rabbitmq-server
Allow configuration of which field retrieves the user name
Hello,
When trying to integrate RabbitMQ with this plugin and Azure Active Directory, we had an insurmountable issue: we found out in the code that we were able to define an additional field to retrieve permission scopes (it would be nice to add that to the docs, very useful feature!), but it seems the plugin will always look for the client_id field to retrieve the username and deems the token invalid if the field is not there.
Currently, we cannot have this field with Azure AD; however, there are similar fields with the same information, so I am creating this issue to enquire whether you would accept making this a configuration option with a default value of 'client_id'?
@morsok we would if you provide some examples of the token fields used by Azure AD. A doc note PR would also be considered. I assume you are referring to rabbitmq/rabbitmq-auth-backend-oauth2#41.
Hello,
Here is an example token:
{
"aud": "9167ac18-6679-4e44-bbd7-540660c805e6",
"iss": "https://login.microsoftonline.com/7bfa8236-cdfb-45d1-98fe-ee4ce511f142/v2.0",
"iat": 1594039847,
"nbf": 1594039847,
"exp": 1594043747,
"aio": "AVQAq/8QAAAA/zZ25vKpf8jwfbWvJMRI8vVxMsvetq76vzPYuqPpAnSg3YV6mZ7CjDLQ8/yQDyGJZd6XmLPPogolRxJfX3wgaaYMFEkjgcdUFgTMPctaavo=",
"name": "morsok",
"oid": "fd167172-29e7-4663-8bee-13e71d46304b",
"preferred_username": "[email protected]",
"roles": [
"9167ac18-6679-4e44-bbd7-540660c805e6.tag:administrator"
],
"sub": "W0CQeUfsjWu74osDuK2lbkLccmZWBFNwcyiaEerTBRE",
"tid": "7bfa8236-cdfb-45d1-98fe-ee4ce511f142",
"uti": "OBKo-YIHrEmsFfJRm4ReAA",
"ver": "2.0"
}
So in this example, we would set the configuration for the plugin to look for 'name' instead of 'client_id'.
I was indeed referring to rabbitmq/rabbitmq-auth-backend-oauth2#41, which led me to the discovery of the feature. I'll try to submit a doc PR next week if I can 👍
Hi @morsok
How is your PR coming along?
Hello @moanrose,
Thanks for the reminder, lots to do this summer! I've created rabbitmq/rabbitmq-auth-backend-oauth2#51 for the doc PR. I don't however have the knowledge to do a PR for the additional configuration.
Hi @morsok
I am asking because I am trying to do the exact same thing as you: to get the RabbitMQ OAuth plugin to work together with tokens issued by Azure Active Directory.
It seems, however, that the missing username field configuration is a showstopper?
I don't have the necessary Erlang skills for the additional configuration handling either (I would have to learn it first).
Ah, I understand; sadly, yes, the username field was a showstopper.
We'll probably end up using Keycloak federated to Azure AD (which will simplify RabbitMQ user management with the Keycloak GUI as a bonus).
The OAuth plugin currently falls back from client_id to sub, then to the passed Username.
See: https://github.com/rabbitmq/rabbitmq-server/blob/bea9306ff99ad8cc13e3620121d24b35cdf0802b/deps/rabbitmq_auth_backend_oauth2/src/rabbit_auth_backend_oauth2.erl#L280-L297
So far, I have been able to configure the scope field in AAD and that did work.
After modding the plugin, I could then configure the plugin to use the scope field. There seems to be a general confusion between extra_scopes_source, additional_rabbitmq_scopes, and additional_scopes_key in the plugin. I'll open a separate issue for that (see #4160).
auth_backends.1 = rabbit_auth_backend_internal
auth_backends.2 = rabbit_auth_backend_oauth2
auth_oauth2.resource_server_id = api://YOUR_GENERATED_GUID
auth_oauth2.jwks_url = https://login.microsoftonline.com/common/discovery/keys
auth_oauth2.additional_scopes_key = roles
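The following is an added example, not code from this thread or from the RabbitMQ plugin (which is written in Erlang). It models the username resolution described above (client_id, then sub, then the username passed at connect time) with the configurable username claim this issue requests, plus scope extraction via an additional_scopes_key such as `roles`. The `preferred_claim` parameter, the `resource_server_id` prefix stripping and the time-window check are assumptions made for illustration; the sample claims are the Azure AD token posted earlier in the thread.

```python
"""Resolve username and scopes from a decoded Azure AD access token.

Added example: this is NOT the rabbitmq_auth_backend_oauth2 plugin's
own code. Claim names and the fallback order follow the thread; the
`preferred_claim` setting is the hypothetical option this issue asks for.
"""

# Fallback order the thread describes for the unmodified plugin.
DEFAULT_USERNAME_CLAIMS = ("client_id", "sub")


def resolve_username(claims, passed_username=None, preferred_claim=None):
    """Return the username the broker should use, or None if nothing
    in the token (or the connection) carries one.

    preferred_claim is the hypothetical configurable claim (e.g. "name"
    or "preferred_username"); it is consulted before the defaults.
    """
    order = list(DEFAULT_USERNAME_CLAIMS)
    if preferred_claim:
        order.insert(0, preferred_claim)
    for claim in order:
        value = claims.get(claim)
        if isinstance(value, str) and value:
            return value
    # Last resort: the username supplied in the AMQP connection.
    return passed_username or None


def extract_scopes(claims, additional_scopes_key=None):
    """Collect scopes from the standard space-separated "scope" claim
    plus an optional extra claim (the config above uses "roles")."""
    scopes = []
    raw = claims.get("scope")
    if isinstance(raw, str):
        scopes.extend(raw.split())
    elif isinstance(raw, list):
        scopes.extend(raw)
    if additional_scopes_key:
        extra = claims.get(additional_scopes_key, [])
        if isinstance(extra, str):
            extra = extra.split()
        scopes.extend(extra)
    return scopes


def rabbitmq_scopes(scopes, resource_server_id):
    """Keep only scopes addressed to this resource server and strip the
    "<resource_server_id>." prefix (assumed convention, e.g.
    "<id>.tag:administrator" -> "tag:administrator")."""
    prefix = resource_server_id + "."
    return [s[len(prefix):] for s in scopes if s.startswith(prefix)]


def token_time_valid(claims, now):
    """Reject tokens used before nbf or at/after exp (epoch seconds)."""
    nbf = claims.get("nbf", 0)
    exp = claims.get("exp")
    return exp is not None and nbf <= now < exp


# Claims from the token posted in this thread (signature already
# verified against jwks_url in a real deployment; decoded payload only).
AZURE_AD_CLAIMS = {
    "aud": "9167ac18-6679-4e44-bbd7-540660c805e6",
    "iss": "https://login.microsoftonline.com/7bfa8236-cdfb-45d1-98fe-ee4ce511f142/v2.0",
    "iat": 1594039847,
    "nbf": 1594039847,
    "exp": 1594043747,
    "name": "morsok",
    "oid": "fd167172-29e7-4663-8bee-13e71d46304b",
    "preferred_username": "[email protected]",
    "roles": ["9167ac18-6679-4e44-bbd7-540660c805e6.tag:administrator"],
    "sub": "W0CQeUfsjWu74osDuK2lbkLccmZWBFNwcyiaEerTBRE",
    "tid": "7bfa8236-cdfb-45d1-98fe-ee4ce511f142",
    "ver": "2.0",
}

if __name__ == "__main__":
    # Without the new option the opaque "sub" wins; with it, "name" does.
    print(resolve_username(AZURE_AD_CLAIMS))
    print(resolve_username(AZURE_AD_CLAIMS, preferred_claim="name"))
    scopes = extract_scopes(AZURE_AD_CLAIMS, additional_scopes_key="roles")
    print(rabbitmq_scopes(scopes, AZURE_AD_CLAIMS["aud"]))
```

Running the script shows why the thread treats the fixed claim as a showstopper: without a configurable claim the broker ends up with the opaque `sub` value (or nothing at all on tokens that lack it) rather than a human-readable user, while `preferred_claim="name"` yields `morsok` and the `roles` entry resolves to the `tag:administrator` scope once the resource server prefix is stripped.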
#4103 is highly relevant here.
This issue is addressed by this PR. We are now able to tell which token claim or attribute carries the username. @michaelklishin
#6015 for visibility