OAuth2 integration fails to verify JWT/JWK

[azenakhi]

Project description

Implement message architecture using RabbitMQ as brocker & OAuth2

Issue description

Authentication using an OAuth 2/JWT token failed: provided token is invalid

Use case

(client) : generate Jwt Token from Keycloak or Okta
(client) : sent queue message using Jwt Token
(Server) : RabbitMQ using OuAuth2 plugin validate token then accept message queue from client if token is valid

Tools & Versions

• RabbitMQ : 3.10.0-rc.1-management
• RabbitMQ plugin : rabbitmq_auth_backend_oauth2
• Identity Provider : Keycloak & Okta

RabbitMQ

Advanced config

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]},
    {log, [
        {console, [
          {level, debug},
          {enabled, true}
        ]}
      ]}
  ]},
  {rabbitmq_management, [
    {enable_uaa, false}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {default_key, <<"a-key-ID">>},
      {signing_keys,
        #{<<"a-key-ID">> => {pem, <<"PUBLIC-KEY">>}
         }
      }]
    }
  ]}
].

Keycloak token format

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "a-key-ID"
}

PAYLOAD:DATA

{
  "exp": 1648215668,
  "iat": 1648215608,
  "jti": "JTI ID",
  "iss": "http://keycloak:8080/auth/realms/master",
  "aud": [
    "rabbitmq"
  ],
  "sub": "CLIENT ID",
  "scope": "rabbitmq.write:*/* rabbitmq.tag:administrator email profile rabbitmq.configure:*/* rabbitmq.read:*/*",
  "clientId": "CLIENT ID"
}

Okta token format

HEADER:ALGORITHM & TOKEN TYPE

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "a-key-ID"
}

PAYLOAD:DATA

{
  "ver": 1,
  "jti": "THE JTI",
  "iss": "https://OKTA ISSUER",
  "aud": "api://aud", # Our audience format
  "iat": 1648220736,
  "exp": 1648224336,
  "cid": "CLIENT ID",
  "scp": [
    "rabbitmq.read:*/*",
    "rabbitmq.configure:*/*"
  ],
  "sub": "CLIENT ID"
}

Python client communicate with RabbitMQ using Jwt Tokan

## Code source
#!/usr/bin/env python
import pika
import sys
token=b'<token>'
password=r"#{'password'=>%s}" %(token)
credentials = pika.PlainCredentials('<user>', password)
parameters = pika.ConnectionParameters(host='localhost', port=5672, credentials=credentials)
connection = pika.BlockingConnection(parameters)
channel = connection.channel()
channel.queue_declare(queue='email',  durable=True)
channel.basic_publish(exchange='',
                      routing_key='email',
                      body='Hello World!')
print(" [x] Message sent'")
connection.close()

Trace log client

Traceback (most recent call last):
  File "./app.py", line 11, in <module>
    connection = pika.BlockingConnection(parameters)
  File "/mnt/c/Users/KN6353/source/repos/ot-grpc-okta-poc/Rabbitmq/rabbitmq/env/lib/python3.8/site-packages/pika/adapters/blocking_connection.py", line 360, in __init__
    self._impl = self._create_connection(parameters, _impl_class)
  File "/mnt/c/Users/KN6353/source/repos/ot-grpc-okta-poc/Rabbitmq/rabbitmq/env/lib/python3.8/site-packages/pika/adapters/blocking_connection.py", line 451, in _create_connection   
    raise self._reap_last_connection_workflow_error(error)
pika.exceptions.ProbableAuthenticationError: ConnectionClosedByBroker: (403) 'ACCESS_REFUSED - Login was refused using authentication mechanism PLAIN. For details see the broker logfile.'

Trace log RabbitMQ

[erro] <0.2011.0> PLAIN login refused: Authentication using an OAuth 2/JWT token failed: provided token is invalid
[info] <0.2011.0> closing AMQP connection <0.2011.0> (172.19.0.1:43138 -> 172.19.0.3:5672)
[dbug] <0.2013.0> Closing all channels from connection '172.19.0.1:43138 -> 172.19.0.3:5672' because it has been closed

Thanks for your help.
Best regards

[michaelklishin]

Can this be turned into an executable example? This error is returned by a function that decodes and validates the token but it's not really possible to tell what specifically failed without having a way to try it
in a node shell.

