RabbitMQ OAuth 2.0 not working with Azure AD

[Sandeep gaddam]

I am trying to use OAuth2 on rabbitmq with provider Azure AD (only for the management UI). I am using RabbitMQ 3.11.26 with three node cluster.

On rabbitmq side, I have put this configuration :

auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = rabbit_auth_backend_internal
auth_oauth2.https.peer_verification = verify_none
auth_oauth2.resource_server_id=<client_id>
auth_oauth2.jwks_url=https://login.microsoftonline.com/<Tenat ID>/discovery/v2.0/keys
auth_oauth2.additional_scopes_key=roles
management.oauth_enabled=true
management.oauth_client_id=<client ID>
management.oauth_provider_url=https://login.microsoftonline.com/<Tenat ID>

When I connect to management UI I have the 'Click Here to Login' Button as expected with the used plugin but when I click, I have Not Authorized error.

Authentication using an OAuth 2/JWT token failed: {error,{failed_connect,[{to_address,{"login.microsoftonline.com",443}}, {inet,[inet],closed}]}}

JWT content looks good for me. I can see the roles as well.

Please help me to resolve this issue.

[Luke Bakken]

Hello,

It looks as though the TCP connection was abruptly closed. Do you have access to logs from the Azure environment?

[Sandeep gaddam]

Hi Luke,

Thanks for the response.

I dont have access to logs from Azure.

Is there any way to debug it?

Thanks & Regards,

Sandeep

[Luke Bakken]

failed_connect is pretty self-explanatory.

• Has this environment ever worked?
• You are using an old version of RabbitMQ and should upgrade.

[Sandeep gaddam]

Hi Luke,

It is throwing that error from RabbitMQ, but if do ping, traceroute from the server it is working fine to that address. Not sure why it is throwing failed_connect from rabbitMQ.

Regarding the version, 3.11.26 is supported version for Azure AD integration according to the docs.

Thanks & Regards,

Sandeep

[Luke Bakken]

From the RabbitMQ server, please run this command. Save the output to a file and attach the file to your response:

openssl s_client -connect login.microsoftonline.com:443

• What Erlang version are you using?
• What operating system?
• Again - has this environment ever worked?

On Thursday, March 7, 2024 at 9:00:30 AM UTC-8 sandeep...@gmail.com wrote:

Hi Luke,

[Sandeep gaddam]

Hi Luke,

I have attached the output of the command.

PFB.

• What Erlang version are you using? --> 25.3.2.7
• What operating system? --> SUSE Linux Enterprise Server, Version - 15.4
• Again - has this environment ever worked? --> This is first time trying to integrate it with Azure AD.

Thanks & Regards,

Sandeep

[Luke Bakken]

Sandeep,

Please take the time to do some diagnosis yourself - https://www.google.com/search?q=openssl+%22s_client%22+%22no+peer+certificate+available%22

What the output from openssl s_client shows is that the connection is successful, but the server's certificate can't be verified. This is expected, because the openssl command does not use system certificates by default, and, most importantly, neither does Erlang or RabbitMQ.

For some reason, even though you are disabling peer verification, my guess is that the TLS part of the connection is not working to Azure.

On your RabbitMQ server, please do the following:

• Run the erl command. You should be given an interactive shell.
• At the shell, enter the following (note that the period at the end is significant):

ssl:start(), ssl:connect("login.microsoftonline.com", 443, [{verify, verify_none}]).

You should see output like this:

{ok,{sslsocket,{gen_tcp,#Port<0.7>,tls_connection,undefined},
               [<0.137.0>,<0.136.0>]}}

Please capture the complete terminal session to a file and attach it to your next response.

[Luke Bakken]

Finally, I probably won't continue to assist you as I shouldn't be providing community support for RabbitMQ 3.11.

We may learn something interesting from my last set of instructions, which is why I provided them.

At this point, I do not believe this to be a RabbitMQ issue, but something specific to your environment.