Oauth2 authentication in relation with AMQP 1.0


Jeppe Pedersen

Jan 25, 2022, 3:50:40 AM
to rabbitmq-users
Hi all,

I have successfully configured rabbitmq (3.9.12) to use oauth2 token authentication and authorization. With a few quirks (more on that in separate posts) this works fine when using an AMQP 0.9.1 client. However, when using an AMQP 1.0 client (after enabling the amqp 1.0 plugin in my rabbitmq) the authentication fails. I tried using a C# client based on AMQP.Net Lite, but I also see the same failure when I simply create a shovel authenticating with an oauth2 token (works fine when the shovel is using 0.9.1, but fails when set to connect with 1.0).

Does the AMQP 1.0 plugin have different requirements to the payload of the JWT token?

My rabbitmq configuration:
auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = rabbit_auth_backend_internal
auth_oauth2.resource_server_id = somerabbit
auth_oauth2.default_key = F161CA5D07D0E432CF5B5565BD30CDC870A47C8E
auth_oauth2.signing_keys.F161CA5D07D0E432CF5B5565BD30CDC870A47C8E = /etc/rabbitmq/tokensign.pub
auth_oauth2.algorithms.1 = RS256

My JWT token payload:
{
  "sub": "some-device",
  "aud": "somerabbit",
  "oi_prst": "some-device",
  "client_id": "some-device",
  "oi_tkn_id": "b9b03510-b78a-4d2c-8891-d66be6e97a93",
  "scope": "somerabbit.read:*/*/* somerabbit.write:*/*/*",
  "exp": 1643099620,
  "iss": "https://localhost:5001/",
  "iat": 1643096020
}

And finally the logging of rabbitmq (edited a bit for readability):
[info] <0.6401.0> accepting AMQP connection <0.6401.0> (172.17.0.1:49700 -> 172.17.0.2:5671)
[dbug] <0.6401.0> Computing username from client's JWT token, client ID: 'some-device', sub: 'some-device'
[dbug] <0.6401.0> User 'some-device' authenticated successfully by backend rabbit_auth_backend_oauth2
[info] <0.6400.0> Supervisor {<0.6400.0>,rabbit_connection_helper_sup}: child channel_sup_sup started (<0.6402.0>): {rabbit_amqp1_0_session_sup_sup,start_link,[]}
[info] <0.6400.0> Supervisor {<0.6400.0>,rabbit_connection_helper_sup}: child collector started (<0.6403.0>): {rabbit_queue_collector,start_link,[<<"AMQP 1.0">>]}
[info] <0.6400.0> Supervisor {<0.6400.0>,rabbit_connection_helper_sup}: child heartbeat_receiver started (<0.6404.0>): {rabbit_heartbeat,start_heartbeat_receiver,[{sslsocket,{gen_tcp,#Port<0.535>,tls_connection,[{option_tracker,<0.706.0>},{session_tickets_tracker,disabled},{session_id_tracker,<0.707.0>}]},[<0.6398.0>,<0.6397.0>]},120,#Fun<rabbit_amqp1_0_reader.2.121301718>,{heartbeat_receiver,unknown}]}
[dbug] <0.6401.0> AMQP 1.0 connection.open frame: hostname = localhost, extracted vhost = /, idle_timeout = 60000
[info] <0.6405.0> Supervisor {<0.6405.0>,rabbit_amqp1_0_session_sup}: child writer started (<0.6406.0>): {rabbit_amqp1_0_writer,start_link,[{sslsocket,{gen_tcp,#Port<0.535>,tls_connection,[{option_tracker,<0.706.0>},{session_tickets_tracker,disabled},{session_id_tracker,<0.707.0>}]},[<0.6398.0>,<0.6397.0>]},0,262136,amqp10_framing,<0.6401.0>]}
[info] <0.6408.0> Supervisor {<0.6408.0>,amqp_connection_sup}: child connection_type_sup started (<0.6409.0>): {amqp_connection_type_sup,start_link,[]}
[info] <0.6408.0> Supervisor {<0.6408.0>,amqp_connection_sup}: child connection started (<0.6410.0>): {amqp_gen_connection,start_link,[<0.6409.0>,{amqp_params_direct,<<"some-device">>,none,<<"/">>,rabbit@7d975a8af389,{amqp_adapter_info,{0,0,0,0,0,65535,44049,2},5671,{0,0,0,0,0,65535,44049,1},49700,<<"172.17.0.1:49700 -> 172.17.0.2:5671">>,{'AMQP',"1.0"},[{ssl,true},{ssl_protocol,'tlsv1.2'},{ssl_key_exchange,ecdhe_rsa},{ssl_cipher,aes_256_gcm},{ssl_hash,aead}]},[]}]}
[dbug] <0.6411.0> Authentication using an OAuth 2/JWT token failed: provided token is invalid
[dbug] <0.6411.0> User 'some-device' failed authenticatation by backend rabbit_auth_backend_oauth2
[dbug] <0.6411.0> User 'some-device' failed authenticatation by backend rabbit_auth_backend_internal
[warn] <0.6407.0> Closing session for connection <0.6401.0>:
[warn] <0.6407.0> {auth_failure,"Refused"}
[erro] <0.6407.0>   crasher:
[erro] <0.6407.0>     initial call: rabbit_amqp1_0_session_process:init/1
[erro] <0.6407.0>     pid: <0.6407.0>
[erro] <0.6407.0>     registered_name: []
[erro] <0.6407.0>     exception exit: {auth_failure,"Refused"}
[erro] <0.6407.0>       in function  gen_server2:init_it/6 (gen_server2.erl, line 600)
[erro] <0.6407.0>     ancestors: [<0.6405.0>,<0.6402.0>,<0.6400.0>,<0.6399.0>,<0.698.0>,
[erro] <0.6407.0>                   <0.696.0>,<0.695.0>,<0.690.0>,<0.689.0>,rabbit_sup,
[erro] <0.6407.0>                   <0.222.0>]
[erro] <0.6407.0>     message_queue_len: 0
[erro] <0.6407.0>     messages: []
[erro] <0.6407.0>     links: [<0.6405.0>]
[erro] <0.6407.0>     dictionary: [{gen_server_call_timeout,130000}]
[erro] <0.6407.0>     trap_exit: true
[erro] <0.6407.0>     status: running
[erro] <0.6407.0>     heap_size: 1598
[erro] <0.6407.0>     stack_size: 29
[erro] <0.6407.0>     reductions: 2046
[erro] <0.6407.0>   neighbours:
[erro] <0.6407.0> 
[erro] <0.6401.0> Error on AMQP 1.0 connection <0.6401.0> (running), channel 0:
[erro] <0.6401.0> <<"Reader error: {error,
                  {{auth_failure,\"Refused\"},
                   {child,undefined,channel,
                       {rabbit_amqp1_0_session_process,start_link,
                           [{0,<0.6401.0>,<0.6406.0>,
                             {user,<<\"some-device\">>,[],
                                 [{rabbit_auth_backend_oauth2,
                                      #{<<\"aud\">> => [<<\"somerabbit\">>],
                                        <<\"client_id\">> =>
                                            <<\"some-device\">>,
                                        <<\"exp\">> => 1643099620,
                                        <<\"iat\">> => 1643096020,
                                        <<\"iss\">> =>
                                            <<\"https://localhost:5001/\">>,
                                        <<\"oi_prst\">> =>
                                            <<\"some-device\">>,
                                        <<\"oi_tkn_id\">> =>
                                            <<\"b9b03510-b78a-4d2c-8891-d66be6e97a93\">>,
                                        <<\"scope\">> =>
                                            [<<\"read:*/*/*\">>,
                                             <<\"write:*/*/*\">>],
                                        <<\"sub\">> =>
                                            <<\"some-device\">>}}]},
                             <<\"/\">>,262136,
                             {amqp_adapter_info,
                                 {0,0,0,0,0,65535,44049,2},
                                 5671,
                                 {0,0,0,0,0,65535,44049,1},
                                 49700,
                                 <<\"172.17.0.1:49700 -> 172.17.0.2:5671\">>,
                                 {'AMQP',\"1.0\"},
                                 [{ssl,true},
                                  {ssl_protocol,'tlsv1.2'},
                                  {ssl_key_exchange,ecdhe_rsa},
                                  {ssl_cipher,aes_256_gcm},
                                  {ssl_hash,aead}]},
                             <0.6403.0>}]},
                       intrinsic,300000,worker,
                       [rabbit_amqp1_0_session_process]}}}
[{rabbit_amqp1_0_reader,send_to_new_1_0_session,3,
                        [{file,\"rabbit_amqp1_0_reader.erl\"},{line,723}]},
 {rabbit_amqp1_0_reader,handle_1_0_session_frame,3,
                        [{file,\"rabbit_amqp1_0_reader.erl\"},{line,472}]},
 {rabbit_amqp1_0_reader,handle_1_0_frame,4,
                        [{file,\"rabbit_amqp1_0_reader.erl\"},{line,316}]},
 {rabbit_amqp1_0_reader,recvloop,2,
                        [{file,\"rabbit_amqp1_0_reader.erl\"},{line,118}]},
 {rabbit_reader,run,1,[{file,\"rabbit_reader.erl\"},{line,459}]},
 {rabbit_reader,start_connection,4,[{file,\"rabbit_reader.erl\"},{line,358}]},
 {proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,226}]}]">>
[info] <0.6401.0> closing AMQP connection <0.6401.0> (172.17.0.1:49700 -> 172.17.0.2:5671)
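Added example (not code from the thread or from RabbitMQ): a small offline checker for the claims a token must carry for the rabbit_auth_backend_oauth2 backend, built around the poster's own configuration and payload. It assumes the scope format documented for the OAuth2 backend, `<resource_server_id>.<permission>:<vhost>/<name>[/<routing_key>]`, strips the resource_server_id prefix the same way the log above shows the stored user with scopes `read:*/*/*` and `write:*/*/*`, and checks `aud` and `exp`. The sample token is constructed with a placeholder third segment, so `decode_jwt_payload` inspects claims only and does no signature verification; the broker's signature check against `auth_oauth2.signing_keys` is what actually decides trust. The script does not explain why the same token is accepted at connection open and rejected when the AMQP 1.0 session starts; it only lets you confirm that the token itself satisfies the backend's claim requirements before digging into the plugin.

```python
import base64
import json
import time

# Values taken from the poster's rabbitmq configuration and JWT payload.
RESOURCE_SERVER_ID = "somerabbit"
PERMISSIONS = ("configure", "read", "write")

# Constructed copy of the poster's token payload (the oi_* claims are left
# out; they play no part in the checks below).
SAMPLE_CLAIMS = {
    "sub": "some-device",
    "aud": "somerabbit",
    "client_id": "some-device",
    "scope": "somerabbit.read:*/*/* somerabbit.write:*/*/*",
    "exp": 1643099620,
    "iss": "https://localhost:5001/",
    "iat": 1643096020,
}


def _b64url(obj) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed compact JWT carrying the sample claims. The third segment is a
# placeholder, so this token is for inspecting claims only and would never
# pass RabbitMQ's signature check.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url(SAMPLE_CLAIMS),
                         "signature-placeholder"])


def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a compact JWT WITHOUT verifying the signature.

    Inspection only: RabbitMQ verifies the signature against
    auth_oauth2.signing_keys before it trusts any claim, and so must any
    code that makes authorization decisions."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_scopes(scope, resource_server_id):
    """Turn the scope claim into (permission, vhost, name, routing_key) tuples.

    Scope format: <resource_server_id>.<permission>:<vhost>/<name>[/<routing_key>]
    Scopes without this broker's prefix belong to another resource server and
    are dropped; the prefix itself is stripped, which is how the log shows the
    stored user with "read:*/*/*" and "write:*/*/*". Tag scopes
    (<resource_server_id>.tag:<tag>) are not handled here."""
    if isinstance(scope, str):          # the claim may be a string or a list
        scope = scope.split()
    prefix = resource_server_id + "."
    perms = []
    for entry in scope:
        if not entry.startswith(prefix):
            continue
        permission, sep, target = entry[len(prefix):].partition(":")
        if not sep or permission not in PERMISSIONS:
            continue
        fields = target.split("/")
        if len(fields) == 2:
            fields.append("")           # routing-key pattern is optional
        if len(fields) != 3 or not all(fields[:2]):
            continue
        perms.append((permission, fields[0], fields[1], fields[2]))
    return perms


def check_claims(claims, resource_server_id, now=None):
    """Return findings that make the token unusable on this broker.

    An empty list means the checked claims are in order; it is not a
    substitute for signature verification."""
    now = int(time.time()) if now is None else now
    findings = []
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if resource_server_id not in aud:
        findings.append(f"aud {aud} does not contain resource_server_id {resource_server_id!r}")
    exp = claims.get("exp")
    if exp is None:
        findings.append("missing exp claim")
    elif now >= exp:
        findings.append(f"token expired at {exp} (now {now})")
    if not parse_scopes(claims.get("scope", []), resource_server_id):
        findings.append("no scope carries the resource_server_id prefix; the user would get no permissions")
    return findings


if __name__ == "__main__":
    claims = decode_jwt_payload(SAMPLE_TOKEN)
    print("permissions:", parse_scopes(claims["scope"], RESOURCE_SERVER_ID))
    print("findings shortly after iat:", check_claims(claims, RESOURCE_SERVER_ID, now=1643096100))
    print("findings now:", check_claims(claims, RESOURCE_SERVER_ID))
```

Run it against a real token by replacing SAMPLE_TOKEN with the access token your identity provider issued; a token that passes `check_claims` but is still refused by the broker points at signature or key-id (`auth_oauth2.default_key` / `signing_keys`) problems, or at plugin behaviour like the AMQP 1.0 session failure in this thread, rather than at the claims.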

Wes Peng

Jan 25, 2022, 5:48:53 AM
to rabbitm...@googlegroups.com
I doubt this is a bug. Maybe you can submit an issue.

regards.

Jeppe Pedersen

Jan 28, 2022, 2:49:49 AM
to rabbitmq-users

Thanks Wes, I submitted issue 4054.