
OIDC integration

Open MarcialRosales opened this issue 2 years ago • 4 comments

Proposed Changes

Today RabbitMQ management UI is tightly integrated with UAA, making it difficult to connect to other OAuth 2.0 servers. Additionally, RabbitMQ management UI uses the OAuth 2.0 implicit flow, which is no longer recommended from a security standpoint. Instead, the authorization code flow with/without PKCE are the two recommended alternatives.

The goals of this PR are:

  • connect RabbitMQ management UI with other OAuth 2.0 providers other than UAA
  • use authorization code
  • use authorization code with PKCE (out of scope, but just to mention that it should be easy to add it given that the oidc-client-ts library supports it.)

Types of Changes

What types of changes does your code introduce to this project? Put an x in the boxes that apply

  • [ ] Bug fix (non-breaking change which fixes issue #NNNN)
  • [ ] New feature (non-breaking change which adds functionality)
  • [x] Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • [ ] Documentation improvements (corrections, new content, etc)
  • [ ] Cosmetic change (whitespace, formatting, etc)
  • [ ] Build system and/or CI

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask on the mailing list. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

  • [x] I have read the CONTRIBUTING.md document
  • [ ] I have signed the CA (see https://cla.pivotal.io/sign/rabbitmq)
  • [x] I have added tests that prove my fix is effective or that my feature works
  • [x] All tests pass locally with my changes
  • [x] If relevant, I have added necessary documentation to https://github.com/rabbitmq/rabbitmq-website (https://github.com/rabbitmq/rabbitmq-website/tree/oidc-integration)
  • [ ] If relevant, I have added this change to the first version(s) in release-notes that I expect to introduce it

Further Comments

The oidc-client-ts library offers many settings which we may or may not need to touch when we are connecting RabbitMQ with a new OAuth2 authorization server. We have tested against UAA, Keycloak and Auth0 IdPs. In particular, for Auth0 we had to include the audience request parameter in the /authorize request, otherwise the JWT tokens are delivered as opaque, which are of no use to RabbitMQ. This is an example of those situations users of this plugin may encounter. The difficulty now lies in how we can expose the oidc-client-ts library's configuration in RabbitMQ's management plugin configuration. All we can do for now is to wait until we need to expose them. I am sharing this concern with the reviewer.

Manual Acceptance Tests

Setup

To run manual acceptance tests I have used the repo https://github.com/rabbitmq/rabbitmq-oauth2-tutorial. In particular, I use the script make build-uaa ; make start-uaa to launch UAA with pre-configured users and clients.

And to launch RabbitMQ, I run gmake run-broker PLUGINS="rabbitmq_management rabbitmq_auth_backend_oauth2" RABBITMQ_CONFIG_FILE=<CHANGE-TO-rabbitmq-oauth2-tutorial-folder>/conf/uaa/rabbitmq.config

Tests

  • Happy Login with rabbit_admin user
  • Logout
  • Token expiry (edit /conf/uaa/uaa.yml and adjust this configuration value: accessTokenValiditySeconds: 600). We should see in the browser console when the token expires and when it expires. We should not be kicked out from the current session.
  • RabbitMQ Session expiry (edit conf/uaa/rabbitmq.config and uncomment %% {login_session_timeout, 3}, to set a TTL of 3 minutes). We should see that after 3 minutes, we are requested to initiate the SSO login.
  • Unhappy Login due to wrong credentials of the OAuth client configured in RabbitMQ (edit conf/uaa/rabbitmq.config and add some characters to the oauth_client_id and/or to oauth_client_secret)
  • Unhappy Login with rabbit_admin2 user, which has not got the appropriate credentials for the RabbitMQ server launched with conf/uaa/rabbitmq.config

Status

  • [x] Support login, logout and refresh token flows with latest UAA
  • [x] Verify on Chrome
  • [x] Verify on Firefox
  • [x] Verify on Safari
  • [x] Verify against Keycloak IdP
  • [x] Verify against Auth0 IdP
  • [x] Verify against Azure IdP
  • [x] Add/Update tests
  • [x] Update documentation
  • [ ] Support Authorization Code with PKCE
  • [ ] Support configuration of OAuth2 endpoints rather than relying only on the OIDC discovery endpoint

MarcialRosales, May 06 '22 12:05
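As an added example (not code from this PR or from the oidc-client-ts library) of the two points the description raises: the /authorize request moves from the implicit flow to the authorization code flow (response_type=code), and Auth0 only issues a JWT access token when the request names an audience, otherwise the broker receives an opaque token it cannot validate. The endpoint, client id, redirect URI, state and tokens below are constructed placeholders; it runs under Node.js with no dependencies.

```javascript
// Build the /authorize URL for the authorization code flow. The old management UI
// used the implicit flow (response_type=token); the code flow asks for a code instead.
function buildAuthorizeUrl(authorizeEndpoint, opts) {
  const url = new URL(authorizeEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', opts.clientId);
  url.searchParams.set('redirect_uri', opts.redirectUri);
  url.searchParams.set('scope', opts.scope);
  url.searchParams.set('state', opts.state);
  // Auth0 delivers a JWT access token only when the resource server is named here;
  // without it the token comes back opaque (the situation described in the PR).
  if (opts.audience) url.searchParams.set('audience', opts.audience);
  return url.toString();
}

function decodeBase64Url(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64, 'base64').toString('utf8');
}

// Classify an access token: a JWT has three base64url segments whose first two
// decode to JSON (header, claims). Anything else is opaque and the broker cannot
// read an audience, expiry or scopes from it. Signature checking is out of scope here.
function inspectAccessToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return { kind: 'opaque' };
  try {
    const header = JSON.parse(decodeBase64Url(parts[0]));
    const claims = JSON.parse(decodeBase64Url(parts[1]));
    return { kind: 'jwt', alg: header.alg, aud: claims.aud, exp: claims.exp };
  } catch (e) {
    return { kind: 'opaque' };
  }
}

// Constructed sample JWT (unsigned placeholder signature) whose audience is the
// RabbitMQ resource server; used only to exercise inspectAccessToken().
function sampleJwt() {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc({ aud: 'rabbitmq', exp: 1700000000 })}.sig`;
}
```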

This pull request modifies the erlang.mk build only. If it is a deps update or PROJECT_ENV change, remember to sync any changes to the bazel files.

mergify[bot], Jun 02 '22 14:06

Thank you for working on this @MarcialRosales!

We've been running an updated version of https://github.com/rabbitmq/rabbitmq-server/pull/2628 (originally https://github.com/rabbitmq/rabbitmq-management/pull/754), but are really looking forward to proper support for OAuth2 / OIDC with this PR.

I've just tried running this PR in our setup with Auth0 and everything worked perfectly fine and as expected. 🥳

davidknezic, Jul 10 '22 14:07

Thanks a lot @davidknezic!! Very happy that you have validated the PR.

Is Auth0 your IdP in production? Or is it IdentityServer4?

MarcialRosales, Jul 11 '22 08:07

It's Auth0 🙂

davidknezic, Jul 11 '22 21:07