RabbitMQ integration with Okta for authentication
700 views
Skip to first unread message
Saifeddine Rajhi
Apr 28, 2023, 7:48:29 AM4/28/23
to rabbitmq-users
Hello,
Does anyone managed to integrate rabbitMQ with okta(OIDC - OpenID Connect) for authentication, because I could not even though I followed all possible documents
Thank you in advance
Marcial Rosales
May 3, 2023, 3:29:14 AM5/3/23
to rabbitmq-users
Hi, can you please share which steps you followed? where it failed? which version of rabbitmq?
THANKS
Saifeddine Rajhi
May 4, 2023, 1:47:51 PM5/4/23
to rabbitmq-users
Hello,
[
{rabbit, [
{auth_backends, [rabbit_auth_backend_oauth2]}
]},
{rabbitmq_management, [
{oauth_enabled, true},
{oauth_client_id, "xxxxxxxx"},
{oauth_provider_url, "https://dev-xxxxxx.okta.com/oauth2/xxxxxxxxx"},
{oauth_scopes, "extra_scope"}
]},
{rabbitmq_auth_backend_oauth2, [
{resource_server_id, <<"rabbitmq">>},
{key_config, [
{jwks_url, <<"https://dev-xxxxx.okta.com/oauth2/xxxx/v1/keys">>}
]}
]}
1- I created a Single Page App (SPA) in Okta with Sign-in redirect URIs = http://domain-name:15672/js/oidc-oauth/login-callback.html
2 - Grant type of the app : Client acting on behalf of a user Authorization Code
3- I installed rabbitmq in debian 11 server with plugin oauth2
4- I followed this demo : https://github.com/rabbitmq/rabbitmq-oauth2-tutorial
5- I made advanced.config file as below :
{rabbit, [
{auth_backends, [rabbit_auth_backend_oauth2]}
]},
{rabbitmq_management, [
{oauth_enabled, true},
{oauth_client_id, "xxxxxxxx"},
{oauth_provider_url, "https://dev-xxxxxx.okta.com/oauth2/xxxxxxxxx"},
{oauth_scopes, "extra_scope"}
]},
{rabbitmq_auth_backend_oauth2, [
{resource_server_id, <<"rabbitmq">>},
{key_config, [
{jwks_url, <<"https://dev-xxxxx.okta.com/oauth2/xxxx/v1/keys">>}
]}
]}
].
I tried everything but did not work
I have problem with scope or token probably:
HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
Authentication using an OAuth 2/JWT token failed: provided token is invalid
User 'xxxxx' authentication failed with error:function_clause:
Marcial Rosales
May 5, 2023, 2:44:24 AM5/5/23
to rabbitmq-users
Thanks. Can you paste here the token okta sends to RabbitMQ?
Saifeddine Rajhi
May 5, 2023, 3:22:03 AM5/5/23
to rabbitmq-users
Hello,
I want to thank you for your prompt feedback
I want to thank you for your prompt feedback
I have followed another thread, I found yesterday and I change my config file as below
[
{
rabbit,
[
{auth_backends, [rabbit_auth_backend_oauth2]}
]
},
{
rabbitmq_management,
[
{oauth_enabled, true},
{
rabbit,
[
{auth_backends, [rabbit_auth_backend_oauth2]}
]
},
{
rabbitmq_management,
[
{oauth_enabled, true},
{oauth_client_id, "0oa9efwnr2Zl2Dqt35d7"},
{oauth_provider_url, "https://dev-xxxxxx.okta.com/oauth2/default"},
{oauth_scopes, "openid"}
]
},
{
rabbitmq_auth_backend_oauth2,
[
{resource_server_id, <<"Client_id_okta">>},
{scope_aliases, #{
<<"openid">> => [
<<"Client_id_okta.read:*/*">>,
<<"Client_id_okta.write:*/*">>,
<<"Client_id_okta.configure:*/*">>
]
}
},
{key_config,
[
{jwks_url, <<"https://dev-xxxxx.okta.com/oauth2/default/v1/keys">>}
]}
]}
].
{oauth_provider_url, "https://dev-xxxxxx.okta.com/oauth2/default"},
{oauth_scopes, "openid"}
]
},
{
rabbitmq_auth_backend_oauth2,
[
{resource_server_id, <<"Client_id_okta">>},
{scope_aliases, #{
<<"openid">> => [
<<"Client_id_okta.read:*/*">>,
<<"Client_id_okta.write:*/*">>,
<<"Client_id_okta.configure:*/*">>
]
}
},
{key_config,
[
{jwks_url, <<"https://dev-xxxxx.okta.com/oauth2/default/v1/keys">>}
]}
]}
].
