Does Rabbit MQ 3.9.5 support oauth2 authentications ?


Sravani Cheruvu

Aug 3, 2023, 5:22:21 AM8/3/23
to rabbitmq-users
Hi Team,

We are running Rabbit MQ 3.9.5 and Erlang 24.0.5.

Currently internal and LDAP authentication are enabled and dev.config contains

{auth_backends, [rabbit_auth_backend_internal , rabbit_auth_backend_ldap]}

Now we want to introduce OAuth authentication to the current config.

We want to know :

1. Does Rabbit MQ 3.9.5 support OAuth authentication?
2. Can we have OAuth, LDAP and internal authentication all together in the same setup?
3. If we can have multiple authentication backends, how can we give the order of preference?


When I configured all three auth backends, as
{auth_backends, [rabbit_auth_backend_oauth, rabbit_auth_backend_internal , rabbit_auth_backend_ldap]}, the server starts up and logs in normally with either internal or LDAP users.


When I removed internal and LDAP from the list and kept only OAuth, I see this warning:
Authentication using an OAuth 2 / JWT token failed: provided token is invalid.



Please advise.

Thanks,
Lakshmi


Marcial Rosales

Aug 3, 2023, 6:27:25 AM8/3/23
to rabbitmq-users
Hi, RabbitMQ 3.9.5 has limited OAuth2 support. It supports OAuth2 authentication in all its messaging protocols such as AMQP. But the management UI only supports OAuth2 if your Authorization server is Cloud Foundry UAA, and only for the implicit flow. If you need OAuth2 authentication in the management UI, you should upgrade to 3.11.

With regard to your error, it looks like you have not configured the RabbitMQ OAuth2 plugin with the signing keys used by the Authorization server to sign the tokens. RabbitMQ cannot validate the signature and therefore the token is invalid.

Please check our OAuth2 tutorials on how to configure RabbitMQ with signing keys. Although the tutorials are based on the latest versions of RabbitMQ, they are still useful for your case.

Marcial Rosales

Aug 3, 2023, 6:30:38 AM8/3/23
to rabbitmq-users
With regard to your question whether you can have multiple authentication backends, the answer is yes. And RabbitMQ follows the same order you used to declare them.

Sravani Cheruvu

Aug 3, 2023, 7:50:59 AM8/3/23
to rabbitmq-users
Thank you for the response.

We will try the upgraded version.

We are looking at using Azure Active Directory as the OAuth 2.0 server. Could you please provide the related reference documents?

Marcial Rosales

Aug 3, 2023, 10:00:42 AM8/3/23
to rabbitmq-users
Great. If you check the OAuth2 tutorial repository mentioned in my first reply you will see there is an entry for Azure. Here it is https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/use-cases/azure.md
You can follow that tutorial to configure RabbitMQ with Azure as OAuth2 server.

Sravani Cheruvu

Aug 9, 2023, 12:30:03 AM8/9/23
to rabbitmq-users
Thank you, Marcial Rosales.

I tried the tutorial and was able to implement OAuth in Rabbit MQ 3.11.

However, we do see a few issues:

1. After logging in to the management UI, we see that the user name is shown as some encrypted long character string instead of the actual user name.
2. The user session cache is not getting cleared after sign out. We are only able to sign in with a password in incognito mode / a private browser window. How can we ensure that the user has to type the password every time normally?


Thanks,
Lakshmi

Marcial Rosales

Aug 14, 2023, 3:07:36 AM8/14/23
to rabbitmq-users
Hi, glad that it worked.

1. It allows you to set up which JWT claims should be used for the username. If you are seeing some strange ID, it is because that is what RabbitMQ is resolving based on the existing configuration. It is also explained here: https://www.rabbitmq.com/oauth2.html#preferred-username-claims
2. I have not fully understood what you mean. Can you elaborate a bit more on the steps?

Thanks

Sravani Cheruvu

Aug 21, 2023, 2:02:42 AM8/21/23
to rabbitmq-users
Hi @Marcial,


I have created a new advanced.config in the config folder and added the mentioned code snippet (from the documentation):

[
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {preferred_username_claims, [<<"user_name">>, <<"email">>]}
  ]}
].

I also gave the file reference in the rabbitmq-server file that is used to start the server and restarted the server.

Even after this change, we are seeing the long encrypted string instead of the user name in the UI dashboard.

Instead of advanced.config, I also tried adding this to the normal rabbitmq.conf file, but still no luck.

Do we have to update any property in the Azure portal?

Marcial Rosales

Aug 21, 2023, 5:15:43 AM8/21/23
to rabbitmq-users
Hi, you don't need to do anything in Azure provided the token carries at least one claim with the user-friendly name rather than a GUID.
Please follow these two steps:

1) Enable debug level in RabbitMQ and log in using OAuth2; you should get something like this:
2023-08-21 10:07:40.473154+01:00 [debug] <0.1071.0> Computing username from client's JWT token: [<<"rabbit_admin">>,<<"rabbit_admin">>,
2023-08-21 10:07:40.473154+01:00 [debug] <0.1071.0>  <<"5ea31ffa-89f8-4495-b877-d71362d3bc4c">>,<<"rabbitmq_client_code">>] -> rabbit_admin
2023-08-21 10:07:40.473249+01:00 [debug] <0.1071.0> User 'rabbit_admin' authenticated successfully by backend rabbit_auth_backend_oauth2

RabbitMQ logs the values of all the claims you configured in preferred_username_claims and the claim picked to represent the token's username.
See what you get in your environment.

By the way, you can configure the preferred_username_claims using .conf rather than .config, e.g.:

auth_oauth2.preferred_username_claims.1 = preferred_username
auth_oauth2.preferred_username_claims.2 = user_name
auth_oauth2.preferred_username_claims.3 = email

 
2) Share the JWT you are getting from Azure. To capture the JWT, follow these steps:
2.1. Open the browser's inspect / developer tools.
2.2. Go to the Application tab.
2.3. Go to "Local Storage" > <your server>.
2.4. Copy the value of the entry rabbitmq.credentials and share it via a reply to this thread.
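To see why the dashboard shows a GUID, it helps to look at which claims the Azure token actually carries and walk them in the configured preferred_username_claims order, the way the debug log above does. The following is an added example, not code from RabbitMQ or from anyone in this thread: it decodes the payload of a constructed JWT (claims modelled on the log line above) without verifying the signature, so it is only a diagnostic aid, and it assumes a fallback order of `sub` then `client_id` when none of the configured claims is present.

```python
import base64
import json
from typing import Dict, List, Optional

# Assumed fallback order when none of the configured claims is present.
DEFAULT_USERNAME_CLAIMS = ["sub", "client_id"]


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT (header.payload.signature).
    The signature is NOT checked here: this is for inspecting what the IdP
    put in the token, never for making an authentication decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def resolve_username(claims: Dict, preferred_username_claims: List[str]) -> Optional[str]:
    """Walk the configured claims in order and take the first one present,
    then fall back to the assumed defaults; None if nothing usable exists."""
    for name in list(preferred_username_claims) + DEFAULT_USERNAME_CLAIMS:
        value = claims.get(name)
        if value:
            return value
    return None


# Constructed sample token: claims mirror the values in the debug log above;
# the header and signature segments are placeholders, not a real signature.
SAMPLE_CLAIMS = {
    "sub": "5ea31ffa-89f8-4495-b877-d71362d3bc4c",
    "client_id": "rabbitmq_client_code",
    "user_name": "rabbit_admin",
    "preferred_username": "rabbit_admin",
    "aud": "rabbitmq",
}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_CLAIMS).encode()),
    "placeholder-signature",
])

if __name__ == "__main__":
    claims = jwt_claims(SAMPLE_TOKEN)
    print("claims present:", sorted(claims))
    print("username:", resolve_username(claims, ["preferred_username", "user_name", "email"]))
```

Paste the value of rabbitmq.credentials from the browser's local storage in place of SAMPLE_TOKEN to check whether any of the claims you configured is actually present; if only `sub` is, the GUID is expected.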