We don't use issues for troubleshooting, so this belongs to discussion without further evidence.

[azenakhi]

Sorry, Thank for your answer.

But I did not understand your comment ? I gave you a detailed explanation for this issues.

[michaelklishin]

We are asking for a repository we can use to run this. Something is off about your JWT token and we cannot generate exactly the same token as you use. We do not guess on this team.

[lukebakken]

Our OAuth expert, @MarcialRosales, has this to say:

I see two potential issues. It looks like RabbitMQ cannot validate the token which could well be due to how the asymmetric key is inserted into the configuration .. maybe with wrong padding. For the Okta token, he is passing the scopes into the scp field. However, that scp is not a recognized or validated field unless he has configured the extra_scope_source field with the value scp.

[azenakhi]

I tested RabbitMQ with Keycloak and "scope" attribute in the token claims, but I found the same error :

RabbitMQ advanced.config :

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]},
    {log, [
        {console, [
          {level, debug},
          {enabled, true}
        ]}
      ]}
  ]},
  {rabbitmq_management, [
    {enable_uaa, false}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {default_key, <<"KYujHrfcS_mJksSbahNGJJABP5sX4Vbdp8xwoQDS3tQ">>},
      {signing_keys,
        #{<<"KYujHrfcS_mJksSbahNGJJABP5sX4Vbdp8xwoQDS3tQ">> => {pem, <<"-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEAjBvT5wM3/akhAIAz7DW6Awc1ZO5mec3S7maFDtebmTIHWuukKnLU
VeC6nNXWvBX/JERbNdGmxAEf8NF207hauuu8LYGUhpzo/z2V4fonT1Nv0lQVQH+d
g1SHsfyBcLNg+Mjb1cuudM3zcid8lRlFbHOZ4WKBJDhtG+s4Tj1e/0rKnkYMIJ36
ZmMoyV+Nqp1XbGYlh2rSuT9QmQbFVIzN44LsWG4MnlRXmb95+a7u8Uu/gz0BRwyH
gaJHW9M6r/OZhOgeu2U7ocxRyVLaf5N8JYsQO+DZPLONyAxAHqgkdAdLl3stHTKI
e/lLBYzad601ZktTQCu3Z74E5svHOd1dzwIDAQAB
-----END RSA PUBLIC KEY-----">>}
         }
      }]
    }
  ]}
].

Keycloak token claims

{
  "exp": 1648215668,
  "iat": 1648215608,
  "jti": "JTI ID",
  "iss": "http://keycloak:8080/auth/realms/master",
  "aud": [
    "rabbitmq"
  ],
  "sub": "CLIENT ID",
  "scope": "rabbitmq.write:*/* rabbitmq.tag:administrator email profile rabbitmq.configure:*/* rabbitmq.read:*/*",
  "clientId": "CLIENT ID"
}

[lukebakken]

@azenakhi - please provide the requested information:

could you also include the entire token (the blob, not the decoded json) you are passing in the password field in the python script?

[MarcialRosales]

@azenakhi You cannot do what you suggest. As you know RabbitMq expects the resource_server_id to be part of the aud list and the scopes' prefix. Having the resource_server_id as part of the scope`s prefix allow a token to carry permissions for more than one RabbitMQ resource.

Have you managed RabbitMQ to accept your tokens yet? If not, I would recommend cloning https://github.com/rabbitmq/rabbitmq-oauth2-tutorial and run MODE=asymmetric_key make start-rabbitmq to launch RabbitMQ with Oauth2 configured and run the command in this section which allows you to play with JWT content without any need for an external OAuth2 server. You will need Docker though.