Below screen of token from jwt.io
In rabbitMQ server, I have below errors:
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> Authentication using an OAuth 2/JWT token failed: {invalid_aud,
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> {resource_id_not_found_in_aud,
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> <<"xxxxxx">>,
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> [<<"everyone">>]}}
2023-05-05 09:14:45.298100+02:00 [debug] <0.800.0> User 'xxxxxxxx' failed authenticatation by backend rabbit_auth_backend_oauth2
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: {invalid_aud,
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> {resource_id_not_found_in_aud,
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> <<"xxxxxxxxxxxxxxx">>,
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> [<<"everyone">>]}}
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> {resource_id_not_found_in_aud,
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> <<"xxxxxx">>,
2023-05-05 09:14:45.298007+02:00 [debug] <0.800.0> [<<"everyone">>]}}
2023-05-05 09:14:45.298100+02:00 [debug] <0.800.0> User 'xxxxxxxx' failed authenticatation by backend rabbit_auth_backend_oauth2
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: {invalid_aud,
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> {resource_id_not_found_in_aud,
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> <<"xxxxxxxxxxxxxxx">>,
2023-05-05 09:14:45.298191+02:00 [warning] <0.800.0> [<<"everyone">>]}}
Saifeddine Rajhi
May 5, 2023, 4:09:27 AM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
I added a line in rabbitmq_auth_backend_oauth2 block
{scope_aliases, #{
<<"openid">> => [
<<"xxxxxxxxxx.read:*/*">>,
<<"xxxxxxxxxx.write:*/*">>,
<<"openid">> => [
<<"xxxxxxxxxx.read:*/*">>,
<<"xxxxxxxxxx.write:*/*">>,
<<"xxxxxxxxxx.configure:*/*">>,
<<"xxxxxxxxxx.tag:management">>
<<"xxxxxxxxxx.tag:management">>
]
}
},
}
},
then in okta created group, I added my okta user x...@xxx.com to that group, I assigned the app that group
Now in rabbitmq logs I have below error:
User 'x...@xxx.com' authenticated successfully by backend rabbit_auth_backend_oauth2
HTTP access denied: user 'x...@xxx.com' - Not management user
I tried to add user in server cli but same error
rabbitmqctl add_user x...@xxx.com
rabbitmqctl set_user_tags "x...@xxx.com" management
Marcial Rosales
May 5, 2023, 5:10:27 AM5/5/23
to rabbitmq-users
Hi, I saw your question in the other thread where I also helped them.
You need to read a bit more the docs, in particular what it is expected from a JWT token. See this section, https://www.rabbitmq.com/oauth2.html#token-validation, where it explains what the audience is and what value should have. Then see the error RabbitMQ is reporting `resource_id_not_found_in_aud`. And then check `aud` claim in your token. See that they do not match. You can disable audience validation though but that should not be the way to do it but to configure Okta to send you the appropriate audience.
Then, It looks like the scopes are carried in the "scp" claim whereas RabbitMQ by default uses "scope" claim. There is a way to configure the name of the claim where to find the scopes (see https://www.rabbitmq.com/oauth2.html#use-different-token-field). The mapping of the scope "openid" to those rabbitmq scopes is your only alternative if Okta does not allow you to create custom scopes. In Github there is no way but in Okta I have not checked.
So, in your configuration you still have to fix the audience and `extra_scopes_source`.
Saifeddine Rajhi
May 5, 2023, 5:31:08 AM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Hello Marcial,
Thank you very much for the support. I appreciate it
I think you missed my last message, that error (resource_id_not_found_in_aud) is not there anymore, now aud in token === resource_server_id === auth_okta_client_id
But I am running into another one:
User 'x...@xxx.com' authenticated successfully by backend rabbit_auth_backend_oauth2
HTTP access denied: user 'x...@xxx.com' - Not management user
token in jwt.io
where auth_okta_client_id == okta client id
{ "ver": 1, "jti": "xxxxxxx", "iss": "https://dev-xxxx.okta.com/oauth2/default", "aud": "auth_okta_client_id", "iat": 1683278562, "exp": 1683282162, "cid": "auth_okta_client_id", "uid": "00u3wc7ta8OTWXJSs5d7", "scp": [ "openid" ], "auth_time": 1683278560, "sub": "ma...@domain.com"}
advanced.config file :
[
{
rabbit,
[
{auth_backends, [rabbit_auth_backend_oauth2]}
]
},
{
rabbitmq_management,
[
{oauth_enabled, true},
{
rabbit,
[
{auth_backends, [rabbit_auth_backend_oauth2]}
]
},
{
rabbitmq_management,
[
{oauth_enabled, true},
{oauth_client_id, "auth_okta_client_id"},
{oauth_provider_url, "https://dev-xxxxx.okta.com/oauth2/default"},
{oauth_scopes, "openid"}
]
},
{
rabbitmq_auth_backend_oauth2,
[
{resource_server_id, <<"auth_okta_client_id">>},
{scope_aliases, #{
<<"openid">> => [
<<"auth_okta_client_id.read:*/*">>,
<<"auth_okta_client_id.write:*/*">>,
<<"auth_okta_client_id.configure:*/*">>,
<<"auth_okta_client_id.tag:management">>
]
}
},
{key_config,
[
{jwks_url, <<"https://dev-xxxxxx.okta.com/oauth2/default/v1/keys">>}
]}
]}
].
