Re: [rabbitmq-users] Quick start Authentication with JWT

[Arnaud Cogoluègnes]

Could you share a procedure to reproduce? (RabbitMQ configuration, a
long-lived Keycloak token that we could use to test, some curl
requests). Please also provide the RabbitMQ and Erlang versions you're
using.

Note Keycloak is supported with permissions in the authorization field
(see [1]).

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/issues/37

On Tue, Dec 17, 2019 at 8:56 AM Jiahang Chen <janni...@gmail.com> wrote:
>
> Hi,
>
> i need to quick enable JWT to authenticate users by rabbtitmq server.
>
> I get id token (jwt) from keycloak and can i just add the token into headers like headers = {{'Content-Type': 'application/json', "authorization":"Bearer " + <TOKEN>}
> and then use the http api
>
> response = requests.get(url = "http://localhost:15672/api/users", headers = headers}
>
>
> how should i set up the config file? From https://www.rabbitmq.com/management.html i should set management.disable_basic_auth to true, so i just add {disable_basic_auth, true}, to config file. but it seems not working
>
> Pls let me know what should i do.
>
>
>
>
>
>
>
> Regards
>
> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/f8becc2e-baf4-4a14-8db1-2f2737d91a18%40googlegroups.com.

[陈家航]

token: 

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJRYnRLbFEzRnYyTlFEMmxrZWpSWFpNem9CRW5MOFAtV1FpNEVTSGZIc1lNIn0.eyJqdGkiOiJlMTE0NmI2MC04NzU4LTQ2NDEtYWZjOS0yODg0YTZhM2Q2MjIiLCJleHAiOjE1NzY1NzIwNzMsIm5iZiI6MCwiaWF0IjoxNTc2NTcxNzczLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvUzNJX2RlbW8iLCJhdWQiOiJTM0lfYWJsYXVmXzAiLCJzdWIiOiI5OWMwZmFjNy1lYzZmLTRiODUtYmI2ZC1jY2JiZmY4OGI3YTMiLCJ0eXAiOiJJRCIsImF6cCI6IlMzSV9hYmxhdWZfMCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImRkZDdhZDE4LThiMDMtNGEwNi1iY2UxLWI2YmJiODBhNWY2NiIsImFjciI6IjEiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNhY2h2ZXJzdGFlbmRpZ2VyIn0.XJHmVwXEgfy5lniHZ16xbQ4WIMAZAl_gpVN8Ns_tmddjv_0v9ymKSh5dGXkSWz9sY49in4RtRzg75-HDLS3e4stVhRgdni-4mzJmXM15iQs0vEePZKud9gMqFA38hzEC2VT-Yy3CgaBFwUApkAduHua0VcwOzra_d91qFeC-s7MOUon9ww_5FezZ2JtHstNDKiicSUmn4byIxSmAl0QWrzuxC_ZXI20fcsoDELOQ_koYPOz4qBBud0PbCvfi83ZeckviLVOkkZ-5THW7n2K1dL9iMF8OYJXjPnYBtZOsNnADEagZknJe4cAXb0xkKTb99rrUMn9CmCzKfgFXrTk6nw

[
{rabbit, [
{ssl_listeners, [5671]},
{auth_mechanisms, ['PLAIN','AMQPPLAIN','EXTERNAL']},
{ssl_cert_login_from, common_name},
{ssl_options, [{cacertfile, "C:/Users/chen/Documents/Visual Studio 2015/Projects/keycloak_rabbit_authentifizierung/keycloak_rabbit_authentifizierung/tls-gen-master/basic/result/ca_certificate.pem"},
{certfile, "C:/Users/chen/Documents/Visual Studio 2015/Projects/keycloak_rabbit_authentifizierung/keycloak_rabbit_authentifizierung/tls-gen-master/basic/result/server_certificate.pem"},
{keyfile,"C:/Users/chen/Documents/Visual Studio 2015/Projects/keycloak_rabbit_authentifizierung/keycloak_rabbit_authentifizierung/tls-gen-master/basic/result/server_key.pem" },
{verify, verify_peer},
{disable_basic_auth, true},
{fail_if_no_peer_cert, true}]}
]}
].

rabbitmq version 3.8.0

erlang 22.1

Arnaud Cogoluègnes <acogol...@pivotal.io> 于2019年12月17日周二 上午9:31写道：

To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/CAJa4r_hM7wK8dbGHvV3eVTgiAO49qqpBGbzpOZJ6kTHikvnbcA%40mail.gmail.com.

