Keycloak Enabling


Satheesh Kumar

Apr 11, 2023, 2:34:02 PM
to rabbitmq-users
Hi Team

I want to enable Keycloak authentication for an existing RabbitMQ. It was deployed using rabbitmq-operator. I don't see any rabbitmq.conf or advanced.conf inside the pod.

How can I do the configuration for Keycloak? What parameters are required for the Keycloak configuration?

Marcial Rosales

Apr 12, 2023, 2:37:15 AM
to rabbitmq-users
Hi, RabbitMQ does not support Keycloak as an authentication backend per se. If you want RabbitMQ to authenticate all users against Keycloak, your only option is to use the OAuth2 authentication backend.
This means that all your users, i.e. management UI end-users and applications, will have to use the OAuth2 protocol to authenticate/authorize. If your applications (e.g. those using the AMQP protocol) are not ready to authenticate with OAuth2, then you still have to manage those credentials in RabbitMQ.

Satheesh Kumar

Apr 13, 2023, 7:36:21 AM
to rabbitmq-users
Hi Marcial

I am OK to use OAuth2 authentication that internally uses Keycloak for authentication. I need to use OAuth for both management users and MQTT-based subscribers.

What kind of config changes do I need to make in rabbitmq.conf or advanced.conf for enabling OAuth2? I am using rabbitmq-operator for deployments and the RabbitMQ version is 3.9.

Also, I referred to the RabbitMQ wiki: https://www.rabbitmq.com/oauth2-examples-keycloak.html

I did not understand how to use this in the existing config in RabbitMQ.

Marcial Rosales

Apr 13, 2023, 9:58:50 AM
to rabbitmq-users
Hi, to use RabbitMQ OAuth2 in the management UI you need 3.10, and I recommend, if you can, using 3.11. 3.9 and earlier versions only support UAA as the authorization server, and only the implicit flow. You need Keycloak and authorization code + PKCE, and that is only supported from 3.10 onwards.

With regard to what configuration you need for Keycloak, there are sample configuration files in both formats, old style and new style, here: https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/tree/main/conf/keycloak
Those sample configuration files configure a signing key; however, you can configure a jwks_url instead. Here is a sample: https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/conf/auth0/rabbitmq.conf#L11

Make sure you configure the RabbitMQ OAuth client in Keycloak properly. See this section: https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/use-cases/keycloak.md#configure-client

Satheesh Kumar

Apr 14, 2023, 12:59:38 PM
to rabbitmq-users
Hi Marcial,


As you suggested, I have upgraded my RabbitMQ version to 3.11.13.

I tried it on my local machine, but I am getting the below error when I tried to access the rabbitmq-management UI with the client ID and client secret.

Error

2023-04-14 22:15:32 demo-broker  | 2023-04-14 16:45:32.522806+00:00 [warning] <0.892.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2023-04-14 22:16:34 demo-broker  | 2023-04-14 16:46:34.773457+00:00 [warning] <0.894.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid

rabbitmq.conf

```
default_user = john123
default_pass = 123456
listeners.tcp.default = 5672
management.tcp.port = 15672
management.load_definitions = /etc/rabbitmq/definitions.json
auth_backends.1 = rabbit_auth_backend_oauth2
management.oauth_enabled = true
management.oauth_client_id = "rabbitmq-mgmt"
management.oauth_client_secret = "zcfLy7QiNbIbJ1mKlk9GKOZsBrfpOA4H"
management.oauth_scopes = openid profile rabbitmq.tag:administrator
management.oauth_provider_url = http://keycloak:8080/realms/master/protocol/openid-connect/auth
auth_oauth2.resource_server_id = rabbitmq
```


Keycloak Server Details

Server info
Version: 21.0.2
Product: Default
Client details: attached below as a file

rabbitmq-mgmt.json

Marcial Rosales

Apr 17, 2023, 3:56:08 AM
to rabbitmq-users
I suggest you follow this part of the RabbitMQ OAuth2 tutorial: https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/use-cases/keycloak.md
You are missing the signing key, and I doubt the URL you have configured is the OIDC discovery endpoint in Keycloak.
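Added example (not code from the thread, the tutorial, or RabbitMQ itself): a small lint that checks a rabbitmq.conf for the two problems raised in the replies above, a missing signing key or JWKS URL, and an oauth_provider_url that points at a specific Keycloak endpoint instead of the realm base. It also flags the side effect of listing only the OAuth2 backend while default_user is still set. It assumes the flat key = value format shown in the thread, that RabbitMQ verifies tokens with either auth_oauth2.jwks_url or auth_oauth2.signing_keys.<id>, that the management UI derives <base>/.well-known/openid-configuration from management.oauth_provider_url, and that Keycloak's JWKS endpoint is /realms/<realm>/protocol/openid-connect/certs. The host, realm and placeholder secret in the two constructed configs are taken or adapted from the post.

```python
"""Lint the OAuth2 keys of a rabbitmq.conf (added example, not RabbitMQ code).

Assumptions: flat `key = value` config format; tokens are verified via
auth_oauth2.jwks_url or auth_oauth2.signing_keys.<id>; the management UI
treats management.oauth_provider_url as the provider base URL and fetches
<base>/.well-known/openid-configuration; Keycloak serves its JWKS at
/realms/<realm>/protocol/openid-connect/certs.
"""

# Constructed input: the configuration posted earlier in the thread, with the
# real client secret replaced by a placeholder.
POSTED_CONF = """\
default_user = john123
default_pass = 123456
listeners.tcp.default = 5672
management.tcp.port = 15672
auth_backends.1 = rabbit_auth_backend_oauth2
management.oauth_enabled = true
management.oauth_client_id = "rabbitmq-mgmt"
management.oauth_client_secret = "<client-secret-placeholder>"
management.oauth_scopes = openid profile rabbitmq.tag:administrator
management.oauth_provider_url = http://keycloak:8080/realms/master/protocol/openid-connect/auth
auth_oauth2.resource_server_id = rabbitmq
"""

# Constructed corrected version: same host and realm as the post (assumed),
# a JWKS URL instead of a static signing key, realm base as provider URL.
FIXED_CONF = """\
listeners.tcp.default = 5672
management.tcp.port = 15672
auth_backends.1 = rabbit_auth_backend_oauth2
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.jwks_url = http://keycloak:8080/realms/master/protocol/openid-connect/certs
management.oauth_enabled = true
management.oauth_client_id = rabbitmq-mgmt
management.oauth_client_secret = <client-secret-placeholder>
management.oauth_scopes = openid profile rabbitmq.tag:administrator
management.oauth_provider_url = http://keycloak:8080/realms/master
"""

# Keycloak endpoint paths that get pasted into oauth_provider_url by mistake.
KEYCLOAK_ENDPOINT_SUFFIXES = (
    "/protocol/openid-connect/auth",
    "/protocol/openid-connect/token",
    "/protocol/openid-connect/certs",
)


def parse_conf(text):
    """Parse `key = value` lines into a dict; skip blanks and # comments and
    strip surrounding double quotes so "rabbitmq-mgmt" equals rabbitmq-mgmt."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip().strip('"')
    return conf


def discovery_url(provider_url):
    """OIDC discovery document derived from a provider base URL."""
    return provider_url.rstrip("/") + "/.well-known/openid-configuration"


def lint_oauth2(conf):
    """Return (severity, message) findings for the OAuth2 part of a config."""
    findings = []
    backends = [v for k, v in conf.items() if k.startswith("auth_backends.")]
    if ("rabbit_auth_backend_oauth2" in backends
            and "rabbit_auth_backend_internal" not in backends
            and "default_user" in conf):
        findings.append(("info", "default_user is set but rabbit_auth_backend_internal "
                                 "is not listed in auth_backends, so those credentials "
                                 "cannot log in"))
    has_jwks = "auth_oauth2.jwks_url" in conf
    has_keys = any(k.startswith("auth_oauth2.signing_keys.") for k in conf)
    if not has_jwks and not has_keys:
        findings.append(("error", "no auth_oauth2.jwks_url and no auth_oauth2.signing_keys.*: "
                                  "token signatures cannot be verified, so every token "
                                  "is rejected as invalid"))
    if conf.get("management.oauth_enabled") == "true":
        url = conf.get("management.oauth_provider_url", "").rstrip("/")
        if not url:
            findings.append(("error", "management.oauth_enabled is true but "
                                      "management.oauth_provider_url is missing"))
        for suffix in KEYCLOAK_ENDPOINT_SUFFIXES:
            if url.endswith(suffix):
                base = url[: -len(suffix)]
                findings.append(("error", f"management.oauth_provider_url ends in {suffix}; "
                                          f"use the realm base {base} so the UI can fetch "
                                          f"{discovery_url(base)}"))
                break
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONF), ("fixed", FIXED_CONF)):
        print(f"== {name} ==")
        for severity, message in lint_oauth2(parse_conf(text)) or [("ok", "no findings")]:
            print(f"{severity}: {message}")
```

Run against the posted configuration it reports one info and two errors; against the corrected one it reports nothing. The lint only reads the file, so it cannot tell whether the JWKS URL is reachable from the broker or whether the Keycloak client is configured as the linked tutorial section describes; those still have to be checked against Keycloak itself.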