OAuth2.0 - Provided Token is Invalid

[gaurav-baid]

I am trying to implement OAuth 2.0 for RabbitMQ.
I am getting below error in the log.

2022-07-09 05:57:30.188 [error] <0.1668.0> closing AMQP connection <0.1668.0> (172.28.253.12:3269 -> 172.28.70.135:5671 - managmentservice):
{handshake_error,starting,0,{error,function_clause,'connection.start_ok',[{base64,mime_decode_binary,[<<>>,<<48,130,1,34,48,13,6,9,42,134,72,134,247,13,1,1,1,5,0,3,130,1,15,0,48,130,1,10,2,130,1,1,0,151,151,145,29,61,54,84,64,52,196,218,181,60,142,214,150,33,147,97,187,69,175,87,223,186,198,237,18,115,102,235,63,96,94,207,29,179,55,98,145,93,81,179,210,114,209,5,68,22,173,136,181,78,45,174,183,56,236,224,174,128,126,104,8,245,192,41,64,47,78,69,19,103,212,219,227,133,175,213,140,200,216,170,211,65,64,1,1,242,3,149,218,122,171,68,76,92,150,100,106,34,168,18,183,85,94,121,75,160,192,125,152,234,177,46,78,16,99,37,155,151,41,169,176,234,152,59,85,186,26,215,88,137,20,45,17,63,121,158,222,151,30,204,65,62,130,159,92,28,202,47,77,75,137,189,145,175,62,49,141,186,88,134,116,29,153,157,89,149,14,40,68,46,124,207,169,196,146,33,116,110,103,80,85,84,119,159,85,247,145,151,1,100,111,96,39,27,87,85,218,18,101,226,192,129,44,8,192,173,115,206,243,184,83,208,238,10,44,95,198,61,194,240,88,213,179,161,196,30,171,240,177,232,229,25,148,61,189,168,79,93,230,57,225,10,137,127,26,120,169,216,130,192,128,192>>,16,0,1],[{file,"base64.erl"},{line,232}]},{jose_public_key,pem_dec_entry,2,[{file,"src/jose_public_key.erl"},{line,358}]},{jose_public_key,pem_dec,2,[{file,"src/jose_public_key.erl"},{line,346}]},{jose_public_key,pem_decode,1,[{file,"src/jose_public_key.erl"},{line,164}]},{jose_jwk_pem,from_binary,1,[{file,"src/jwk/jose_jwk_pem.erl"},{line,27}]},{jose_jwk,from_pem,1,[{file,"src/jwk/jose_jwk.erl"},{line,449}]},{uaa_jwt_jwk,from_pem,1,[{file,"src/uaa_jwt_jwk.erl"},{line,37}]},{uaa_jwt,decode_and_verify,1,[{file,"src/uaa_jwt.erl"},{line,52}]}]}}

Looking at the Rabbit repository I am anticipating that it is failing at the time of token validation in the below method.

-spec decode_and_verify(binary()) -> {boolean(), map()} | {error, term()}.
decode_and_verify(Token) ->
case uaa_jwt_jwt:get_key_id(Token) of
{ok, KeyId} ->
case get_jwk(KeyId) of
{ok, JWK} ->
uaa_jwt_jwt:decode_and_verify(JWK, Token);
{error, _} = Err ->
Err
end;
{error, _} = Err ->
Err
end.

The KID was set in the Advanced Rabbit config file along with the public key

In .Net Code I am getting below error
The AMQP operation was interrupted: AMQP close-reason, initiated by Library, code=0, text='End of stream', classId=0, methodId=0, cause=System.IO.EndOfStreamException: Reached the end of the stream. Possible authentication failure.
at RabbitMQ.Client.Impl.InboundFrame.ReadFrom(Stream reader, Byte[] frameHeaderBuffer)
at RabbitMQ.Client.Framing.Impl.Connection.MainLoopIteration()
at RabbitMQ.Client.Framing.Impl.Connection.MainLoop()

[michaelklishin]

Consider using Discussions for questions instead of filing issues.

According to the exception, a public key entry cannot be decoded, perhaps it is not in the PEM format.

We cannot suggest much with the amount of information provided.

[gaurav-baid]

Advanced Config if that helps. I am able to verify the signature on JWT.io with this public key.

