Authentication in RabbitMQ with an OAuth2 access token from a non-UAA OAuth2 provider


陈家航

Jan 14, 2020, 9:33:55 AM1/14/20
to rabbitmq-users
Hey,

Currently I am working on a project and my task is to let users authenticate using a JWT-encoded OAuth2 access token. To do this, I have enabled the OAuth2 plugin.

After following the document [1] I realize that only the scope and sub fields are really of interest. When connecting at the web UI, I only need to pass the access token in the password field. The username field can be ignored. So I just enter rabbitmq as the username and the access token as the password in the web management UI.

However, I cannot get access to the RabbitMQ server with my setup. Below I will post my config file, the decoded access token and a section from the log file.

advanced.config:
[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]},
    {auth_mechanisms, ['PLAIN','AMQPPLAIN','EXTERNAL']}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {default_key, <<"key">>},
      {signing_keys, #{
        <<"key">> => {map, #{<<"kty">> => <<"RSA">>,
                             <<"alg">> => <<"RS256">>,
                             <<"value">> => <<"-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiAb+J6Uc+7uulKKaVUOK4LjXeburIYNf0wVMg5QaoPOxr2cVY4QziMD81+LtcIA9bK2PABSO2BEaC2CeLZGbPRfS+uIA6khNpAv1XTAflHYM4YqrHgGVMJObo+5RhpU9IMJ5gGQOqRA5xxX26RTAWllmV1xlt6AgbofudcMKSQQLJONzZYgtlOuqIonmCNpDM/2SgUxLgE1kFHXc1Zbtvb/koV3nyvqEk0BFv7jW9/P5QAIHkCls07F0RYzLyIZRKiTcvhhshvJLUrBy0xjYMU0JqcQcykSSmyFNt2yDNQwgJub3Q1V+RWYwR8KYmIz2PtxIKYFkXNkL34n7czzLAwIDAQAB
-----END PUBLIC KEY-----">>}}
      }}
    ]}
  ]}
].


decoded access token payload:

{
  "jti": "2f908949-4e36-4412-a7be-47dbcb966532",
  "exp": 1579012163,
  "nbf": 0,
  "iat": 1579011863,
  "aud": "rabbitmq",
  "sub": "d19394e0-0077-46b0-9c37-14a5e3fb3bb5",
  "typ": "Bearer",
  "azp": "rabbitmq",
  "auth_time": 0,
  "session_state": "f57e7d9f-a8e3-4ef1-95c4-48cdff85bffc",
  "acr": "1",
  "scope": "rabbitmq.read:*/*/* rabbitmq.write:*/*/* rabbitmq.configure:*/*/*"
}

log file (only two lines were updated after login):

PLAIN login refused: user 'rabbitmq' - invalid credentials
2020-01-14 15:24:23.026 [info] <0.5988.0> closing AMQP connection <0.5988.0> (127.0.0.1:61941 -> 127.0.0.1:5672)
Version:
rabbitmq: 3.8.0
erlang: 22.1


From my point of view, the failed access is probably caused by the type of the scope field. As you can see, the scope is not a list.

Can someone give me suggestions on how to solve my problem?


Arnaud Cogoluègnes

Jan 14, 2020, 10:07:40 AM1/14/20
to rabbitm...@googlegroups.com
The decoded payload looks correct to me, scope as a string is
supported [1]. From the test suite, a token like the following works:

{
"aud": "hare rabbitmq",
"exp": 1579013934,
"foo": "bar",
"iss": "unit_test",
"kid": "token-key",
"scope": "rabbitmq.configure:*/* rabbitmq.write:*/* rabbitmq.read:*/*"
}

If you provide the encoded token (consistent with the server
configuration you provided), I should be able to investigate more.

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/issues/24

Arnaud Cogoluègnes

Jan 14, 2020, 11:28:19 AM1/14/20
to rabbitm...@googlegroups.com
I forgot to mention that the encoded token should have an expiration
date as far as possible.

陈家航

Jan 15, 2020, 3:25:52 AM1/15/20
to rabbitmq-users
Hello,

Below you can see the access token corresponding to the configuration provided before:

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxdHRDcFEweFRZQ2xnZGItNDBfQWc2UXVuZUF4RFdWd3JzNVhsNTR2azNzIn0.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.B9p_4wIPRedls9DC7q0sA0SAKfkTIDA_emveZKI5CEh5JzWIIcHrqoWbKi-wrnnsaL3d9jRAVgyVv2J9fCIP_6oVuUXRg0SyOCk-mlLXi1bpvvH82_xtAaQRTMipjJ8-f9B1DtgszpalzZB65MzmMzQgXoQGd4kxY3KmfJIJPEeY6_XpiSqUmnRdkLmuzDCDAobXDFIrtUMfV1vpigYmMGwkH1EEcFy51PrOkcRBNegjSDgss0-6hS_lz47qwd6xE8znvk6SlmjtuGM0snu0XaZ-gvn9_4zCOno1QqYsoW49-MdU3k4thEPVI7D71lSpJ0_wXL-Bt3RLFhXTylE7bw

On Tuesday, January 14, 2020 at 5:28:19 PM UTC+1, Arnaud Cogoluègnes wrote:

Arnaud Cogoluègnes

Jan 15, 2020, 5:35:02 AM1/15/20
to rabbitm...@googlegroups.com
Change your configuration to the following:

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]},
    {auth_mechanisms, ['PLAIN','AMQPPLAIN','EXTERNAL']}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {default_key, <<"qttCpQ0xTYClgdb-40_Ag6QuneAxDWVwrs5Xl54vk3s">>},
      {signing_keys, #{
        <<"qttCpQ0xTYClgdb-40_Ag6QuneAxDWVwrs5Xl54vk3s">> => {pem,
          <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiAb+J6Uc+7uulKKaVUOK4LjXeburIYNf0wVMg5QaoPOxr2cVY4QziMD81+LtcIA9bK2PABSO2BEaC2CeLZGbPRfS+uIA6khNpAv1XTAflHYM4YqrHgGVMJObo+5RhpU9IMJ5gGQOqRA5xxX26RTAWllmV1xlt6AgbofudcMKSQQLJONzZYgtlOuqIonmCNpDM/2SgUxLgE1kFHXc1Zbtvb/koV3nyvqEk0BFv7jW9/P5QAIHkCls07F0RYzLyIZRKiTcvhhshvJLUrBy0xjYMU0JqcQcykSSmyFNt2yDNQwgJub3Q1V+RWYwR8KYmIz2PtxIKYFkXNkL34n7czzLAwIDAQAB
-----END PUBLIC KEY-----">>}}
      }}
    ]}
  ]}
].

Note the id of the key in the configuration matches what's in the
token (kid field of the header). Then I used a "pem" record just like
in the sample [1], which is enough for the plugin to extract the
information it needs about the public key. We could have kept the
previous signing key configuration, but it would have required an "n"
(modulus) field and an "e" (exponent) field. I'll see what I can do to
improve the documentation.

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/blob/master/demo/rsa_keys/rabbitmq.config
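Two things this reply asks the reader to check can be scripted: that the kid in the token header is a key id present in signing_keys, and what the "n" and "e" fields of the JWK "map" form would have contained for the posted PEM. The following is an added example, not code from the thread or from the plugin: it decodes the header segment of the token posted above (copied from this thread), looks the kid up in a plain dict standing in for the signing_keys map, and walks the PEM's DER structure to produce the JWK modulus and exponent. All function names are my own; the DER walk assumes a standard SubjectPublicKeyInfo with an rsaEncryption key, which is what "BEGIN PUBLIC KEY" normally wraps.

```python
import base64
import json

# Header segment (first dot-separated part) of the token posted earlier in this
# thread, copied from the page; the payload and signature are not needed here.
TOKEN_HEADER_SEGMENT = (
    "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxdHRDcFEw"
    "eFRZQ2xnZGItNDBfQWc2UXVuZUF4RFdWd3JzNVhsNTR2azNzIn0"
)

# The public key from the poster's advanced.config, copied from the page.
RABBITMQ_PUBLIC_KEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiAb+J6Uc+7uulKKaVUOK4LjXeburIYNf0wVMg5QaoPOxr2cVY4QziMD81+LtcIA9bK2PABSO2BEaC2CeLZGbPRfS+uIA6khNpAv1XTAflHYM4YqrHgGVMJObo+5RhpU9IMJ5gGQOqRA5xxX26RTAWllmV1xlt6AgbofudcMKSQQLJONzZYgtlOuqIonmCNpDM/2SgUxLgE1kFHXc1Zbtvb/koV3nyvqEk0BFv7jW9/P5QAIHkCls07F0RYzLyIZRKiTcvhhshvJLUrBy0xjYMU0JqcQcykSSmyFNt2yDNQwgJub3Q1V+RWYwR8KYmIz2PtxIKYFkXNkL34n7czzLAwIDAQAB
-----END PUBLIC KEY-----"""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1


def b64url_decode(segment: str) -> bytes:
    """Decode unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode_uint(value: int) -> str:
    """Encode a positive integer as unpadded base64url (JWK 'n' / 'e' encoding)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_header(token: str) -> dict:
    """Return the JOSE header of a compact JWT (a bare header segment also works)."""
    return json.loads(b64url_decode(token.split(".")[0]))


def find_signing_key(token: str, signing_keys: dict):
    """Select the key by the header's kid, like the plugin's signing_keys lookup.

    Returns (kid, key) or (kid, None) when no configured key carries that id.
    """
    kid = decode_jwt_header(token).get("kid")
    return kid, signing_keys.get(kid)


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value triple; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the number of length octets
        num_octets = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_octets], "big")
        pos += num_octets
    return tag, buf[pos:pos + length], pos + length


def pem_to_rsa_jwk(pem: str, kid: str, alg: str = "RS256") -> dict:
    """Build the JWK (with 'n' and 'e') that the 'map' signing-key form needs."""
    body = pem.replace("-----BEGIN PUBLIC KEY-----", "").replace("-----END PUBLIC KEY-----", "")
    der = base64.b64decode("".join(body.split()))
    tag, spki, _ = _read_tlv(der, 0)                  # SubjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE (SubjectPublicKeyInfo)")
    _, alg_id, pos = _read_tlv(spki, 0)               # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption public key")
    bits_tag, bit_string, _ = _read_tlv(spki, pos)    # BIT STRING holding RSAPublicKey
    if bits_tag != 0x03:
        raise ValueError("missing subjectPublicKey BIT STRING")
    _, rsa_seq, _ = _read_tlv(bit_string[1:], 0)      # skip the unused-bits octet
    _, n_bytes, pos = _read_tlv(rsa_seq, 0)           # INTEGER modulus
    _, e_bytes, _ = _read_tlv(rsa_seq, pos)           # INTEGER public exponent
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    return {"kty": "RSA", "alg": alg, "kid": kid,
            "n": b64url_encode_uint(n), "e": b64url_encode_uint(e)}


if __name__ == "__main__":
    # With the original config the only key id is "key", so the lookup fails.
    kid, key = find_signing_key(TOKEN_HEADER_SEGMENT, {"key": RABBITMQ_PUBLIC_KEY_PEM})
    print(f"kid={kid}: {'found' if key else 'NOT present in signing_keys'}")
    print(json.dumps(pem_to_rsa_jwk(RABBITMQ_PUBLIC_KEY_PEM, kid), indent=2))
```

Run as a script it reports that the kid from the header is not among the configured ids of the first configuration, which is the mismatch this reply fixes; the printed JWK is what the "map" form would have needed in place of "value".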

陈家航

Jan 15, 2020, 7:59:16 AM1/15/20
to rabbitmq-users
Hey,

You are right. Now it works. Thanks a lot!

On Wednesday, January 15, 2020 at 11:35:02 AM UTC+1, Arnaud Cogoluègnes wrote:

陈家航

Jan 15, 2020, 9:20:54 AM1/15/20
to rabbitmq-users
Hello Arnaud,

Another question: can we put more than one resource server in the config file?

For my project, I need to implement more than one resource server. So I suspect that I can modify the config file like {resource_server_id, [<<"rabbitmq">>, <<"another_ressource:id">>]} ?

Regards,
Jiahang


On Wednesday, January 15, 2020 at 11:35:02 AM UTC+1, Arnaud Cogoluègnes wrote:
> Change your configuration to the following:

Arnaud Cogoluègnes

Jan 15, 2020, 10:19:55 AM1/15/20
to rabbitm...@googlegroups.com
The resource_server_id is a prefix to filter out scopes that are
supposed to be used by the plugin [1]. This means that if
resource_server_id is "rabbitmq", scopes must start with this prefix
to be "found" by the plugin, e.g. "rabbitmq.configure:*/*
rabbitmq.write:*/* rabbitmq.read:*/*". Other values that could be in
the "scope" field but that do not begin with "rabbitmq." will be
ignored.

resource_server_id can be only a string. I don't see much interest in
making it multi-valued: different resource servers just need to use
the same prefix for scopes that are meant to be used by RabbitMQ, this
seems reasonable.

It's still possible to specify several signing keys, for example:

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]},
    {auth_mechanisms, ['PLAIN','AMQPPLAIN','EXTERNAL']}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {default_key, <<"qttCpQ0xTYClgdb-40_Ag6QuneAxDWVwrs5Xl54vk3s">>},
      {signing_keys, #{
        <<"qttCpQ0xTYClgdb-40_Ag6QuneAxDWVwrs5Xl54vk3s">> => {pem,
          <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAiAb+J6Uc+7uulKKaVUOK4LjXeburIYNf0wVMg5QaoPOxr2cVY4QziMD81+LtcIA9bK2PABSO2BEaC2CeLZGbPRfS+uIA6khNpAv1XTAflHYM4YqrHgGVMJObo+5RhpU9IMJ5gGQOqRA5xxX26RTAWllmV1xlt6AgbofudcMKSQQLJONzZYgtlOuqIonmCNpDM/2SgUxLgE1kFHXc1Zbtvb/koV3nyvqEk0BFv7jW9/P5QAIHkCls07F0RYzLyIZRKiTcvhhshvJLUrBy0xjYMU0JqcQcykSSmyFNt2yDNQwgJub3Q1V+RWYwR8KYmIz2PtxIKYFkXNkL34n7czzLAwIDAQAB
-----END PUBLIC KEY-----">>},
        <<"legacy-token-key">> => {pem, <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dP+vRn+Kj+S/oGd49kq
6+CKNAduCC1raLfTH7B3qjmZYm45yDl+XmgK9CNmHXkho9qvmhdksdzDVsdeDlhK
IdcIWadhqDzdtn1hj/22iUwrhH0bd475hlKcsiZ+oy/sdgGgAzvmmTQmdMqEXqV2
B9q9KFBmo4Ahh/6+d4wM1rH9kxl0RvMAKLe+daoIHIjok8hCO4cKQQEw/ErBe4SF
2cr3wQwCfF1qVu4eAVNVfxfy/uEvG3Q7x005P3TcK+QcYgJxav3lictSi5dyWLgG
QAvkknWitpRK8KVLypEj5WKej6CF8nq30utn15FQg0JkHoqzwiCqqeen8GIPteI7
VwIDAQAB
-----END PUBLIC KEY-----">>}
      }}
    ]}
  ]}
].

In the configuration file above, 2 public keys are declared (yours and
the one from the demo). The broker then accepts your token and a token
generated by UAA (this works, I tested it).

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2#resource-server-id-and-scope-prefixes
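The scope-prefix rule described in this reply, as an added example that is not part of the thread and not the plugin's own code. It takes the payload the original poster decoded, with one unrelated "openid" scope added (constructed) to show that it is ignored, keeps only the scopes that start with "<resource_server_id>.", and splits each into permission, vhost, name and optional routing key, covering both the "rabbitmq.read:*/*/*" and the "rabbitmq.configure:*/*" shapes that appear in this thread. It also rejects a token whose aud does not include resource_server_id or whose exp has passed; those two checks and the exact scope grammar are my assumptions about broker behaviour for this illustration, not something the reply states.

```python
import time
from typing import Optional

# Constructed sample: the payload decoded earlier in this thread, plus an
# "openid" scope (not present in the original) that carries no RabbitMQ prefix.
SAMPLE_PAYLOAD = {
    "exp": 1579012163,
    "iat": 1579011863,
    "aud": "rabbitmq",
    "sub": "d19394e0-0077-46b0-9c37-14a5e3fb3bb5",
    "scope": "openid rabbitmq.read:*/*/* rabbitmq.write:*/*/* rabbitmq.configure:*/*/*",
}

PERMISSIONS = ("configure", "write", "read")


def audience_list(aud) -> list:
    """'aud' may be one space-separated string (like 'hare rabbitmq') or a JSON list."""
    if isinstance(aud, str):
        return aud.split()
    return list(aud or [])


def is_expired(payload: dict, now: Optional[int] = None) -> bool:
    """A token with no exp is treated as unusable, matching the advice to always set one."""
    now = int(time.time()) if now is None else now
    return "exp" not in payload or now >= payload["exp"]


def scopes_for_resource(payload: dict, resource_server_id: str) -> list:
    """Keep only scopes prefixed with '<resource_server_id>.'; anything else is ignored."""
    scope = payload.get("scope", "")
    scopes = scope.split() if isinstance(scope, str) else list(scope)
    prefix = resource_server_id + "."
    return [s for s in scopes if s.startswith(prefix)]


def parse_scope(scope: str, resource_server_id: str) -> Optional[dict]:
    """'rabbitmq.read:vhost/name[/routing-key]' -> permission, vhost, name, routing_key."""
    prefix = resource_server_id + "."
    if not scope.startswith(prefix) or ":" not in scope:
        return None
    permission, _, target = scope[len(prefix):].partition(":")
    if permission not in PERMISSIONS:
        return None
    parts = target.split("/")
    if len(parts) not in (2, 3):
        return None
    return {
        "permission": permission,
        "vhost": parts[0],
        "name": parts[1],
        "routing_key": parts[2] if len(parts) == 3 else None,
    }


def effective_permissions(payload: dict, resource_server_id: str,
                          now: Optional[int] = None) -> dict:
    """Summarise what the broker would grant for this token and resource_server_id."""
    if resource_server_id not in audience_list(payload.get("aud")):
        return {"accepted": False, "reason": "aud does not include resource_server_id"}
    if is_expired(payload, now):
        return {"accepted": False, "reason": "token expired or has no exp claim"}
    grants = []
    for scope in scopes_for_resource(payload, resource_server_id):
        parsed = parse_scope(scope, resource_server_id)
        if parsed is not None:
            grants.append(parsed)
    return {"accepted": True, "grants": grants}


if __name__ == "__main__":
    # Evaluate at a time between the sample's iat and exp so it is still valid.
    for permission in effective_permissions(SAMPLE_PAYLOAD, "rabbitmq", now=1579012000)["grants"]:
        print(permission)
    # A second resource server id simply sees no matching scopes and a wrong audience.
    print(effective_permissions(SAMPLE_PAYLOAD, "another_resource", now=1579012000))
```

Run against the sample, the three prefixed scopes are returned as grants and the "openid" scope disappears, which is the filtering behaviour the reply describes; a different resource_server_id gets nothing, which is why separate resource servers would need to agree on one prefix rather than the plugin accepting several.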