun 6, 2023, 10:07:03 AM
to rabbitm...@googlegroups.com
Can you please exec into the rabbitmq container and run the command below?
I want to check if the "rabbitmq_auth_backend_oauth2" plugin is enabled:

rabbitmq-plugins list -e -m


Marcial Rosales

Jun 12, 2023, 2:57:51 AM
to rabbitmq-users
Hi Sirine, as Rajhi suggested, could you please access the browser's local-storage entry "rabbitmq.credentials" and paste the content here? I need to see what Azure is sending.

I am planning on moving all the configuration in the oauth2 tutorial to cuttlefish format to avoid any confusion.

Thanks Rajhi for helping! Both plugins are enabled because they show up in the stacktrace. It must be something related to the scopes in the token.

sirine

Jun 15, 2023, 12:50:45 PM
to rabbitmq-users
Hello Marcial and Rajhi,

So the plugin is of course enabled, because otherwise I wouldn't get to that level.
For the roles it is all ok.

So the issue was really that I messed up the module name...
Here:       auth_backends.1 = rabbitmq_auth_backend_oauth2
The right one is:       auth_backends.1 = rabbit_auth_backend_oauth2

To all: never assume the plugin and module names are the same; you can see that in the rabbitmq code itself (when you're at some point, you don't check that xD)
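The root cause here is a plain name mix-up: `rabbitmq-plugins enable` takes the plugin name (`rabbitmq_auth_backend_oauth2`), while `auth_backends.N` in rabbitmq.conf (and `rabbit.auth_backends` in advanced.config) takes the Erlang module name (`rabbit_auth_backend_oauth2`), and the `undef` in the stack trace is what you get when the configured module does not exist. The following Python lint is an added example, not something from the thread or from RabbitMQ; it scans a rabbitmq.conf excerpt for `auth_backends` entries and flags plugin names used where a module name belongs. The plugin-to-module mapping for oauth2 and the `internal` alias come from this thread; the ldap/http/cache pairs follow the same naming pattern, and the remaining short aliases are assumed to match the `auth_backends` translation in RabbitMQ's rabbit.schema.

```python
import re

# Plugin name -> Erlang module name. auth_backends takes module names; the plugin
# name is what you pass to 'rabbitmq-plugins enable'. The oauth2 pair is the one
# from the thread; the others follow the same naming pattern.
PLUGIN_TO_MODULE = {
    "rabbitmq_auth_backend_oauth2": "rabbit_auth_backend_oauth2",
    "rabbitmq_auth_backend_ldap": "rabbit_auth_backend_ldap",
    "rabbitmq_auth_backend_http": "rabbit_auth_backend_http",
    "rabbitmq_auth_backend_cache": "rabbit_auth_backend_cache",
}

# Short aliases rabbitmq.conf translates to module names. 'internal' is used in the
# thread; the rest are assumed from the rabbit.schema auth_backends translation.
ALIASES = {
    "internal": "rabbit_auth_backend_internal",
    "ldap": "rabbit_auth_backend_ldap",
    "http": "rabbit_auth_backend_http",
    "oauth2": "rabbit_auth_backend_oauth2",
    "cache": "rabbit_auth_backend_cache",
}

KNOWN_MODULES = set(PLUGIN_TO_MODULE.values()) | set(ALIASES.values())

# Matches auth_backends.N, auth_backends.N.authn and auth_backends.N.authz keys.
_LINE = re.compile(r"^\s*(auth_backends\.\d+(?:\.(?:authn|authz))?)\s*=\s*(\S+)")


def lint_auth_backends(conf_text: str) -> list:
    """Return one (key, value, status, resolved_module) tuple per auth_backends entry.
    status is 'alias', 'module', 'plugin_name' (the mistake from the thread) or
    'unknown' (an atom RabbitMQ would pass through unchanged)."""
    findings = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]          # cuttlefish comments start with '#'
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if value in ALIASES:
            findings.append((key, value, "alias", ALIASES[value]))
        elif value in KNOWN_MODULES:
            findings.append((key, value, "module", value))
        elif value in PLUGIN_TO_MODULE:
            findings.append((key, value, "plugin_name", PLUGIN_TO_MODULE[value]))
        else:
            findings.append((key, value, "unknown", value))
    return findings


def problems(conf_text: str) -> list:
    """Human-readable messages for the entries that need attention."""
    msgs = []
    for key, value, status, module in lint_auth_backends(conf_text):
        if status == "plugin_name":
            msgs.append(f"{key} = {value}: this is the plugin name; use the module name {module}")
        elif status == "unknown":
            msgs.append(f"{key} = {value}: not a known auth backend module (used as-is)")
    return msgs


# Constructed rabbitmq.conf excerpt in the shape of the one posted at the top of the thread.
SAMPLE_CONF = """\
auth_backends.1 = rabbitmq_auth_backend_oauth2   # plugin name, not module name
auth_backends.2 = internal
auth_oauth2.resource_server_id = <app_registration_client_id>
auth_oauth2.additional_scopes_key = roles
"""

if __name__ == "__main__":
    for msg in problems(SAMPLE_CONF):
        print(msg)
```

Run against the real file (`python lint.py < /etc/rabbitmq/rabbitmq.conf` after swapping `SAMPLE_CONF` for `sys.stdin.read()`), a `plugin_name` finding is the configuration equivalent of the `undef` error in the debug log above, and a cheap check to add before chasing token claims.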

sirine

Jun 15, 2023, 12:51:38 PM
to rabbitmq-users
Thanks to both of you for trying to help :) 

Marcial Rosales

Jun 16, 2023, 1:45:38 AM
to rabbitmq-users
Hi Sirine, glad it is working now. Is there anything you would change from our azure guide (https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/use-cases/azure.md) that would have made it easier to set up rabbitmq?
Thanks