%% Set a resource server ID. Will require all scopes to be prefixed with `rabbitmq.`

{rabbitmq_auth_backend_oauth2, [
{resource_server_id, <<"rabbitmq">>},
%% UAA signing key configuration
{key_config, [
{default_key, <<"legacy-token-key">>},
{signing_keys, #{
<<"2C654B8B6E36D7C44E072FDFD8EE8E53">> => {pem, <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAl5eRHT02VEA0xNq1PI7W
liGTYbtFr1ffusbtEnNm6z9gXs8dszdikV1Rs9Jy0QVEFq2ItU4trrc47OCugH5o
CPXAKUAvTkUTZ9Tb4-4-Wv1YzI2KrTQUABAfI-Dldp6q0RMXJZkaiKoErdVXnlLo
MB9mOqxLk4QYyWblympsOqYO1W6GtdYiRQtET95nt6XHsxBPoKfXBzKL01Lib2Rr
z4xjbpYhnQdmZ1ZlQ4oRC58z6nEkiF0bmdQVVR3n1X3kZcBZG9gJxtXVdoSZeLAg
S-wIwK1_zzvO4U9DuCixfxj3C8FjVs6HEHqvwsejlGZQ9vahPXeY54QqJfxp4qdi
CwIDAQAB
-----END PUBLIC KEY-----">>}

[gaurav-baid]

@michaelklishin Did you get chance to look at this further. Any further information if required I can share.
Also we are using Identity Server 4 from Authorization perspective.

[MarcialRosales]

@gaurav-baid As @michaelklishin mentioned , the issue has to do with the public key of your signing key. There is something wrong with it and RabbitMQ fails to parse it. If you attach the whole configuration file and a sample token I can try it. Besides, you probably want to update the default_key to match the single key 2C654B8B6E36D7C44E072FDFD8EE8E53

[gaurav-baid]

@MarcialRosales @michaelklishin Thanks for the quick replies.
The above issue is fixed now and token is getting validated now.
Issue - We were using rabbit version 3.8.5 and after upgrading the rabbit to 3.10 everything worked smoothly.

[mahadevikodavati]

Hallo Team,

I need some kind of help.. i would like use oauth2.0(Keycloak). so i used this git repo(https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/rich_auth_request/use-cases/keycloak.md) and installed the keycloak in my local. then i wrote rabbitmq.config and docker-compose.yml file like below

docker-compose.yml

version: '3'
services:
localRabbitMQ:
image: "rabbitmq:3.11.0-management-alpine"
ports:
- 5672:5672
- 15672:15672
volumes:
- ./enabled_plugins:/etc/rabbitmq/enabled_plugins
- ./plugins:/usr/lib/rabbitmq/plugins
- type: bind
source: ./rabbitmq.config
target: /etc/rabbitmq/rabbitmq.config
- type: bind
source: ./enabled_plugins
target: /etc/enabled_plugins

rabbitmq.config

[
{rabbit, [
{auth_backends, [rabbit_auth_backend_oauth2]},
{log, [
{console, [
{level, debug},
{enabled, true}
]}
]}
]},
{rabbitmq_management, [
{oauth_enable, true},
{oauth_client_id, "rabbitmq-client-code"},
{oauth_client_secret, "X2ZqbZYKHq7WP8vsStr23jx6mtukt14g"},
{oauth_provider_url, "http://0.0.0.0:8080/realms/test"}
]},

{rabbitmq_auth_backend_oauth2, [
    {resource_server_id, "rabbitmq"},
    {key_config, [
      {jwks_url, "http://0.0.0.0:8080/realms/test/protocol/openid-connect/certs"}
    ]}
  ]}

].

enabled_plugins

[rabbitmq_management,rabbitmq_auth_backend_oauth2,rabbitmq_mqtt].

Now the problem is when run the docker compose file.
rabbitmq server is starting. when i open the link http://localhost:15672/. it is not navigating to keycloak server. i am not able to see click here to login button .. please help me on this.

