Update management docs with the new setting
MarcialRosales committed Sep 27, 2024
1 parent 33d1c68 commit ad2fb91
Showing 2 changed files with 27 additions and 25 deletions.
27 changes: 26 additions & 1 deletion docs/management/index.md
Expand Up @@ -375,6 +375,7 @@ To configure OAuth 2.0 in the management UI you need a [minimum configuration](#
* [Allow Basic and OAuth 2 authentication for management HTTP API](#allow-basic-auth-for-http-api)
* [Allow Basic and OAuth 2 authentication for management UI](#allow-basic-auth-for-mgt-ui)
* [Logging out of the management UI](#about-logout-workflow)
* [Configure extra parameters for authorization and token endpoints](#extra-endpoint-params)
* [Special attention to CSP header `connect-src`](#csp-header)
* [Identity-Provider initiated logon](#idp-initiated-logon)
* [Support multiple OAuth 2.0 resources](#support-multiple-resources)
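Review bot: the new list entry's anchor `#extra-endpoint-params` matches the explicit `{#extra-endpoint-params}` on the `###` heading added further down in this file, so the link resolves. The per-resource `####` variant added under "Support multiple OAuth 2.0 resources" gets no explicit anchor in this commit; if it should be reachable from this list as well, give it one in the same style.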
Expand Down Expand Up @@ -403,7 +404,7 @@ management.oauth_scopes = <SPACE-SEPARATED LIST OF SCOPES. See below>
- `oauth_scopes` is a mandatory field which must be set at all times except in the case when OAuth providers automatically grant scopes associated to the `oauth_client_id`. `oauth_scopes` is a list of space-separated strings that indicate which permissions the application is requesting. Most OAuth providers only issue tokens with the scopes requested during the user authentication. RabbitMQ sends this field along with its `oauth_client_id` during the user authentication. If this field is not set, RabbitMQ defaults to `openid profile`.

Given above configuration, when a user visits the management UI, the following two events take place:
1. RabbitMQ uses the URL found in `auth_oauth2.issuer` followed by the path `/.well-known/openid-configuration` to download the OpenID Provider configuration. It contains information about other endpoints such as the `jwks_uri` (used to download the keys to validate the token's signature) or the `token_endpoint`.
1. RabbitMQ uses the URL found in `auth_oauth2.issuer` to download the OpenID Provider configuration. Check out the [OAuth 2.0](./oauth2#discovery-endpoint-params) documentation about OpenId discovery endpoint to learn more about it.

:::warning
If RabbitMQ cannot download the OpenID provider configuration, it shows an error message and OAuth 2.0 authentication is disabled in the management UI.
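Review bot: the rewritten step 1 replaces a concrete description with a cross-reference, so confirm that `./oauth2#discovery-endpoint-params` actually exists in docs/oauth2 (the anchor is not visible in this diff). Consider keeping a short clause saying the discovery document is where RabbitMQ obtains `jwks_uri` and `token_endpoint`, because the warning block right below only makes sense to a reader who knows what fails when that download fails. Minor: the same line spells it both "OpenID" and "OpenId".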
Expand Down Expand Up @@ -505,6 +506,19 @@ RabbitMQ 3.13.1 and earlier versions require the [OpenId Connect Discovery endpo
There are other two additional scenarios which can trigger a logout. One scenario occurs when the OAuth Token expires. Although RabbitMQ renews the token in the background before it expires, if the token expires, the user is logged out.
The second scenario is when the management UI session exceeds the maximum allowed time configured on the [Login Session Timeout](#login-session-timeout).

### Configure extra parameters for authorization and token endpoints {#extra-endpoint-params}

There are some OAuth 2.0 providers which require extra parameters in the request sent to the **authorization endpoint** and/or to the **token endpoint**. These parameters are custom parameters. The Management UI already sends all the parameters required by the OAuth 2.0 Authorization Code flow.

Here is an example of setting an extra parameter called `audience` for both endpoints, the **authorization** and **token** endpoint:

```ini
management.oauth_authorization_endpoint_params.audience = some-audience-id
management.oauth_token_endpoint_params.audience = some-audience-id
```

You can configure as many parameters as you need.

### Special attention to CSP header `connect-src` {#csp-header}

To support the OAuth 2.0 protocol, RabbitMQ makes asynchronous REST calls to the [OpenId Connect Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest). If you override the default [CSP headers](#csp), you have to make sure that the `connect-src` CSP directive whitelists the [OpenId Connect Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).
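Review bot: the new section does not say how the extra parameters interact with the parameters the Management UI already sends for the Authorization Code flow (`client_id`, `redirect_uri`, `scope`, `state` and so on). State whether a configured key that collides with one of those overrides the built-in value or is ignored, since an operator who, for example, sets `redirect_uri` through `management.oauth_authorization_endpoint_params` would change the security properties of the flow without realising it. It would also help to say whether the values are sent as-is (query parameters to the authorization endpoint, form fields to the token endpoint) so readers know they are not templated. Wording: "for both endpoints, the **authorization** and **token** endpoint" reads better as "for both the **authorization** and the **token** endpoint".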
Expand Down Expand Up @@ -600,6 +614,17 @@ the following settings:
- `resource` : `rabbit_prod`
- `scopes` : `openid rabbitmq.tag:management rabbitmq.read:*/*`

#### Configure extra parameters for authorization and token endpoints

There are some OAuth 2.0 providers which require extra parameters in the request sent to the **authorization endpoint** and/or to the **token endpoint**. These parameters are custom parameters and specified per resource. The Management UI already sends all the parameters required by the OAuth 2.0 Authorization Code flow.

Here is an example of setting an extra parameter called `audience` for both endpoints for the resource `some-resource-id`:

```ini
management.oauth_resource_servers.2.id = some-resource-id
management.oauth_resource_servers.2.oauth_authorization_endpoint_params.audience = some-resource-id
management.oauth_resource_servers.2.oauth_token_endpoint_params.audience = some-resource-id
```

#### Optionally do not expose some resources in the management UI

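Review bot: in the per-resource example the `audience` value is `some-resource-id`, the same string used for the resource's `id`, whereas the top-level example uses `some-audience-id`. Unless the audience is required to equal the resource id (in which case say so explicitly), use a visibly different value here, otherwise readers may conclude the two must match. Two smaller points: the `.2.` index presumably refers to the second resource server in this page's running example (`rabbit_prod` is shown just above); make that link explicit or reuse that resource's id; and the `####` heading has no `{#...}` anchor while its `###` counterpart above does.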
25 changes: 1 addition & 24 deletions versioned_docs/version-3.13/management/index.md
Expand Up @@ -403,7 +403,7 @@ management.oauth_scopes = <SPACE-SEPARATED LIST OF SCOPES. See below>
- `oauth_scopes` is a mandatory field which must be set at all times except in the case when OAuth providers automatically grant scopes associated to the `oauth_client_id`. `oauth_scopes` is a list of space-separated strings that indicate which permissions the application is requesting. Most OAuth providers only issue tokens with the scopes requested during the user authentication. RabbitMQ sends this field along with its `oauth_client_id` during the user authentication. If this field is not set, RabbitMQ defaults to `openid profile`.

Given above configuration, when a user visits the management UI, the following two events take place:
1. RabbitMQ uses the URL found in `auth_oauth2.issuer` to download the OpenID Provider configuration. Check out the [OAuth 2.0](./oauth2#discovery-endpoint-params) documentation about OpenId discovery endpoint to learn more about it.
1. RabbitMQ uses the URL found in `auth_oauth2.issuer` followed by the path `/.well-known/openid-configuration` to download the OpenID Provider configuration. It contains information about other endpoints such as the `jwks_uri` (used to download the keys to validate the token's signature) or the `token_endpoint`.

:::warning
If RabbitMQ cannot download the OpenID provider configuration, it shows an error message and OAuth 2.0 authentication is disabled in the management UI.
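Review bot: this is the inverse of the change made to docs/management/index.md in the same commit, restoring the `/.well-known/openid-configuration` description in the 3.13 copy. That is the right call only if the `./oauth2#discovery-endpoint-params` section does not exist under versioned_docs/version-3.13; please confirm, so the two copies do not diverge for no reason.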
Expand Down Expand Up @@ -505,19 +505,6 @@ RabbitMQ 3.13.1 and earlier versions require the [OpenId Connect Discovery endpo
There are other two additional scenarios which can trigger a logout. One scenario occurs when the OAuth Token expires. Although RabbitMQ renews the token in the background before it expires, if the token expires, the user is logged out.
The second scenario is when the management UI session exceeds the maximum allowed time configured on the [Login Session Timeout](#login-session-timeout).

### Configure extra parameters for authorization and token endpoints

There are some OAuth 2.0 providers which require users send extra parameters in the `/authorize` request (**authorization endpoint**) and/or in the `/token` request (**token endpoint**). These parameters are custom parameters. The Management UI already sends all the required parameters required by the OAuth 2.0 Authorization Code flow.

For instance, Auth0 requires an extra parameter called `audience` in both endpoints, the **authorization** and **token** endpoint. This is how to configure it:

```ini
management.oauth_authorization_endpoint_params.audience = some-audience-id
management.oauth_token_endpoint_params.audience = some-audience-id
```

You can configure as many parameters as you need.

### Special attention to CSP header `connect-src` {#csp-header}

To support the OAuth 2.0 protocol, RabbitMQ makes asynchronous REST calls to the [OpenId Connect Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest). If you override the default [CSP headers](#csp), you have to make sure that the `connect-src` CSP directive whitelists the [OpenId Connect Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).
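Review bot: removing this section from the 3.13 docs implies that `management.oauth_authorization_endpoint_params` and `management.oauth_token_endpoint_params` are not available in 3.13, but neither the commit message ("the new setting") nor the new section in docs/management/index.md says which release introduces them. Add the first supported version to the new section, or leave a one-line forward reference here, so a 3.13 operator who finds the key in search does not configure something their version does not support. Also note that the deleted text named Auth0 as the provider that needs `audience`; that concrete guidance was dropped rather than moved, and it is useful to readers deciding whether the setting applies to them.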
Expand Down Expand Up @@ -613,16 +600,6 @@ the following settings:
- `resource` : `rabbit_prod`
- `scopes` : `openid rabbitmq.tag:management rabbitmq.read:*/*`

#### Configure extra parameters for authorization and token endpoints

There are some OAuth 2.0 providers which require users send extra parameters in the `/authorize` request (**authorization endpoint**) and/or in the `/token` request (**token endpoint**). These parameters are custom parameters and specified per resource. The Management UI already sends all the required parameters required by the OAuth 2.0 Authorization Code flow.

For instance, Auth0 requires an extra parameter called `audience` in both endpoints, the **authorization** and **token** endpoint. This is how to configure it:

```ini
management.oauth_resource_servers.2.oauth_authorization_endpoint_params.audience = some-audience-id
management.oauth_resource_servers.2.oauth_token_endpoint_params.audience = some-audience-id
```

#### Optionally do not expose some resources in the management UI

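Review bot: consistent with the previous hunk. Since the 3.13 copy now has no mention of endpoint parameters at all, check that no other page under versioned_docs/version-3.13 links to the removed "Configure extra parameters for authorization and token endpoints" heading, otherwise those links will dangle.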