RabbitMQ OAuth 2.0 not working with PingFederate


Karthik V.

Nov 27, 2024, 3:54:52 PM
to rabbitmq-users
Hello Team,

I have been trying to set up SSO for RabbitMQ using PingFederate (only for the Management UI; app communication would still be on the creds that are created and stored in Rabbit). I tried following the Okta example and worked with our SSO team to set up an app in PingFederate.
When I hit the Rabbit management endpoint (https on 15671) I could see the flow to PingFederate and key in my credentials (it works until here; the creds get validated). Then I see a server_error.

I tried a couple of things:
  •     Initially noticed a CORS-related error on the mgmt UI. Added the Rabbit endpoint to the allowed origins in PingFederate.
  •     Then came across an invalid_target error (specified resource must be an absolute URI), so I changed the resource_server_id value from the client_id to the Rabbit endpoint.
  •     Now I see server_error.
Below is my current configuration. A few configs (cors, peer_verification, host_verification, etc.) were added as trial and error to see if the issue gets resolved.

      listeners.ssl.default = 5671
      ssl_options.cacertfile = /etc/ssl/certs/ca-certificates.crt
      ssl_options.certfile = /etc/rabbitmq-tls/tls.crt
      ssl_options.keyfile = /etc/rabbitmq-tls/tls.key
      ssl_options.verify = verify_none
      ssl_options.fail_if_no_peer_cert = false
      management.oauth_enabled = true
      management.oauth_client_id = rabbitmq_poc
      management.oauth_scopes = openid
      auth_oauth2.issuer = https://pingnpc.xxx.com
      auth_oauth2.resource_server_id = https://rabbit-poc-1.insidelabs.xxx.com:15671
      auth_oauth2.jwks_url = https://pingnpc.xxx.com/pf/JWKS
      auth_oauth2.token_endpoint = https://pingnpc.xxx.com/as/token.oauth2
      auth_oauth2.additional_scopes_key = role
      auth_oauth2.scope_prefix = pingfed.
      auth_oauth2.https.peer_verification = verify_none
      auth_oauth2.https.hostname_verification = none
      auth_oauth2.verify_aud = false
      management.cors.allow_origins.1 = *
      log.file.level = debug
    additionalPlugins:
    - rabbitmq_management
    - rabbitmq_federation
    - rabbitmq_federation_management
    - rabbitmq_peer_discovery_k8s
    advancedConfig: |
      [
          %% Set a resource server ID. Will require all scopes to be prefixed with `rabbitmq.`
          {rabbit_auth_backend_internal, [
              {scope_aliases, #{
                  <<"admin">> => [
                    <<"pingfed.read:*/*">>,
                    <<"pingfed.write:*/*">>,
                    <<"pingfed.configure:*/*">>,
                    <<"pingfed.tag:administrator">>
                  ],

                  <<"monitoring">> => [
                    <<"pingfed.read:*/*">>,
                    <<"pingfed.tag:management">>
                  ]


              }}
          ]} % rabbit_auth_backend_internal
      ].
I also enabled the debug log and saw only the entries below related to OAuth:
2024-11-27 20:32:56.435012+00:00 [debug] <0.9924.0> Using oauth_provider {oauth_provider,"https://pingnpc.xxx.com",
2024-11-27 20:32:56.435012+00:00 [debug] <0.9924.0>                                      "https://pingnpc.xxx.com/as/token.oauth2",
2024-11-27 20:32:56.435012+00:00 [debug] <0.9924.0>                                      undefined,
2024-11-27 20:32:56.435012+00:00 [debug] <0.9924.0>                                      "https://pingnpc.xxx.com/pf/JWKS",
2024-11-27 20:32:56.435012+00:00 [debug] <0.9924.0>                                      [{verify,verify_none}]} from keyconfig
2024-11-27 20:32:56.520546+00:00 [debug] <0.9926.0> Using oauth_provider {oauth_provider,"https://pingnpc.xxx.com",
2024-11-27 20:32:56.520546+00:00 [debug] <0.9926.0>                                      "https://pingnpc.xxx.com/as/token.oauth2",
2024-11-27 20:32:56.520546+00:00 [debug] <0.9926.0>                                      undefined,
2024-11-27 20:32:56.520546+00:00 [debug] <0.9926.0>                                      "https://pingnpc.xxx.com/pf/JWKS",
2024-11-27 20:32:56.520546+00:00 [debug] <0.9926.0>                                      [{verify,verify_none}]} from keyconfig
2024-11-27 20:32:58.049298+00:00 [debug] <0.9934.0> accepting AMQP connection <0.9934.0> (10.153.11.240:42655 -> 10.153.12.21:5672)
2024-11-27 20:32:58.049443+00:00 [debug] <0.9934.0> closing AMQP connection <0.9934.0> (10.153.11.240:42655 -> 10.153.12.21:5672):
2024-11-27 20:32:58.049443+00:00 [debug] <0.9934.0> connection_closed_with_no_data_received

The admin and monitoring groups are o365 groups and are tied to the admin and monitoring roles in PingFederate.

A couple of questions:
Has anyone set up OAuth using PingFederate?
In order to have SSO enabled just for the management UI, how should the advanced config be set up for role mapping?
How do I reproduce this using Postman or other means, to see the token being generated and whether it carries a scope?

Since I don't see an authorization error, it doesn't look like scope/role are even coming into the picture.

Any pointers towards how to trace the OAuth or configuration error would be much appreciated!

Thanks,
Karthik V.

Karthik V.

Jan 8, 2025, 9:15:44 AM
to rabbitmq-users
I was able to resolve the SSO issue with the PingFederate setup. I wanted to contribute the solution here in case others are working on a similar setup.
The Okta example in the RabbitMQ documentation is more or less the same - https://www.rabbitmq.com/docs/oauth2-examples-okta

A couple of issues that I encountered while setting up:
  •     Came across a CORS-related error - blocked by CORS policy
      •     Had to allow the RabbitMQ endpoint in PingFederate.
  •     invalid_target : Resource must be an absolute URI
      •     Changed resource_server_id from client_id to the Rabbit endpoint (as it was looking for a URI, I gave the https endpoint).
  •     Role mapping issues - noticed a Not Authorized error in the RabbitMQ UI.
      •     A change was required in PingFederate to pass the role in the access token.

Below is the config.
    additionalConfig: |

      listeners.ssl.default = 5671
      ssl_options.cacertfile = /etc/ssl/certs/ca-certificates.crt
      ssl_options.certfile = /etc/rabbitmq-tls/tls.crt
      ssl_options.keyfile = /etc/rabbitmq-tls/tls.key
      ssl_options.verify = verify_none
      ssl_options.fail_if_no_peer_cert = false
      auth_mechanisms.1 = AMQPLAIN
      management.oauth_enabled = true
      management.oauth_scopes = openid
      management.oauth_client_id = rabbitmq_poc
      management.oauth_client_secret = rabbitmq_secret
      management.oauth_disable_basic_auth = false
      auth_backends.1 = rabbit_auth_backend_oauth2
      auth_backends.2 = internal
      auth_oauth2.issuer = https://pingnpc.xxxx.com
      auth_oauth2.resource_server_id = https://rabbit-poc-1.yyyy.xxxx.com:15671
      auth_oauth2.additional_scopes_key = role
      auth_oauth2.scope_prefix = rabbitmq.
      auth_oauth2.verify_aud = false
      log.console.level = info
      log.file.level = info

    additionalPlugins:
    - rabbitmq_management
    - rabbitmq_federation
    - rabbitmq_federation_management
    - rabbitmq_peer_discovery_k8s
    - rabbitmq_auth_backend_oauth2

    advancedConfig: |
      [
          %% Set a resource server ID. Will require all scopes to be prefixed with `rabbitmq.`
          {rabbitmq_auth_backend_oauth2, [
              {scope_aliases, #{
                  <<"admin">> => [
                    <<"rabbitmq.read:*/*">>,
                    <<"rabbitmq.write:*/*">>,
                    <<"rabbitmq.configure:*/*">>,
                    <<"rabbitmq.tag:administrator">>
                  ],

                  <<"monitoring">> => [
                    <<"rabbitmq.read:*/*">>,
                    <<"rabbitmq.tag:monitoring">>
                  ]
              }}
          ]} % rabbitmq_auth_backend_oauth2
      ].

@rabbit team, please correct if anything mentioned is wrong or can be done better!!
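The first post asks how to see whether the token PingFederate issues actually carries a role/scope, and the second post shows the fix was getting the role into the access token and mapping it through scope_aliases. The script below is an added example, not code from the poster or from the RabbitMQ project: it decodes a JWT payload without checking the signature (inspection only; the broker verifies signatures against the JWKS endpoint, and this script must not be used as an authorizer) and then applies the same mapping the second post's config describes: collect scopes from the `scope` claim plus the `additional_scopes_key` claim (`role`), expand `scope_aliases`, keep only scopes carrying `scope_prefix` (`rabbitmq.`), and parse them into the vhost permissions and user tags. The prefix, claim key, alias map and resource_server_id are copied from the thread; the sample token is constructed here with a placeholder signature.

```python
import base64
import json

# Settings copied from the second post's rabbitmq.conf / advancedConfig
SCOPE_PREFIX = "rabbitmq."
ADDITIONAL_SCOPES_KEY = "role"
RESOURCE_SERVER_ID = "https://rabbit-poc-1.yyyy.xxxx.com:15671"

# scope_aliases from the thread's advancedConfig, as a Python dict
SCOPE_ALIASES = {
    "admin": [
        "rabbitmq.read:*/*",
        "rabbitmq.write:*/*",
        "rabbitmq.configure:*/*",
        "rabbitmq.tag:administrator",
    ],
    "monitoring": [
        "rabbitmq.read:*/*",
        "rabbitmq.tag:monitoring",
    ],
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.
    Good for looking at what the IdP put in the token; never use it to
    make an authorization decision (that is the broker's JWKS check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def _as_list(value) -> list:
    """Scope-like claims may be a space-separated string or a JSON array."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    return list(value)


def collect_scopes(claims: dict) -> list:
    """Scopes from 'scope' plus the claim named by additional_scopes_key."""
    return _as_list(claims.get("scope")) + _as_list(claims.get(ADDITIONAL_SCOPES_KEY))


def expand_aliases(scopes: list) -> list:
    """Replace each alias (e.g. 'admin') with the scopes it stands for."""
    expanded = []
    for scope in scopes:
        expanded.extend(SCOPE_ALIASES.get(scope, [scope]))
    return expanded


def effective_permissions(claims: dict) -> dict:
    """Keep only scopes carrying SCOPE_PREFIX and parse them into the
    (vhost, resource) permissions and user tags the broker would grant.
    An empty result is what shows up as 'Not Authorized' in the UI."""
    perms = {"configure": [], "write": [], "read": [], "tags": []}
    for scope in expand_aliases(collect_scopes(claims)):
        if not scope.startswith(SCOPE_PREFIX):
            continue  # e.g. 'openid' carries no RabbitMQ meaning
        kind, _, rest = scope[len(SCOPE_PREFIX):].partition(":")
        if kind == "tag":
            perms["tags"].append(rest)
        elif kind in ("configure", "write", "read"):
            vhost, _, resource = rest.partition("/")
            perms[kind].append((vhost, resource))
    return perms


def audience_matches(claims: dict) -> bool:
    """What auth_oauth2.verify_aud = true would enforce: 'aud' names this broker."""
    return RESOURCE_SERVER_ID in _as_list(claims.get("aud"))


def make_unsigned_token(claims: dict) -> str:
    """Constructed token with a placeholder signature, only to exercise the parser."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "constructed"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


# Constructed sample claims in the shape the thread's setup expects
SAMPLE_CLAIMS = {
    "iss": "https://pingnpc.xxxx.com",
    "sub": "karthik",
    "aud": RESOURCE_SERVER_ID,
    "scope": "openid",
    "role": ["monitoring"],
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    print("aud ok:", audience_matches(claims))
    print(json.dumps(effective_permissions(claims), indent=2))
```

To check a real token, paste the access token PingFederate returns (for example from the browser's network tab during the management UI login) in place of SAMPLE_TOKEN: if the `role` claim is missing, effective_permissions comes back empty, which is the role-mapping failure the second post fixed on the PingFederate side. Note that the thread sets verify_aud = false; audience_matches shows what turning it back on would require of the token.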