[Jiahang Chen]

token: 

eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJRYnRLbFEzRnYyTlFEMmxrZWpSWFpNem9CRW5MOFAtV1FpNEVTSGZIc1lNIn0.eyJqdGkiOiJlMTE0NmI2MC04NzU4LTQ2NDEtYWZjOS0yODg0YTZhM2Q2MjIiLCJleHAiOjE1NzY1NzIwNzMsIm5iZiI6MCwiaWF0IjoxNTc2NTcxNzczLCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgwODAvYXV0aC9yZWFsbXMvUzNJX2RlbW8iLCJhdWQiOiJTM0lfYWJsYXVmXzAiLCJzdWIiOiI5OWMwZmFjNy1lYzZmLTRiODUtYmI2ZC1jY2JiZmY4OGI3YTMiLCJ0eXAiOiJJRCIsImF6cCI6IlMzSV9hYmxhdWZfMCIsImF1dGhfdGltZSI6MCwic2Vzc2lvbl9zdGF0ZSI6ImRkZDdhZDE4LThiMDMtNGEwNi1iY2UxLWI2YmJiODBhNWY2NiIsImFjciI6IjEiLCJlbWFpbF92ZXJpZmllZCI6ZmFsc2UsInByZWZlcnJlZF91c2VybmFtZSI6InNhY2h2ZXJzdGFlbmRpZ2VyIn0.XJHmVwXEgfy5lniHZ16xbQ4WIMAZAl_gpVN8Ns_tmddjv_0v9ymKSh5dGXkSWz9sY49in4RtRzg75-HDLS3e4stVhRgdni-4mzJmXM15iQs0vEePZKud9gMqFA38hzEC2VT-Yy3CgaBFwUApkAduHua0VcwOzra_d91qFeC-s7MOUon9ww_5FezZ2JtHstNDKiicSUmn4byIxSmAl0QWrzuxC_ZXI20fcsoDELOQ_koYPOz4qBBud0PbCvfi83ZeckviLVOkkZ-5THW7n2K1dL9iMF8OYJXjPnYBtZOsNnADEagZknJe4cAXb0xkKTb99rrUMn9CmCzKfgFXrTk6nw

[
{rabbit, [
{ssl_listeners, [5671]},
{auth_mechanisms, ['PLAIN','AMQPPLAIN','EXTERNAL']},
{ssl_cert_login_from, common_name},
{ssl_options, [{cacertfile, "C:/Users/chen/Documents/Visual Studio 2015/Projects/keycloak_rabbit_authentifizierung/keycloak_rabbit_authentifizierung/tls-gen-master/basic/result/ca_certificate.pem"},
{certfile, "C:/Users/chen/Documents/Visual Studio 2015/Projects/keycloak_rabbit_authentifizierung/keycloak_rabbit_authentifizierung/tls-gen-master/basic/result/server_certificate.pem"},
{keyfile,"C:/Users/chen/Documents/Visual Studio 2015/Projects/keycloak_rabbit_authentifizierung/keycloak_rabbit_authentifizierung/tls-gen-master/basic/result/server_key.pem" },
{verify, verify_peer},
{disable_basic_auth, true},
{fail_if_no_peer_cert, true}]}
]}
].

rabbitmq version 3.8.0

erlang 22.1

在 2019年12月17日星期二 UTC+1上午9:31:39，Arnaud Cogoluègnes写道：

Could you share a procedure to reproduce? (RabbitMQ configuration, a
long-lived Keycloak token that we could use to test, some curl
requests). Please also provide the RabbitMQ and Erlang versions you're
using.

Note Keycloak is supported with permissions in the authorization field
(see [1]).

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/issues/37

On Tue, Dec 17, 2019 at 8:56 AM Jiahang Chen <janni...@gmail.com> wrote:
>
> Hi,
>
> i need to quick enable JWT to authenticate users by rabbtitmq server.
>
> I get id token (jwt) from keycloak and can i just add the token into headers like headers = {{'Content-Type': 'application/json', "authorization":"Bearer " +  <TOKEN>}
> and then use the http api
>
> response = requests.get(url = "http://localhost:15672/api/users", headers = headers}
>
>
> how should i set up the config file? From https://www.rabbitmq.com/management.html  i should set management.disable_basic_auth to true, so i just add     {disable_basic_auth, true}, to config file. but it seems not working
>
> Pls let me know what should i do.
>
>
>
>
>
>
>
> Regards
>
> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitm...@googlegroups.com.

[Arnaud Cogoluègnes]

The OAuth 2 plugin is not configured in the file you provided. You
must enable it and configure it.

You should read the OAuth 2 plugin documentation [1] and follow the
example [2] to get more familiar with this topic. Even if UAA is not
your target OAuth 2 server, you can use it for the tutorial, it's easy
to start with.

The token you provided:

{
"jti": "e1146b60-8758-4641-afc9-2884a6a3d622",
"exp": 1576572073,
"nbf": 0,
"iat": 1576571773,
"iss": "http://localhost:8080/auth/realms/S3I_demo",
"aud": "S3I_ablauf_0",
"sub": "99c0fac7-ec6f-4b85-bb6d-ccbbff88b7a3",
"typ": "ID",
"azp": "S3I_ablauf_0",
"auth_time": 0,
"session_state": "ddd7ad18-8b03-4a06-bce1-b6bbb80a5f66",
"acr": "1",
"email_verified": false,
"preferred_username": "sachverstaendiger"
}

Does not contain anything RabbitMQ can use for its permissions. You'll
find more about what RabbitMQ expects in the OAuth 2 plugin
documentation and in the link I mentioned [3] for Keycloak.

You should also use RabbitMQ 3.8.2, this is the latest stable version.

[1] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/
[2] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/#examples
[3] https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2/issues/37

> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/b339525c-d607-4fc9-a12d-d915e6bb98bb%40googlegroups.com.