Access denied when using OAuth2 on rabbitmq with Azure AD

huangapple go评论65阅读模式
英文:

Access denied when using OAuth2 on rabbitmq with Azure AD

问题

我正在尝试在 RabbitMQ 上使用 Azure AD 提供程序进行 OAuth2(仅用于管理界面)。我正在使用 Docker 镜像 rabbitmq:3.11-management。

我已在 Azure AD 上创建了一个 SPA 应用程序注册,其中包含一个重定向 URL,指向管理界面的主页。然后,我创建了两个应用程序角色:

  • <client_id>.tag:monitoring
  • <client_id>.read:*/*

我已将这些应用程序角色分配给了自己在 Azure AD 上。

在 RabbitMQ 方面,我已设置以下配置:

auth_backends.1 = rabbitmq_auth_backend_oauth2
auth_backends.2 = internal
auth_oauth2.https.peer_verification = verify_none # 暂时
auth_oauth2.resource_server_id=<app_registration_client_id>
auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys
auth_oauth2.default_key = <JWT_key> # 以防 JWT 密钥出现问题,我从列表中选择了一个密钥
auth_oauth2.additional_scopes_key=roles
management.oauth_enabled=true
management.oauth_client_id=<app_registration_client_id>
management.oauth_client_secret=<app_registration_secret> # 没有使用,因为我尝试在应用程序注册上允许公共访问
management.oauth_provider_url=https://login.microsoftonline.com/<client_id>

当我连接到管理界面时,如预期地出现了“单击此处登录”的按钮,但当我单击时,出现了“未授权”的错误。

在 RabbitMQ 日志中,我看到以下内容(调试模式下):

2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>       [{password,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>            <<"eyJ**********8Kw">>}]],
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      []},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,try_authenticate,3,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,86}]},
...
2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.

我尝试查看 JWT 令牌的内容头,并且看到声明 'roles',其中包含我拥有的角色。

我在这里漏掉了什么?

英文:

I am trying to use OAuth2 on rabbitmq with provider Azure AD (only for the management UI). I am using the docker image rabbitmq:3.11-management.

I have created an SPA app registration on Azure AD with a redirection url to the management UI home page. I have then created two app roles :

&lt;client_id&gt;.tag:monitoring
&lt;client_id&gt;.read:*/*

I have assigned those app roles to myself on Azure AD.

On rabbitmq side, I have put this configuration :

  auth_backends.1 = rabbitmq_auth_backend_oauth2

  auth_backends.2 = internal

  auth_oauth2.https.peer_verification = verify_none #for now

  auth_oauth2.https.peer_verification = verify_none

  auth_oauth2.resource_server_id=&lt;app_registration_client_id&gt;
auth_oauth2.jwks_url=https://login.microsoftonline.com/&lt;tenant&gt;/discovery/v2.0/keys

  auth_oauth2.default_key = &lt;JWT_key&gt; # I have tried doing this in case of issue with jwt key, I have chosen a key from list

  auth_oauth2.additional_scopes_key=roles

  management.oauth_enabled=true  

  management.oauth_client_id=&lt;app_registration_client_id&gt; 

  management.oauth_client_secret=&lt;app_registration_secret&gt; #not used as I have tried to allowPublic access on app registration


  management.oauth_provider_url=https://login.microsoftonline.com/&lt;client_id&gt;

When I connect to management UI I have the 'Click Here to Login' Button as expected with the used plugin but when I click, I have Not Authorized error.

In rabbitmq logs I have this (in debug mode):

2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt; User &#39;043f5ce4-45da-478a-8c74-f7b799859141&#39; authentication failed with error:undef:
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt; [{rabbitmq_auth_backend_oauth2,user_login_authentication,
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;      [&lt;&lt;&quot;043f5ce4-45da-478a-8c74-f7b799859141&quot;&gt;&gt;,
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;       [{password,
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;            &lt;&lt;&quot;eyJ**********8Kw&quot;&gt;&gt;}]],
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;      []},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {rabbit_access_control,try_authenticate,3,
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;      [{file,&quot;rabbit_access_control.erl&quot;},{line,86}]},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {rabbit_access_control,&#39;-check_user_login/2-fun-0-&#39;,4,
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;      [{file,&quot;rabbit_access_control.erl&quot;},{line,51}]},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {lists,foldl,3,[{file,&quot;lists.erl&quot;},{line,1350}]},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {rabbit_access_control,check_user_login,2,
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;      [{file,&quot;rabbit_access_control.erl&quot;},{line,36}]},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {rabbit_mgmt_util,is_authorized,7,[{file,&quot;rabbit_mgmt_util.erl&quot;},{line,280}]},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {cowboy_rest,call,3,[{file,&quot;src/cowboy_rest.erl&quot;},{line,1575}]},
2023-06-06 06:04:20.426917+00:00 [debug] &lt;0.15140.0&gt;  {cowboy_rest,is_authorized,2,[{file,&quot;src/cowboy_rest.erl&quot;},{line,368}]}]
2023-06-06 06:04:20.427353+00:00 [warning] &lt;0.15140.0&gt; HTTP access denied: User &#39;043f5ce4-45da-478a-8c74-f7b799859141&#39; authentication failed with internal error. Enable debug logs to see the real error.

I have tried to see the content headers of the JWT Token and the result is that I see the claim 'roles' and I see in it the roles I have...

What am I missing here ?

答案1

得分: 0

以下是要翻译的内容:

问题在于插件名称和模块名称之间存在混淆:auth_backends.1 = rabbitmq_auth_backend_oauth2

正确的是:auth_backends.1 = rabbit_auth_backend_oauth2

讨论链接:https://github.com/rabbitmq/rabbitmq-server/discussions/8512

英文:

So here is the issue, it was a confusion between the plugin name and module name: auth_backends.1 = rabbitmq_auth_backend_oauth2

The right one is : auth_backends.1 = rabbit_auth_backend_oauth2

Discussion: https://github.com/rabbitmq/rabbitmq-server/discussions/8512

huangapple
  • 本文由 发表于 2023年6月6日 13:54:32
  • 转载请务必保留本文链接:https://go.coder-hub.com/76411770.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定