|
1123 | 1123 | # log.file.rotation.compress = true |
1124 | 1124 |
|
1125 | 1125 |
|
| 1126 | +# |
| 1127 | +# OAuth 2 |
| 1128 | +# |
| 1129 | + |
| 1130 | +## Relevant doc guide: https://www.rabbitmq.com/docs/oauth2 |
| 1131 | + |
| 1132 | +## Enable OAuth 2 as an authentication backend |
| 1133 | +## |
| 1134 | +# auth_backends.1 = oauth2 |
| 1135 | + |
| 1136 | +## OAuth 2 resource server identifier. This value must match the 'aud' field |
| 1137 | +## in JWT tokens presented by clients. |
| 1138 | +## |
| 1139 | +# auth_oauth2.resource_server_id = rabbitmq |
| 1140 | + |
| 1141 | +## OAuth 2 provider issuer URL. RabbitMQ will use this to discover |
| 1142 | +## IDP endpoints, such as JWKS URI for downloading signing keys |
| 1143 | +## |
| 1144 | +# auth_oauth2.issuer = https://my-oauth2-provider.com/realm/rabbitmq |
| 1145 | + |
| 1146 | +## JWKS endpoint URL. Optional if issuer is configured. |
| 1147 | +## This URL MUST use HTTPS, by design. |
| 1148 | +## |
| 1149 | +# auth_oauth2.jwks_uri = https://my-oauth2-provider.com/jwks.json |
| 1150 | + |
| 1151 | +## Configure which JWT claims should be used for extracting the username. |
| 1152 | +## |
| 1153 | +# auth_oauth2.preferred_username_claims.1 = user_name |
| 1154 | +# auth_oauth2.preferred_username_claims.2 = preferred_username |
| 1155 | + |
| 1156 | +## Configure additional fields to look for scopes in the token |
| 1157 | +## |
| 1158 | +# auth_oauth2.additional_scopes_key = extra_scope |
| 1159 | + |
| 1160 | +## Custom scope prefix instead of resource_server_id |
| 1161 | +## |
| 1162 | +# auth_oauth2.scope_prefix = api:// |
| 1163 | + |
| 1164 | +## Map custom scopes to RabbitMQ scopes |
| 1165 | +## |
| 1166 | +# auth_oauth2.scope_aliases.admin = rabbitmq.tag:administrator |
| 1167 | +# auth_oauth2.scope_aliases.developer = rabbitmq.tag:management rabbitmq.read:*/* rabbitmq.write:*/* rabbitmq.configure:*/* |
| 1168 | + |
| 1169 | +## Disable audience validation (not recommended) |
| 1170 | +## |
| 1171 | +# auth_oauth2.verify_aud = false |
| 1172 | + |
| 1173 | +## Enable OAuth 2 in the management UI |
| 1174 | +## |
| 1175 | +# management.oauth_enabled = true |
| 1176 | + |
| 1177 | +## Controls OAuth client ID for the management UI |
| 1178 | +## |
| 1179 | +# management.oauth_client_id = rabbitmq-management |
| 1180 | + |
| 1181 | +## Allows disable Basic HTTP Authentication. Opt-in to use JWT tokens exclusively. |
| 1182 | +## |
| 1183 | +# management.oauth_disable_basic_auth = true |
| 1184 | + |
| 1185 | +## The scopes RabbitMq should claim during the management UI authorization flow. |
| 1186 | +## Defaults to "openid profile" |
| 1187 | +## |
| 1188 | +# management.oauth_scopes = openid profile rabbitmq.tag:management |
| 1189 | + |
| 1190 | +## TLS settings for connecting to OAuth 2 endpoints. |
| 1191 | +## |
| 1192 | + |
| 1193 | +## A trusted CA (and intermediary) certificate bundle to use |
| 1194 | +# auth_oauth2.https.cacertfile = /path/to/ca_certificate.pem |
| 1195 | + |
| 1196 | +## Whether peer certificate chain verification is enabled. |
| 1197 | +# auth_oauth2.https.peer_verification = verify_peer |
| 1198 | + |
| 1199 | +## Use in environments where certificates use wildcard hostnames (e.g. "*.eng.megacorp.local") |
| 1200 | +# auth_oauth2.https.hostname_verification = wildcard |
| 1201 | + |
| 1202 | +## Controls the start of the authentication flow. |
| 1203 | +## |
| 1204 | +## Defaults to "sp_initiated", which does not require clients to provide |
| 1205 | +## a token. This is the most standard flow. |
| 1206 | +## |
| 1207 | +## "idp_initiated" means that the flow will be initiated by an SSO service |
| 1208 | +## of sorts and clients must provide a token. |
| 1209 | +# management.oauth_initiated_logon_type = sp_initiated |
| 1210 | + |
1126 | 1211 | # |
1127 | 1212 | # LDAP |
1128 | 1213 | # |
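Review bot: The TLS entries for `auth_oauth2.https.peer_verification` and `cacertfile` (new lines 1193–1197) do not say why verification matters, even though the `jwks_uri` comment above states that this endpoint is where signing keys are downloaded: with the chain unverified, anyone on the path to the issuer can substitute their own key set and mint tokens RabbitMQ would accept. Add to the `peer_verification` entry a line such as `## Strongly recommended, together with cacertfile: the JWKS response supplies the token signing keys, so an unverified connection lets an on-path attacker inject keys.`; this hunk does not show what the default is, so the comment should not assert one. Likewise `auth_oauth2.verify_aud = false` is flagged "not recommended" without the reason — a one-liner such as `## With this off, any token from the issuer (including ones minted for other resource servers) is accepted` makes the trade-off concrete. Minor wording on the basic-auth entry: "Allows disable Basic HTTP Authentication" reads better as "Allows disabling Basic HTTP authentication".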
|