[azenakhi]

Thank for your response.
Could you tell me please if RabbitMQ OAuth2 plugin be able to retrieve the public key dynamically (call REST API using issuer endpoint) for verifying the jwt token ? If yes, what is RabbitMQ config ?

[MarcialRosales]

@azenakhi it can. Search for jwks in the docs (https://github.com/rabbitmq/rabbitmq-server/tree/master/deps/rabbitmq_auth_backend_oauth2). There are examples too.

[michaelklishin]

Pretty sure the plugin expects scopes and not scp. What product produces JWTs with that key?

[azenakhi]

A token with claim aud in a string format without brackets [] (array format) has a correct claim specification ?:
Example : "aud" : "rabbitmq" instead of "aud" : ["rabbitmq"] .

[michaelklishin]

aud can be either an array or a string per the JWT RFC, not sure what our tests and examples use but it's likely a string.

[aggarwalsh]

@azenakhi are you able to validate JWT token by rabbitmq now ? I am facing the similar issue

[aggarwalsh]

Also, JWT token's signature has been validated in jwt.io using the public key that i am using in rabbit's advanced.config

[aggarwalsh]

The exact issue in the log is "Authentication using an OAuth 2/JWT token failed: {error,key_not_found}". And this is my advanced config file.
[
%% Enable rabbit_auth_backend_oauth2
{rabbit, [
{auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]},
{log,[
{console,[
{level,debug},
{enabled,true}
]}
]},
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,"D:/RabbitMQ/ati-rootcertificate.pem"},
{certfile,"D:/RabbitMQ/certificate-1080.pem"},
{keyfile,"D:/RabbitMQ/certificate-1080_key.pem"},
{verify, verify_none},
{fail_if_no_peer_cert, false},
{password, ""}]},
{config_entry_decoder, [ {passphrase, <<"passphrase">>}]}
]},
{rabbitmq_management, [{listener, [{port, 15671},
{ssl, true},
{ssl_opts, [{cacertfile, "D:/RabbitMQ/rootcertificate.pem"},
{certfile, "D:/RabbitMQ/certificate-14080.pem"},
{keyfile, "D:/RabbitMQ/certificate-14080_key.pem"},
{password, ""}]}]}
]},

%% Set a resource server ID. Will require all scopes to be prefixed with `rabbitmq.`
{rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
   %% UAA signing key configuration
{key_config, [
 {default_key, <<"a-key-ID">>},
  {signing_keys, #{
    <<"a-key-ID">> => {pem, <<"-----BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA40fWrpnnuccnZJMq7wAA
nW9BSzvjNmyEpj3w15gYNItInEL3Sc7Ssdsdsdsdsdsjpc4o_S4nub6b0-kyvL3F0kybU1WUhps
9b48Ho-YLM7K5Cb79CCLbHRKJUH_90ZSBDjFKW81nb0Lh7Iq6LiamjzRbqHLnwdR
g_EapFr0FRJLuZd4bE4owwjbsdsdsdsdsaKfJqtwvJd47RNw5B_lnr0YRl6E_6r2Ok9AwMf1c
idsdhNu3T_hs6O95oUBnI4Dgw1egQft0NBgpy9cojwPv5J45Jv-0xdxA2c0FAsWN
HLFS59GAYAbri7p0L-PwPKw1A6PH8e07XDTV73PPJrEA9fG84mmRII36XOw-FOBb
1wIDAQAB
-----END PUBLIC KEY-----
">>}
}}
]}
]}
].

[michaelklishin]

Please don't hijack existing discussions.

"Key not found" means that the key ID specified in the token is not listed in the RabbitMQ config.
JWT validation won't validate that, or that the keys in the JWT itself that RabbitMQ needs are present. It will only validate that the JWT "encoding" is correct.

[michaelklishin]

Here is a test that [describes the case where no key with the presented [in the JWT] name is found in the config.

There are very few places in the OAuth 2 plugin or the management one that return this error.

[MarcialRosales]

@aggarwalsh Could you also provide the jwt token you are trying to validate? Make sure the token carries the header "kid": "a-key-ID"