{oauth_provider_url, "https://dev-xxxxx.okta.com/oauth2/default"},
{oauth_scopes, "openid"}
]
},
{
rabbitmq_auth_backend_oauth2,
[
{resource_server_id, <<"auth_okta_client_id">>},
{scope_aliases, #{
<<"openid">> => [
<<"auth_okta_client_id.read:*/*">>,
<<"auth_okta_client_id.write:*/*">>,
<<"auth_okta_client_id.configure:*/*">>,
<<"auth_okta_client_id.tag:management">>
]
}
},
{key_config,
[
{jwks_url, <<"https://dev-xxxxxx.okta.com/oauth2/default/v1/keys">>}
]}
]}
].
In okta I have Single Page App (SPA)
It has been two weeks, since I try to make it work but it is not simple as it looks, that is why I am here
Marcial Rosales
May 5, 2023, 5:50:03 AM5/5/23
to rabbitmq-users
You have missed one of the two recommendations I made.
Marcial Rosales
May 5, 2023, 5:53:11 AM5/5/23
to rabbitmq-users
Look at the thread you were following, https://groups.google.com/g/rabbitmq-users/c/P1ZMYLrLW7k/m/y0WMcF7ZAwAJ.
see that they have configured that the scopes are found in the "roles" claim. In your case, the scopes come in the "scp" claim.
Saifeddine Rajhi
May 5, 2023, 6:19:35 AM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Thank you very much Marcial
I appreciate your support, it helped me alot
Marcial Rosales
May 5, 2023, 6:31:20 AM5/5/23
to rabbitmq-users
Ok, have you been able to fully authenticate your users thru the browser? or you are only accessing the management rest api?
Saifeddine Rajhi
May 5, 2023, 9:46:43 AM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Hello Marcial,
I got access to UI but as admin, I mean I could not change UI view based on scope
{
rabbitmq_auth_backend_oauth2,
[
{resource_server_id, <<"0oa9efwnr2Zl2Dqt35d7">>},
{scope_aliases, #{
<<"openid">> => [
<<"0oa9efwnr2Zl2Dqt35d7.read:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.write:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.configure:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.tag:administrator">>
],
<<"demo">> => [
<<"0oa9efwnr2Zl2Dqt35d7.read:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.tag:monitoring">>
]
}},
rabbitmq_auth_backend_oauth2,
[
{resource_server_id, <<"0oa9efwnr2Zl2Dqt35d7">>},
{scope_aliases, #{
<<"openid">> => [
<<"0oa9efwnr2Zl2Dqt35d7.read:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.write:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.configure:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.tag:administrator">>
],
<<"demo">> => [
<<"0oa9efwnr2Zl2Dqt35d7.read:*/*">>,
<<"0oa9efwnr2Zl2Dqt35d7.tag:monitoring">>
]
}},
I have two scopes "opened demo" , So I thought I should see two different UI, but it was not the case
Marcial Rosales
May 5, 2023, 11:18:00 AM5/5/23
to rabbitmq-users
Thanks ! you are doing really well. But i think you should create another custom role like "monitoring" rather than " demo" and another one like "admin" and leave openid without any mapping.
I think all your users have the openid scope. You should notice a difference between administrator and management or monitoring. With the latter you cannot create users.
Marcial Rosales
May 5, 2023, 11:18:54 AM5/5/23
to rabbitmq-users
Would you be kind to create a PR on the oauth2 tutorial repository to include "Okta" as use case. Take as a reference Azure or Keycloak.
