Is your feature request related to a problem? Please describe.
Some OAuth providers, like the Azure/Entra v2 endpoints, do not accept the request parameter `resource` in the authorization request. Others, like Auth0, require the `audience` parameter.
Describe the solution you'd like
RabbitMQ currently sends the following request parameters to the authorization endpoint:
- `resource`, whose default value is the `resource_server_id`
- `scope`, whose value comes from `management.oauth_scopes` or `management.oauth_resource_servers.$name.oauth_scopes`; if it is not configured it defaults to `openid profile`
- `response_type`, whose value comes from `management.oauth_response_type`; if it is not configured it defaults to `code`
- (optional) `client_secret`, whose value comes from `management.oauth_client_secret`, if present
- `client_id`, whose value comes from `management.oauth_client`
- `audience`, whose value is the `resource_server_id` (required by Auth0)
The best approach going forward is to stop providing default values and instead document the appropriate values for each of the supported OAuth providers.
The schema of `rabbitmq_auth_backend_oauth2` and `rabbitmq_management` will change to accommodate these changes.
Setting RabbitMQ OAuth2 for Azure:
If the user does not configure the Azure Registered Application for RabbitMQ with a custom signing key, the user does not need to make any further configuration. Just specify the `issuer` URL pointing to the v2.0 API.
If the user configures a custom signing key, the user can configure `discovery_endpoint_params` as follows:
Given this configuration entry, RabbitMQ uses the `issuer` followed by the default OpenID discovery endpoint path (`/.well-known/openid-configuration`) or the `auth_oauth2.discovery_endpoint_path` variable to discover all the OpenID endpoints. The returned `jwks_uri` endpoint contains the `app_id` query parameter.
Setting RabbitMQ OAuth2 for Auth0:
Auth0's users must change their RabbitMQ configuration as follows:
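The following is an added illustration, not code from the issue, from RabbitMQ, and not the RabbitMQ configuration snippet the issue refers to. It models how the authorization-request parameters listed in the issue are derived from the named management config keys, contrasting the current defaulting behaviour with the proposed explicit-only behaviour, and checks the result against the two provider constraints the issue states (Azure/Entra v2 rejects `resource`, Auth0 requires `audience`). The function names and the `management.oauth_resource` / `management.oauth_audience` keys are hypothetical placeholders, not real RabbitMQ settings.

```javascript
// Added illustration (not RabbitMQ's own code). Config key names, defaults and
// provider rules come from the issue text; function names and the explicit-value
// keys below are assumptions.

// Hypothetical config keys for explicitly configured values (placeholders,
// not real RabbitMQ settings).
const EXPLICIT_KEYS = {
  resource: "management.oauth_resource",
  audience: "management.oauth_audience",
};

function buildAuthorizeParams(config, { applyDefaults }) {
  const params = { client_id: config["management.oauth_client"] };
  if (config["management.oauth_client_secret"] !== undefined) {
    params.client_secret = config["management.oauth_client_secret"];
  }
  const scope = config["management.oauth_scopes"];
  const responseType = config["management.oauth_response_type"];
  if (applyDefaults) {
    // Current behaviour described in the issue: every parameter gets a default,
    // and resource/audience are derived from resource_server_id.
    params.scope = scope ?? "openid profile";
    params.response_type = responseType ?? "code";
    params.resource = config["resource_server_id"];
    params.audience = config["resource_server_id"];
  } else {
    // Proposed behaviour: send only what the operator configured explicitly.
    if (scope !== undefined) params.scope = scope;
    if (responseType !== undefined) params.response_type = responseType;
    for (const [param, key] of Object.entries(EXPLICIT_KEYS)) {
      if (config[key] !== undefined) params[param] = config[key];
    }
  }
  return params;
}

// Provider constraints stated in the issue. Returns a list of problems;
// an empty list means the provider would accept the parameter set.
function providerIssues(params, provider) {
  const issues = [];
  if (provider === "azure-v2" && "resource" in params) {
    issues.push("The 'resource' request parameter is not supported.");
  }
  if (provider === "auth0" && !("audience" in params)) {
    issues.push("Auth0 requires the 'audience' request parameter.");
  }
  return issues;
}

// Query string as it would be appended to the authorization endpoint URL.
function authorizeQueryString(params) {
  return new URLSearchParams(params).toString();
}
```

With defaults applied, the same minimal config fails Azure v2 but passes Auth0; with explicit-only parameters it passes Azure v2 and needs the audience set for Auth0, which is the documentation-per-provider approach the issue proposes.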
MarcialRosales changed the title from "Make resource parameter in Oauth2 authorize request optional/configurable" to "Make resource parameter in Oauth2 authorization request optional/configurable" on Sep 6, 2024
MarcialRosales changed the title from "Make resource parameter in Oauth2 authorization request optional/configurable" to "Users must explicitly configure optional oauth2 request parameters rather than having RabbitMQ provide a default value" on Sep 6, 2024
MarcialRosales changed the title from "Users must explicitly configure optional oauth2 request parameters rather than having RabbitMQ provide a default value" to "Users must explicitly configure oauth2's optional request parameters rather than having RabbitMQ provide a default value" on Sep 6, 2024
We are trying to log in with rabbit's oauth plugin through Azure Active Directory and getting this error: "The 'resource' request parameter is not supported."
It appears that fixing this error is part of this feature you are actively working on, correct? We will patiently wait for it to become available if so, I just wanted to confirm and also document the exact error we are seeing to make it easier for future discovery of this issue.
@andrewclaus that is correct! It happens when you use the Azure/Entra v2 API. It does not happen with v1, though. But v1 will eventually be deprecated by Microsoft.