rabbitmq-auth-backend-http not accepting valid responses.

[Jesse Kindwall]

We're running a CloudAMQP RabbitMQ cluster in Azure, and I've set up a few http-triggered Azure Functions to act as auth endpoints for the rabbitmq-auth-backend-http plugin.

I'm currently waiting on a response from CloudAMQP support on this issue, but I thought I'd throw it out here in the mean time to see if anyone has any ideas.


RabbitMQ Version: 3.7.4
Erlang Version: 20.1

Plugin Configuration:

(Note: this is the config I gave the support people to use.  They said they enabled just the http plugin first and would enable the cahce plugin once we confirmed the http plugin was working.)
auth_backends.1 = cache
auth_cache.cached_backend = http
auth_cache.cache_ttl = 300000
auth_http.http_method   = post
auth_http.user_path     = https://xxx.azurewebsites.net/api/auth/user?code=xxxxxx
auth_http.vhost_path    = https://xxx.azurewebsites.net/api/auth/vhost?code=xxxxxx
auth_http.resource_path = https://xxx.azurewebsites.net/api/auth/resource?code=xxxxxx
auth_http.topic_path    = https://xxx.azurewebsites.net/api/auth/topic?code=xxxxxx


Made two attempts to connect, one with invalid credentials and one with valid credentials.
Both attempts failed with an authentication failure exception.
I have confirmed that my Azure Function endpoints were called by the plugin and handled their requests correctly.

In the RabbitMQ Logs, I see the following for the two attempts.

=INFO EVENT==== Tue, 24 Apr 2018 20:31:29 GMT ===
2018-04-24 20:31:29.234 [info] <0.1786.0> accepting AMQP connection <0.1786.0> (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx)

=ERROR EVENT==== Tue, 24 Apr 2018 20:31:32 GMT ===
2018-04-24 20:31:32.709 [error] <0.1786.0> Error on AMQP connection <0.1786.0> (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx, state: starting):
PLAIN login refused: rabbit_auth_backend_http failed authenticating NormanBobberson: {bad_response,
                                                                 "deny"}


=INFO EVENT==== Tue, 24 Apr 2018 20:31:32 GMT ===
2018-04-24 20:31:32.749 [info] <0.1786.0> closing AMQP connection <0.1786.0> (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx)

=INFO EVENT==== Tue, 24 Apr 2018 20:31:53 GMT ===
2018-04-24 20:31:53.212 [info] <0.1798.0> accepting AMQP connection <0.1798.0> (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx)

=ERROR EVENT==== Tue, 24 Apr 2018 20:31:53 GMT ===
2018-04-24 20:31:53.263 [error] <0.1798.0> Error on AMQP connection <0.1798.0> (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx, state: starting):
PLAIN login refused: rabbit_auth_backend_http failed authenticating NormanBobberson: {bad_response,
                                                                 "allow"}


=INFO EVENT==== Tue, 24 Apr 2018 20:31:53 GMT ===
2018-04-24 20:31:53.294 [info] <0.1798.0> closing AMQP connection <0.1798.0> (xx.xx.xx.xx:xx -> xx.xx.xx.xx:xx)

Originally I was returning the allow/deny responses as json, but I fixed them to only respond in plain text and these log messages along with independent tests with Fiddler confirm that responses are now in plain text, however the plugin is still rejecting plain text "allow" and "deny" responses with bad_response.

[Michael Klishin]

Please take a look at the examples and compare your code with them:

https://github.com/rabbitmq/rabbitmq-auth-backend-http/tree/master/examples

One possible reason is newlines and non-printable characters your endpoint might be returning.

The plugin has been around for years and doesn't do anything particularly clever with response bodies.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

MK

Staff Software Engineer, Pivotal/RabbitMQ

[Jesse Kindwall]

Thanks, while the examples in that link didn't much help, your suggestion to look closer at my response content pointed me in the right direction.  I noticed while looking at my endpoint responses in fiddler that the Conent-Length seemed to be wrong (8 for an "allow" response and 7 for a "deny" response).   Did some digging and realized that AspNet was defaulting to encoding "text/plain" content as UTF-8 with a BOM (3 byte "Byte Order Mark" prepended to the encoded text).  It seems the plugin doesn't recognize the response when encoded with a BOM.  Once I updated my endpoints to force UTF-8 encoding without a BOM, fiddler started showing the expected Content-Length values and the plugin started working.

The puzzling thing is that according to the .NET documaentation, the System.Text.Encoding.UTF8 property defaults to encoding with a BOM, and that's exactly what the .NET web api example on github is using.  So it looks like the github .NET example should be encountering the same issue I was having before I fixed my encoding.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hi Jesse -

I suspect that the example has had this issue all along. If you have a second to review some code, I'm assuming your fix is something like this - https://github.com/rabbitmq/rabbitmq-auth-backend-http/pull/67

Thanks,

Luke

[Michael Klishin]

Haha, I wouldn't have thought of BOM. Thank you for reporting back, Luke already fixed the example.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Jesse Kindwall]

Yep, that's pretty much the same as my fix.

[Luke Bakken]

Great, thank you for reviewing it.