SSO & OAuth2 Management UI


baptist...@gmail.com

Jan 25, 2023, 9:50:19 AM
to rabbitmq-users
Hello guys,

Do you know if there is a way to be automatically logged in when landing on the RabbitMQ Management UI Login page with OAuth2 authentication enabled?

Currently, if I land on this page with a valid JWT in the Authorization header, I still have to click on the "Click here to login" button to log in (though my password is not required), while I would expect to be automatically logged in.

I didn't find anything in the doc that could have helped :) 

Thanks!

Marcial Rosales

Jan 26, 2023, 6:24:13 AM
to rabbitmq-users
Hi, since 11.3.6 the management UI supports two modes to log in with the OAuth 2.0 protocol. The mode is configured via a new setting called `management.oauth_initiated_logon_type` (it is explained in https://www.rabbitmq.com/management.html#oauth2-authentication under the "Identity-Provider initiated logon" section).
The default mode is `sp_initiated`, which means users come to RabbitMQ without any token. Instead, RabbitMQ takes the user to the configured IdP to authenticate and get a token.
In the `idp_initiated` mode, users come straight to RabbitMQ's `/login` endpoint with a token which was signed with the configured signing key in RabbitMQ. If the token is valid and the user has the right permissions, the user is redirected to the overview page.

The use case you propose is not supported today. In other words, RabbitMQ will not look into the `Authorization` header for a token. 

Could you share more details of your setup? 
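
The two logon modes described in the reply above, as an added `rabbitmq.conf` sketch that is not part of the original thread. The hostnames, client id, resource server id, key id and key path are placeholders, and the `auth_oauth2.*` lines assume the OAuth 2.0 auth backend plugin is enabled.

```ini
# rabbitmq.conf (added example; every value below is a placeholder)

# Validate JWTs with the OAuth 2.0 backend. The PEM file holds the key
# RabbitMQ uses to verify token signatures.
auth_backends.1 = rabbit_auth_backend_oauth2
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.default_key = idp-key-1
auth_oauth2.signing_keys.idp-key-1 = /etc/rabbitmq/idp-signing-key.pem

management.oauth_enabled = true

# Mode 1 (default): sp_initiated
# The user arrives without a token; the management UI sends the browser
# to the identity provider to authenticate and obtain one.
management.oauth_initiated_logon_type = sp_initiated
management.oauth_client_id = rabbitmq-management
management.oauth_provider_url = https://idp.example.com

# Mode 2: idp_initiated
# The user is sent to the management UI's /login endpoint already holding
# a token signed with the key configured above. Use instead of Mode 1.
# management.oauth_initiated_logon_type = idp_initiated
# management.oauth_provider_url = https://portal.example.com

# Per the reply above, neither mode reads a token from the
# Authorization request header.
```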

baptist...@gmail.com

Jan 26, 2023, 11:41:15 AM
to rabbitmq-users
Hi Marcial,

Thanks for your answers and explanations. 

Actually, I have deployed RabbitMQ behind an instance of OAuth2-Proxy (https://oauth2-proxy.github.io/oauth2-proxy/), which handles authentication and then passes the request to the RabbitMQ Management UI with the JWT available in the Authorization header. The goal is just to try JWT-based SSO in a more global context, in order to ease the life of end-users and reduce the number of clicks they have to do. But again, this is just curiosity/investigation about what could be done or not, I don't have any real need here!

Thanks again :)

Marcial Rosales

Jan 27, 2023, 4:18:20 AM
to rabbitmq-users
You are welcome.

Marcial Rosales

Apr 17, 2023, 11:02:39 AM
to rabbitmq-users
Hi, RabbitMQ 3.12, which supports the oauth2-proxy use case, is about to be released. This use case is demonstrated in the OAuth2 tutorial.
Note: The tutorial deploys 3.12-rc-management

