GitHub OAuth2 integration with RabbitMQ


Sudhanshu Joshi

Apr 11, 2023, 1:00:39 AM
to rabbitmq-users
Hi All,

I am a beginner in RabbitMQ and OAuth implementation. I am trying to integrate RabbitMQ with GitHub OAuth such that all the members of one of my GitHub Organizations have read/write access to all the resources in RabbitMQ.

1. I have created an OAuth App in my GitHub account, and I am using the advanced configuration file mentioned below for the integration. The authorization callback URL for it is https://localhost:15672

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2]}
  ]},
  {rabbitmq_management, [
    {oauth_enabled, true},
    {oauth_client_id, "XXXXXXXX"},
    {oauth_client_secret, "XXXXXXXXXXXXXXX"},
    {oauth_provider_url, "https://github.com/login/oauth/authorize"}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"oauth_client_id">>},
    {extra_scopes_source, <<"roles">>}
  ]}
].

When I go to the RabbitMQ management UI, it gives me this.

[screenshot attachment: rabbit.png]

2. I use this link to authorize the app to access my GitHub account.
https://github.com/login/oauth/authorize?client_id=XXXX&redirect_uri=https://localhost:15672&scope=user:email

3. After successful authorization, it redirects me back to my RabbitMQ management UI with a code embedded in the URL. Using this code, I am able to generate an API token by making a POST request to the GitHub API with the following body:
{
  "client_id" : "XXXX",
  "client_secret" : "XXXX",
  "code" : "code_received_from_step2"
}
And I receive a token of the form below:
access_token=gho_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX&scope=user%3Aemail&token_type=bearer

4. Now when making a curl command to the RabbitMQ HTTP management API using the above generated access code, it does not get authorized.

Can anyone help me out in implementing this use case? Also, I could not find any tutorials for the integration of RabbitMQ with GitHub OAuth. If there is one, can you please point me to it?

Thanks,
Sudhanshu Joshi

   

Marcial Rosales

Apr 12, 2023, 2:53:31 AM
to rabbitmq-users
Hi, 

First of all, have you been able to configure your OAuth2 client in GitHub with the RabbitMQ scopes? Scopes are the permissions that RabbitMQ understands (https://github.com/rabbitmq/rabbitmq-oauth2-tutorial#about-permissions).

If you have configured the scopes for your OAuth2 client, can you decode your token and paste it here so that I can see it? You can copy the access_token into jwt.io and see what scopes the access token carries.

The error message you see with the yellow background in the RabbitMQ management UI means that the configured oauth_provider_url does not point to an OIDC discovery endpoint. Copy that URL into your browser and append "/.well-known/openid-configuration" to it. This endpoint, called the OIDC Discovery Endpoint, should return a JSON payload with information about the other OAuth2 endpoints, supported scopes, etc.

If you want to access the management REST API with a curl command, you need to make sure that you have configured the OAuth2 tokens' signing key in RabbitMQ. Either you configure the signing key, or you configure the URL from where RabbitMQ can download the signing key. The access tokens are digitally signed, and RabbitMQ must validate the signature before it can use a token to authorize the request.

I recommend you follow the RabbitMQ OAuth2 tutorial so that you can get familiar with the basic configuration to access the RabbitMQ management UI via OAuth2.

Marcial Rosales

Apr 12, 2023, 7:29:18 AM
to rabbitmq-users
Hi, I found the OIDC discovery endpoint for GitHub: https://token.actions.githubusercontent.com/.well-known/openid-configuration
However, it does not return the authorization endpoint URI, which should be https://github.com/login/oauth/authorize . It only provides the jwks_uri.
I doubt it will work, because the management UI figures out the authorization endpoint URI from the payload returned by the OIDC discovery endpoint.

With regard to scopes in GitHub, you will not be able to define RabbitMQ scopes. However, one suggestion that I have not tried yet is to use a feature in RabbitMQ OAuth2 called Scope Aliases. Through aliases, you can map GitHub scopes of your choice (here is the full list of scopes in GitHub) to one or many RabbitMQ scopes.

Sudhanshu Joshi

Apr 13, 2023, 2:29:25 AM
to rabbitmq-users
Hi Marcial,

Thanks for your reply.

To answer your first question, whether I have been able to configure my OAuth Client with RabbitMQ scopes: I could not do this, as I could not find any option to do so in GitHub. I tried the example you have given for Azure AD, and there we can define the RabbitMQ scopes for the users or groups, but there is nothing like that in GitHub.

I have tried to use the "oauth_provider_url" as "https://token.actions.githubusercontent.com/". In this case, the yellow error message disappears, but when you click on the "Click here to login" button, the console shows the error which you mentioned regarding the "authorization_endpoint" missing. I have attached the screenshot also for your reference.

[screenshot attachment: rabbit.png]

 

I was trying the UI to understand the flow. At the end of the day, my use case is to use the management REST API with a curl command. The members of a specific GitHub organization should be able to access the RabbitMQ REST API with some specific permissions.
If you can point me in the right direction, it would be really helpful.
Meanwhile, I will explore on the points that you have mentioned above.

Thanks again for your reply, and looking forward to hearing back from you.

Thanks,
Sudhanshu Joshi      

Sudhanshu Joshi

Apr 13, 2023, 8:27:04 AM
to rabbitmq-users
Hi Marcial,

So I tried the following things.

1. Configure GitHub's OAuth 2.0 token signing key in RabbitMQ. I have attached my "advanced.config" file for the same. I have used this link for obtaining the signing key for GitHub's OAuth 2.0 token: "https://token.actions.githubusercontent.com/.well-known/jwks". In the config file, I have tried both ways: specifying the URL, and also copying the contents of this link into a file named "github.pem" and specifying that location in my config file. Neither worked :(

2. For the scope aliases, I have also tried implementing them in my "advanced.config" file. I don't know if there's any specific format for specifying them, especially the ones from GitHub. The ones which I have specified did not give any error while starting Rabbit, so I suppose it should be fine.

After making these changes in my advanced.config file and restarting my docker container, I go to GitHub's OAuth authorize endpoint.
https://github.com/login/oauth/authorize?client_id=github_oauth_app_client_id&redirect_uri=https://localhost:15672/js/oidc-oauth/login-callback.html&scope=user:email

Once I authorize, it redirects me to my redirect_uri along with a temp_code as mentioned below. 
 
And then I use this temp_code to get the access_token from GitHub using the below endpoint and payload.
{
  "client_id" : "github_oauth_app_client_id",
  "client_secret" : "github_oauth_app_client_secret",
  "code" : "temp_code"
}

And with the token which I receive from this POST request, I try to call my RabbitMQ HTTP API, but it fails.
curl -H "Authorization: Bearer TOKEN" http://localhost:15672/api/queues
401 {"error":"not_authorized","reason":"Not_Authorized"}
In the docker logs I receive this error.
[screenshot attachment: rabbit.png]


Thanks.
[attachment: advanced.config]

Marcial Rosales

Apr 13, 2023, 9:43:54 AM
to rabbitmq-users
Hi, your advanced.config has some wrong entries.

This entry is wrong; you should remove it: {oauth2_provider_config, [{signing_key, {file, "/etc/rabbitmq/github.pem"}}]}
If you want to manually configure signing keys, here is an example: https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/conf/uaa/rabbitmq.config#L19
But if you configured the jwks_uri, like you did, you don't need to add the signing key.

Please make sure that the access token contains a kid header value which matches one of the kids returned by https://token.actions.githubusercontent.com/.well-known/jwks. It should match, but it is worth checking, because otherwise RabbitMQ will not be able to validate the signature.

If you do not intend to use the management UI but only the REST API, you can ignore all the OAuth settings in the management plugin.
If you still want to use the management UI, then unfortunately, based on your findings, it is not possible to use GitHub as an Authorization Server.
It is not compliant with the OIDC protocol. The setting `{oauth_provider_url, "https://github.com/login/oauth/authorize"}` is wrong: you are setting there the authorize endpoint, but this URL is the base URI for the OIDC discovery endpoint. GitHub is the first Authorization Server we have found that is not compliant with OIDC. We have to decide whether we want to allow users to go through the hassle of configuring all the OIDC endpoints, be it authorize, terminate session, token and user_info. You could see that when you configured the proper OIDC discovery endpoint URL, you did not get the initial error, but you got another error complaining that the authorize endpoint was not part of the payload of the discovery endpoint. Which is what I expected.

Assuming you do not want to use the UI but only the REST API, let's see what you have to do. You have to fix a mistake in your configuration. Your scope_aliases is slightly wrong.
It should be like this:
  {resource_server_id, <<"github_oauth_app_client_id">>},
  {scope_aliases, #{
    <<"user:email">> => [
      <<"github_oauth_app_client_id.read:*/*">>,
      <<"github_oauth_app_client_id.write:*/*">>,
      <<"github_oauth_app_client_id.configure:*/*">>
    ]
  }},

The scope prefix has to match the resource_server_id.

Sudhanshu Joshi

Apr 14, 2023, 5:39:03 AM
to rabbitmq-users
Hi Marcial,

Thanks again for all the suggestions.

So, I fixed the mistakes in my configuration file and again tried to use the HTTP API using the same steps as mentioned in my previous messages, but unfortunately it still didn't work for me and gave the same error as mentioned in my previous message.

2023-04-14 08:59:13.338064+00:00 [debug] <0.639.0> User '' failed authentication by backend rabbit_auth_backend_oauth2
2023-04-14 08:59:13.339244+00:00 [warning] <0.639.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid

I have attached my "advanced.config" file for your review.

One thing which I am confused about right now is the "kid" header which you mentioned. The access tokens provided by GitHub are OAuth Bearer tokens and not JWT tokens. So I am not sure what you meant when you said "Please make sure that the access token contains a kid header value which matches one of the kids returned by https://token.actions.githubusercontent.com/.well-known/jwks." Just experimenting with this, while making a request to the RabbitMQ HTTP API, I also included a "kid" header and used the two values that were present at the /.well-known/jwks URL, but it didn't work either.

Thanks,
[attachment: advanced.config]

Marcial Rosales

Apr 17, 2023, 4:06:04 AM
to rabbitmq-users
Hi, the token is invalid because RabbitMQ cannot verify the signature. Tokens are really JWS (https://auth0.com/docs/secure/tokens/json-web-tokens/json-web-token-structure).

Can you capture a GitHub Bearer Token and paste it here? But the issue you are having now is clear: RabbitMQ cannot validate the signature, and that is why the token is invalid.

Sudhanshu Joshi

Apr 17, 2023, 4:22:47 AM
to rabbitmq-users
Here is the GitHub Bearer Token.

access_token=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&scope=user%3Aemail&token_type=bearer

Since it's not a JWT token, I think it cannot be verified by RabbitMQ.

Marcial Rosales

Apr 17, 2023, 5:04:07 AM
to rabbitmq-users
If you take the access token `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` and paste it into jwt.io, it does not even look like a token, let alone the signature :)

Marcial Rosales

Apr 17, 2023, 5:28:10 AM
to rabbitmq-users
It looks like GitHub cannot be used as a generic Authorization Server. GitHub is playing both roles, a Resource Server and an Authorization Server. The Authorization Server issues access tokens that only the Resource, i.e. the GitHub app, understands.

Sudhanshu Joshi

Apr 17, 2023, 12:53:27 PM
to rabbitmq-users

:)

Thank you Marcial for confirming this. 

Vilius Šumskas

Apr 17, 2023, 2:44:35 PM
to rabbitm...@googlegroups.com

Hi,

 

I think you are confusing GitHub user-level access with app-level access. For OAuth integration between GitHub and a 3rd-party app you should use the GitHub App feature https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/authenticating-as-a-github-app . It uses JWT tokens instead of the custom resource tokens you are getting.

 

--

    Vilius

 

 


Marcial Rosales

Apr 19, 2023, 8:27:28 AM
to rabbitmq-users
Thanks Vilius, could you point Joshi in the right direction to configure GitHub as an OAuth2 Authorization Server?
I have tried to find out which OAuth2 flow GitHub uses, whether it uses Authorization Code with PKCE, or implicit, or client credentials. The RabbitMQ management UI uses the former. But there is no mention of this.
Also, I have tried to find out the OIDC discovery endpoint. But the one I found (https://token.actions.githubusercontent.com/.well-known/openid-configuration) does not really return any endpoint URI, such as the endpoint to authorize or to exchange a code for a token.
I have not yet seen a JWT token issued for a GitHub app; I would imagine it is digitally signed using one of the keys returned by https://token.actions.githubusercontent.com/.well-known/jwks.

Thanks Vilius

Sudhanshu Joshi

Apr 20, 2023, 12:56:17 AM
to rabbitmq-users
Thank you so much Vilius, you were right that I was confused.

I tried the same setup by creating a GitHub App instead of an OAuth App, and it worked, at least for the management APIs.

And thanks Marcial, all the suggestions which you have given earlier came to use with this one. :)

I'll just lay down the steps so if anyone else gets confused, like I did, it might be helpful.

1. Created a GitHub App with the homepage URL as "http://localhost:15672/" and the callback URL as "http://localhost:15672/js/oidc-oauth/login-callback.html". Once the GitHub App is created, generated a private key for this app.
2. Now using this private key, I fetched the public key. This will be used in the advanced.config file.
openssl rsa -in private-key.pem -pubout -out pubkey.pem
3. Copied the example given here and made a few changes to it. In the payload JSON, added the keys "aud" and "scope" like below.
'aud': ['rabbitmq',app_id],
'scope': f'{app_id}.write:*/* {app_id}.configure:*/* {app_id}.read:*/* {app_id}.tag:management'
And at the end, where we are creating the encoded_jwt, add an optional header named "kid" like below. I have taken the value of "kid" from one of the kids mentioned here.
encoded_jwt = jwt_instance.encode(payload, signing_key, alg='RS256', optional_headers={"kid": "78167F727DEC5D801DD1C8784C704A1C880EC0E1"})

4. My advanced.config file is attached for reference. I don't think the scope aliases would be needed, but I have just kept them for now.

5. That's it. Restart the rabbitmq container, generate a JWT by running the Python file created in step 3, and using the JWT generated, make a POST request with the Authorization header "Bearer <JWT token>". And it worked.

Thank you again Vilius and Marcial.
[attachment: advanced.config]
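Steps 3 and 5 above, as an added Go example that is neither the thread's Python script nor RabbitMQ's own code: MintToken builds the RS256 JWS with the kid header, the aud list and the prefixed scopes from step 3, and VerifyToken applies the checks the OAuth2 backend has to pass before a request is authorized (signature against the configured public key, expiry, aud naming the resource_server_id, and the scope prefix Marcial described). The key pair, the kid "test-kid" and the time-to-live are constructed for the illustration; in the real setup the private key is the one the GitHub App generated and the public key is the one in advanced.config.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url for all three parts

// MintToken plays the role of the step-3 Python script: an RS256 JWS whose header carries the
// kid, whose aud includes the resource_server_id and whose scopes are prefixed with it.
func MintToken(key *rsa.PrivateKey, kid, appID string, ttl time.Duration) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	now := time.Now().Unix()
	scope := fmt.Sprintf("%[1]s.read:*/* %[1]s.write:*/* %[1]s.configure:*/* %[1]s.tag:management", appID)
	body, _ := json.Marshal(map[string]any{"iss": appID, "aud": []string{"rabbitmq", appID},
		"iat": now, "exp": now + int64(ttl.Seconds()), "scope": scope})
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// VerifyToken mirrors what rabbit_auth_backend_oauth2 has to do before it authorizes anything:
// pick the public key by kid, verify the signature, reject expired tokens, require resourceServerID
// in aud, and keep only scopes carrying the "<resourceServerID>." prefix (returned with it stripped).
func VerifyToken(token string, keys map[string]*rsa.PublicKey, resourceServerID string) ([]string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // JSON field matching is case-insensitive, so "alg"/"kid" bind
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("not a JWS with a readable header (an opaque gho_ token fails here)")
	}
	pub, ok := keys[hdr.Kid]
	sig, err := b64.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if hdr.Alg != "RS256" || !ok || err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("provided token is invalid: no RS256 key for kid %q or bad signature", hdr.Kid)
	}
	var claims struct{ Aud []string; Exp int64; Scope string } // aud as a list, as in step 3
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &claims) != nil {
		return nil, fmt.Errorf("malformed payload")
	}
	audOK := false
	for _, a := range claims.Aud {
		audOK = audOK || a == resourceServerID
	}
	if claims.Exp < time.Now().Unix() || !audOK {
		return nil, fmt.Errorf("token expired or aud does not name resource_server_id %q", resourceServerID)
	}
	var granted []string // only scopes with the matching prefix count, as Marcial noted
	for _, s := range strings.Fields(claims.Scope) {
		if strings.HasPrefix(s, resourceServerID+".") {
			granted = append(granted, strings.TrimPrefix(s, resourceServerID+"."))
		}
	}
	return granted, nil
}
```

A token that passes VerifyToken with the expected public key and resource_server_id is the one the curl call in step 5 needs; an opaque GitHub `gho_` token fails at the very first check, which is the 401 seen earlier in the thread.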

Vilius Šumskas

Apr 20, 2023, 2:39:33 AM
to rabbitm...@googlegroups.com

Glad you have sorted this out. I've only ever done GitHub App integration with software which provides scope/app_id/etc. in an integrated manner, but THIS will be useful to me too at some point in the future.


Marcial Rosales

Apr 20, 2023, 9:04:59 AM
to rabbitmq-users
I am glad it has worked. I was trying to help you set up OAuth2 to work with the management UI, in other words, use the OAuth2 authorization code flow to get a token on behalf of a user via GitHub. But in your case, you are accessing RabbitMQ's management REST API or one of its messaging protocols like AMQP using a token that you have, more or less, crafted yourself, right? I mean, it is not issued by GitHub itself.

That is exactly what the OAuth2 tutorial uses in this section. Because the Rich Authorization Request spec is not widely accepted by most IdPs, the tutorial itself issues a token signed with a private key, and RabbitMQ is configured with the matching public key.

Best
 

Sudhanshu Joshi

Apr 21, 2023, 1:00:09 AM
to rabbitmq-users
Yes Marcial, you are correct.

I am generating the token myself, which is signed by a private key generated by the GitHub App, and my RabbitMQ is configured with the matching public key.

Thanks

Saifeddine Rajhi

May 4, 2023, 11:38:27 AM
to rabbitmq-users
Hello everyone,

I want to do the same but with Okta instead of GitHub.
I read the thread and I have a few questions:
What is "github_app_client_id" in the config file?
And do I need Python code to generate the token? And if yes, how do I automatically call that code in the login process?

Thank you in advance
