Group and Roles authorization in OAuth in Rabbit MQ 3.11

Sravani Cheruvu

Aug 28, 2023, 9:54:49 AM
to rabbitmq-users
Hi team,

We have configured OAuth authentication in RabbitMQ 3.11, Erlang 25.

We have implemented roles and group membership in the OAuth dashboard and verified the basic functionality.

But we ideally want to configure read / write configure access for users based on their group membership within the RabbitMQ config file, instead of in the OAuth dashboard.

Please let us know if there is any way we can configure group membership access in the RabbitMQ config file.

For example, a user who is part of a group rmq-vhostname-read-access will have only read access to vhost "vhostname".

How can we have this configuration implemented within the RabbitMQ config file when OAuth is enabled?

Thanks,
Lakshmi


Marcial Rosales

Aug 29, 2023, 5:36:07 AM
to rabbitmq-users
Hi, you can achieve what you are asking within your own IDP, i.e. in your IDP you configure group membership, and then you tag the group with the appropriate scopes for your group. That way, when a user authenticates with your IDP, the user gets all the scopes associated with the group.
Each IDP has its own way of doing these things, so it varies from one to another.

Sravani Cheruvu

Aug 30, 2023, 11:59:07 AM
to rabbitmq-users
Hi @Marcial Rosales. I agree with this. But is there anything that can be done from the RabbitMQ config file?

Something similar to this:

Marcial Rosales

Aug 31, 2023, 3:33:22 AM
to rabbitmq-users
Hi, in RabbitMQ you proceed as you have been using it so far, i.e. you just use the appropriate scopes. That's it. 
Rich Authorization Request is another spec on top of OAuth2 to define permissions, not group membership. 
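
The approach described in the replies above (the IDP attaches scopes to a group, and RabbitMQ authorizes on those scopes), modelled as an added example that is not part of the thread and is not RabbitMQ's own code. It assumes a `resource_server_id` of `rabbitmq` and the OAuth 2 plugin's documented scope form `<resource_server_id>.<permission>:<vhost_pattern>/<name_pattern>`; the group-to-scope table and the second group are constructed, and the optional routing-key segment is ignored.

```python
import re

# Constructed IDP-side mapping: group name -> scopes the IDP puts in the token.
# "rabbitmq" is an assumed resource_server_id; the first group name is from the thread.
GROUP_SCOPES = {
    "rmq-vhostname-read-access": ["rabbitmq.read:vhostname/*"],
    "rmq-vhostname-admin": [  # constructed second group, for contrast
        "rabbitmq.read:vhostname/*",
        "rabbitmq.write:vhostname/*",
        "rabbitmq.configure:vhostname/*",
    ],
}

def token_scopes(groups):
    """Scopes a user receives for their group memberships (done by the IDP)."""
    return sorted({s for g in groups for s in GROUP_SCOPES.get(g, [])})

def _wild(pattern, value):
    """Match value against a pattern where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None

def allowed(scopes, permission, vhost, resource, resource_server_id="rabbitmq"):
    """True if any scope grants `permission` on `resource` in `vhost`."""
    prefix = resource_server_id + "."
    for scope in scopes:
        if not scope.startswith(prefix):
            continue  # scope addressed to a different resource server
        perm, sep, target = scope[len(prefix):].partition(":")
        if not sep or perm != permission:
            continue
        parts = target.split("/")
        if len(parts) < 2:
            continue  # malformed: both vhost and name patterns are required
        if _wild(parts[0], vhost) and _wild(parts[1], resource):
            return True
    return False

if __name__ == "__main__":
    scopes = token_scopes(["rmq-vhostname-read-access"])
    for perm in ("read", "write", "configure"):
        print(perm, allowed(scopes, perm, "vhostname", "orders"))
```

A member of only rmq-vhostname-read-access ends up with read on "vhostname" and nothing else, which is the outcome asked for in the first post, achieved without any per-group entry on the RabbitMQ side.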