英文:
Access denied when using OAuth2 on rabbitmq with Azure AD
问题
我正在尝试在 RabbitMQ 上使用 Azure AD 提供程序进行 OAuth2(仅用于管理界面)。我正在使用 Docker 镜像 rabbitmq:3.11-management。
我已在 Azure AD 上创建了一个 SPA 应用程序注册,其中包含一个重定向 URL,指向管理界面的主页。然后,我创建了两个应用程序角色:
<client_id>.tag:monitoring<client_id>.read:*/*
我已将这些应用程序角色分配给了自己在 Azure AD 上。
在 RabbitMQ 方面,我已设置以下配置:
auth_backends.1 = rabbitmq_auth_backend_oauth2auth_backends.2 = internalauth_oauth2.https.peer_verification = verify_none # 暂时auth_oauth2.resource_server_id=<app_registration_client_id>auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keysauth_oauth2.default_key = <JWT_key> # 以防 JWT 密钥出现问题,我从列表中选择了一个密钥auth_oauth2.additional_scopes_key=rolesmanagement.oauth_enabled=truemanagement.oauth_client_id=<app_registration_client_id>management.oauth_client_secret=<app_registration_secret> # 没有使用,因为我尝试在应用程序注册上允许公共访问management.oauth_provider_url=https://login.microsoftonline.com/<client_id>
当我连接到管理界面时,如预期地出现了“单击此处登录”的按钮,但当我单击时,出现了“未授权”的错误。
在 RabbitMQ 日志中,我看到以下内容(调试模式下):
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{password,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> <<"eyJ**********8Kw">>}]],2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> []},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,try_authenticate,3,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,86}]},...2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.
我尝试查看 JWT 令牌的内容头,并且看到声明 'roles',其中包含我拥有的角色。
我在这里漏掉了什么?
英文:
I am trying to use OAuth2 on rabbitmq with provider Azure AD (only for the management UI). I am using the docker image rabbitmq:3.11-management.
I have created an SPA app registration on Azure AD with a redirection url to the management UI home page. I have then created two app roles :
<client_id>.tag:monitoring<client_id>.read:*/*
I have assigned those app roles to myself on Azure AD.
On rabbitmq side, I have put this configuration :
auth_backends.1 = rabbitmq_auth_backend_oauth2auth_backends.2 = internalauth_oauth2.https.peer_verification = verify_none #for nowauth_oauth2.https.peer_verification = verify_noneauth_oauth2.resource_server_id=<app_registration_client_id>auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keysauth_oauth2.default_key = <JWT_key> # I have tried doing this in case of issue with jwt key, I have chosen a key from listauth_oauth2.additional_scopes_key=rolesmanagement.oauth_enabled=truemanagement.oauth_client_id=<app_registration_client_id>management.oauth_client_secret=<app_registration_secret> #not used as I have tried to allowPublic access on app registrationmanagement.oauth_provider_url=https://login.microsoftonline.com/<client_id>
When I connect to management UI I have the 'Click Here to Login' Button as expected with the used plugin but when I click, I have Not Authorized error.
In rabbitmq logs I have this (in debug mode):
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{password,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> <<"eyJ**********8Kw">>}]],2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> []},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,try_authenticate,3,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,86}]},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,'-check_user_login/2-fun-0-',4,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,51}]},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,check_user_login,2,2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,36}]},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_mgmt_util,is_authorized,7,[{file,"rabbit_mgmt_util.erl"},{line,280}]},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,368}]}]2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.
I have tried to see the content headers of the JWT Token and the result is that I see the claim 'roles' and I see in it the roles I have...
What am I missing here ?
答案1
得分: 0
以下是要翻译的内容:
问题在于插件名称和模块名称之间存在混淆:auth_backends.1 = rabbitmq_auth_backend_oauth2
正确的是:auth_backends.1 = rabbit_auth_backend_oauth2
讨论链接:https://github.com/rabbitmq/rabbitmq-server/discussions/8512
英文:
So here is the issue, it was a confusion between the plugin name and module name: auth_backends.1 = rabbitmq_auth_backend_oauth2
The right one is : auth_backends.1 = rabbit_auth_backend_oauth2
Discussion: https://github.com/rabbitmq/rabbitmq-server/discussions/8512
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论