Trying to authenticate RabbitMQ against an OAuth 2 server UAA


Mohit Darmwal

Feb 26, 2021, 1:39:29 AM
to rabbitmq-users

I have a working application in Spring Boot where I make connections and authenticate to RabbitMQ with properties defined in the application.properties file like below:

spring:
  rabbitmq:
    host: xx.xx.xx.111
    port: 5672
    username: user
    password: password

Now I want to authenticate every communication to RabbitMQ against OAuth 2 with an access token for read/write actions on a queue. For this, for now I am trying to use the Cloud Foundry UAA authorization server. I followed the following links to achieve the above:

  1. https://www.rabbitmq.com/api-guide.html#oauth2-support
  2. https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2#examples

I have enabled the following plugins in RabbitMQ:

rabbitmq_auth_backend_oauth2,rabbitmq_management

and I have updated the local RabbitMQ-specific config file */RabbitMQ/advanced.config with the following details:

[
    %% Enable the OAuth 2 auth backend, with the internal backend as fallback
    {rabbit, [
        {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
    ]},

    {rabbitmq_management, [
        {enable_uaa, true},
        {uaa_client_id, "rabbit_client"},
        {uaa_location, "http://localhost:8080/uaa"}
    ]},

    {rabbitmq_auth_backend_oauth2, [
        {resource_server_id, <<"rabbitmq">>},
        {key_config, [
            {default_key, <<"legacy-token-key">>},
            {signing_keys, #{
                <<"legacy-token-key">> => {map, #{<<"kty">> => <<"MAC">>,
                                                  <<"alg">> => <<"HS256">>,
                                                  <<"use">> => <<"sig">>,
                                                  <<"value">> => <<"tokenKey">>}}
            }}
        ]}
    ]}
].

I am using the UAA symmetric signing key in order to decrypt and verify client-provided tokens at RabbitMQ. Then I have my environment ready with all the basic clients and users set up in both UAA and RabbitMQ. I followed the steps to configure the client, user and their rights from rabbitmq-auth-backend-oauth2/setup.sh at master · rabbitmq/rabbitmq-auth-backend-oauth2 · GitHub.

Now, after setting up all of the above, I wrote a basic Java program to connect to RabbitMQ with OAuth 2 authorization via UAA and was able to successfully connect to RabbitMQ as suggested in link 1.

But when I want to see the RabbitMQ Management UI, I access http://localhost:15672/ and there I see the RabbitMQ Management page as below:

[image: A11.PNG]

And once I click on 'Click Here to log in', it takes me to the UAA page where it asks me to provide a username and password, which I do, but it doesn't accept my credentials and gives the error below:

[image: A22.PNG]

I was able to successfully log in to RabbitMQ from the Java program with UAA as the authorization server, with the client rabbit_client, the user rabbit_super and grant_type password:

import com.rabbitmq.client.ConnectionFactory;
import com.rabbitmq.client.impl.CredentialsProvider;
import com.rabbitmq.client.impl.OAuth2ClientCredentialsGrantCredentialsProvider.OAuth2ClientCredentialsGrantCredentialsProviderBuilder;

ConnectionFactory connectionFactory = new ConnectionFactory();
// Obtain an access token from the UAA token endpoint with the password grant;
// the provider then presents that token as the AMQP password when connecting
CredentialsProvider credentialsProvider =
  new OAuth2ClientCredentialsGrantCredentialsProviderBuilder()
    .tokenEndpointUri("http://localhost:8080/uaa/oauth/token/")
    .clientId("rabbit_client").clientSecret("rabbit_secret")
    .grantType("password")
    .parameter("username", "rabbit_super")
    .parameter("password", "rabbit_super")
    .build();
connectionFactory.setCredentialsProvider(credentialsProvider);

and when I use the same user and password, rabbit_super with its access_token as the password, on the RabbitMQ Management page where UAA asks me to provide details, it doesn't work and gives the error:

Provided credentials are invalid. Please try again.

so I checked the backend logs for UAA locally and the log details are as below.

In uaa_event.log:

Audit: IdentityProviderAuthenticationFailure ('rabbit_super'): principal=null, origin=[remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>], identityZoneId=[uaa], authenticationType=[uaa]
Audit: UserAuthenticationFailure ('rabbit_super'): principal=72e53395-1c54-4136-b239-34845f09ef96, origin=[remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>], identityZoneId=[uaa]
Audit: PrincipalAuthenticationFailure ('null'): principal=rabbit_super, origin=[0:0:0:0:0:0:0:1], identityZoneId=[uaa]

In uaa.log:

ERROR --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Uncaught Exception: org.springframework.security.oauth2.common.exceptions.InvalidGrantException: A redirect_uri can only be used by implicit or authorization_code grant types.

I am not sure why the error IdentityProviderAuthenticationFailure ('rabbit_super') is coming; it doesn't understand the user in the UAA identity zone. I have set the client as rabbit_client in UAA with its grant types as password and client_credentials with the uaac gem command below:

uaac client add rabbit_client --name rabbit_client --scope 'rabbitmq.*' --authorized_grant_types password,client_credentials --authorities rabbitmq --secret rabbit_secret --redirect_uri 'http://localhost:15672'

Please assist me with this issue; I am stuck at this point and not sure why the RabbitMQ Management UI doesn't accept rabbit_super and its access_token as the password. The OAuth 2 plugin is enabled on the RabbitMQ server side and the same has been configured locally to use the same OAuth 2 UAA server.

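As an added troubleshooting example, not code from the post or from the RabbitMQ project: a standalone Python checker that verifies an HS256 token against the symmetric key and resource_server_id from the advanced.config above and maps its scopes to RabbitMQ permissions using the plugin's documented scope format (`rabbitmq.<configure|read|write>:<vhost>/<name>` and `rabbitmq.tag:<tag>`). The key and kid are the post's values; the claims are constructed, and the scope-to-permission mapping is a simplified reading of the plugin's behaviour, not its code.

```python
import base64, hashlib, hmac, json, time

# Values from the post's advanced.config; everything else in this file is constructed.
SIGNING_KEY = b"tokenKey"          # the symmetric "value" of legacy-token-key
RESOURCE_SERVER_ID = "rabbitmq"    # must appear in the token's "aud" claim

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_hs256_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Mint a UAA-style HS256 JWT from constructed claims (test data, not a real UAA token)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": "legacy-token-key"}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_token(token: str, key: bytes = SIGNING_KEY, now=None) -> dict:
    """Check the signature, expiry and audience the plugin config requires; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # refuse alg substitution; only the configured MAC key is trusted
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature: token was not signed with this symmetric key")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    if RESOURCE_SERVER_ID not in ([aud] if isinstance(aud, str) else aud):
        raise ValueError(f"aud {aud!r} does not include resource_server_id {RESOURCE_SERVER_ID!r}")
    return claims

def rabbitmq_permissions(claims: dict) -> dict:
    """Map 'rabbitmq.<perm>:<vhost>/<name>' and 'rabbitmq.tag:<tag>' scopes to permissions."""
    scopes = claims.get("scope", [])
    scopes = scopes.split() if isinstance(scopes, str) else scopes
    perms = {"configure": [], "read": [], "write": [], "tags": []}
    for scope in scopes:
        if not scope.startswith(RESOURCE_SERVER_ID + "."):
            continue  # scopes without the resource_server_id prefix grant nothing in RabbitMQ
        kind, _, target = scope[len(RESOURCE_SERVER_ID) + 1:].partition(":")
        if kind == "tag":
            perms["tags"].append(target)
        elif kind in perms:
            perms[kind].append(target)
    return perms
```

Paste a real token obtained with the password grant into verify_token to see whether its aud and scope claims match what the resource_server_id and scope configuration expect.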