Saifeddine Rajhi
May 5, 2023, 11:50:38 AM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Thank you I will do for sure once I get it work
{resource_server_id, <<"xxxxxxxxx">>},
{scope_aliases, #{
<<"admin">> => [
<<"xxxxxxxxx.read:*/*">>,
<<"xxxxxxxxx.write:*/*">>,
<<"xxxxxxxxx.configure:*/*">>,
<<"xxxxxxxxx.tag:administrator">>
],
<<"monitiring">> => [
<<"xxxxxxxxx.tag:monitoring">>
]
}},
{extra_scopes_source, <<"scp">>},
In the meanwhile the error stills there even after changes
config file
.....
rabbitmq_auth_backend_oauth2,
[{resource_server_id, <<"xxxxxxxxx">>},
{scope_aliases, #{
<<"admin">> => [
<<"xxxxxxxxx.read:*/*">>,
<<"xxxxxxxxx.write:*/*">>,
<<"xxxxxxxxx.configure:*/*">>,
<<"xxxxxxxxx.tag:administrator">>
],
<<"monitiring">> => [
<<"xxxxxxxxx.tag:monitoring">>
]
}},
{extra_scopes_source, <<"scp">>},
.........
my token in jwt.io
{
"ver": 1,
"jti": "AT.xxxxxx",
"iss": "https://dev-xxxxxx.okta.com/oauth2/default",
"aud": "0oa9efwnr2Zl2Dqt35d7",
"iat": 1683301280,
"exp": 1683304880,
"cid": "xxxxxxxxx",
"uid": "xxxxxxxxx",
"scp": [
"admin",
"monitoring"
],
"auth_time": 1683295425,
"sub": "rabbitmq"
}
"ver": 1,
"jti": "AT.xxxxxx",
"iss": "https://dev-xxxxxx.okta.com/oauth2/default",
"aud": "0oa9efwnr2Zl2Dqt35d7",
"iat": 1683301280,
"exp": 1683304880,
"cid": "xxxxxxxxx",
"uid": "xxxxxxxxx",
"scp": [
"admin",
"monitoring"
],
"auth_time": 1683295425,
"sub": "rabbitmq"
}
Same RabbitMQ UI after connecting to two different accounts
if I understand correctly now it is okta conf not rabbitmq side ?
Marcial Rosales
May 5, 2023, 11:59:26 AM5/5/23
to rabbitmq-users
You are not getting errors, are you? I mean, everything is working fine. Except that the ui does not look as you expect ... am I right ?
Your UI looks the same because you are assigning both scopes to the same user. You should use two different user and each user has only one of the two scopes.
When you login to Okta using a user who only has the scope "monitoring", when that user comes back to the mangement ui , it should not be able to see most of the options available in the right menu, for instance, users.
Marcial Rosales
May 5, 2023, 12:00:33 PM5/5/23
to rabbitmq-users
Also, i believe your user is called "rabbitmq" because that is the name that appears in the claim "sub". Once you use two different users, you should see the name of the user in the top right corner of the management ui.
Saifeddine Rajhi
May 5, 2023, 12:12:28 PM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
I should check okta docs on how to assign scopes to user, that is the missing piece in the puzzle
Saifeddine Rajhi
May 5, 2023, 12:50:40 PM5/5/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
It seems not possible to set a scope based on group membership in okta/rabbitMQ. I’ve only found a way to set a scope on an API server, which means that everyone using that API server will have the same permissions. This prevents me from differentiating between monitoring and admin user.
Saifeddine Rajhi
May 8, 2023, 3:09:15 AM5/8/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Dear Marcial,
Thank you very much for the support
It works now
I did also a PR on the repo with okta use case
Saifeddine Rajhi
May 8, 2023, 3:29:28 AM5/8/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
I am unable to push :(
git push --set-upstream origin origin/oauth2-proxy
ERROR: Permission to rabbitmq/rabbitmq-oauth2-tutorial.git denied to seifrajhi.
fatal: Could not read from remote repository.
Please make sure you have the correct access rights
and the repository exists.
git remote -v
origin g...@github.com:rabbitmq/rabbitmq-oauth2-tutorial.git (fetch)
origin g...@github.com:rabbitmq/rabbitmq-oauth2-tutorial.git (push)
Luke Bakken
May 8, 2023, 10:37:25 AM5/8/23
to rabbitmq-users
Why this is marked as abuse? It has been marked as abuse.
Report not abuse
Hello,
Please see these docs for how to create a pull request:
Reply all
Reply to author
Forward
0 new messages