[MarcialRosales]

Hi @215813 , I have just followed the instructions in the tutorial and I could access that management ui and I can see the SSO button.
This is what i did:

1. make start-keycloak. I know you deploy your keycloak server by your own
2. go to http://0.0.0.0:8080 to make sure that keycloak is running
3. export MODE=keycloak
4. make start-rabbitmq
5. make curl-keycloak url=http://localhost:15672/api/overview client_id=mgt_api_client secret=LWOuYqJ8gjKg3D2U8CJZDuID3KiRZVDa to check that RabbitMQ is able to accept keycloak tokens
6. go to the http://localhost:15672 ; click on click here to login which takes me to the keycloak logon page.
   I don't think it is relevant, but you are using an old branch of the tutorial.

One thing I have noticed in your docker compose is that you are binding enabled_plugins twice and you are also binding/mounting ./plugin when this is not needed.

If you do not get the button "click here to login", you should see a message warning that it is not possible to contact keycloak.

[mahadevikodavati]

Hallo @MarcialRosales

Thank you for kind response..I followed the steps given now.. i am not able to see "click here to login button. please find the screen shot and log file.

2022-10-06 08:40:00.628846+00:00 [notice] <0.44.0> Application syslog exited with reason: stopped
2022-10-06 08:40:00.636477+00:00 [notice] <0.228.0> Logging: switching to configured handler(s); following messages may not be visible in this log output
2022-10-06 08:40:00.652967+00:00 [notice] <0.228.0> Logging: configured log handlers are now ACTIVE
2022-10-06 08:40:00.875056+00:00 [info] <0.228.0> ra: starting system quorum_queues
2022-10-06 08:40:00.875133+00:00 [info] <0.228.0> starting Ra system: quorum_queues in directory: /var/lib/rabbitmq/mnesia/rabbit@3914d01d669b/quorum/rabbit@3914d01d669b
2022-10-06 08:40:00.940266+00:00 [info] <0.264.0> ra system 'quorum_queues' running pre init for 0 registered servers
2022-10-06 08:40:00.952278+00:00 [info] <0.265.0> ra: meta data store initialised for system quorum_queues. 0 record(s) recovered
2022-10-06 08:40:00.967893+00:00 [notice] <0.270.0> WAL: ra_log_wal init, open tbls: ra_log_open_mem_tables, closed tbls: ra_log_closed_mem_tables
2022-10-06 08:40:00.974708+00:00 [info] <0.228.0> ra: starting system coordination
2022-10-06 08:40:00.974742+00:00 [info] <0.228.0> starting Ra system: coordination in directory: /var/lib/rabbitmq/mnesia/rabbit@3914d01d669b/coordination/rabbit@3914d01d669b
2022-10-06 08:40:00.976454+00:00 [info] <0.277.0> ra system 'coordination' running pre init for 0 registered servers
2022-10-06 08:40:00.977441+00:00 [info] <0.278.0> ra: meta data store initialised for system coordination. 0 record(s) recovered
2022-10-06 08:40:00.977516+00:00 [notice] <0.283.0> WAL: ra_coordination_log_wal init, open tbls: ra_coordination_log_open_mem_tables, closed tbls: ra_coordination_log_closed_mem_tables
2022-10-06 08:40:00.980304+00:00 [info] <0.228.0>
2022-10-06 08:40:00.980304+00:00 [info] <0.228.0> Starting RabbitMQ 3.11.0-rc.1 on Erlang 25.0.4 [jit]
2022-10-06 08:40:00.980304+00:00 [info] <0.228.0> Copyright (c) 2007-2022 VMware, Inc. or its affiliates.
2022-10-06 08:40:00.980304+00:00 [info] <0.228.0> Licensed under the MPL 2.0. Website: https://rabbitmq.com

## RabbitMQ 3.11.0-rc.1

########## Copyright (c) 2007-2022 VMware, Inc. or its affiliates.

########## Licensed under the MPL 2.0. Website: https://rabbitmq.com

Erlang: 25.0.4 [jit]
TLS Library: OpenSSL - OpenSSL 1.1.1q 5 Jul 2022
Release series support status: supported

Doc guides: https://rabbitmq.com/documentation.html
Support: https://rabbitmq.com/contact.html
Tutorials: https://rabbitmq.com/getstarted.html
Monitoring: https://rabbitmq.com/monitoring.html

Logs: /var/log/rabbitmq/rabbit@3914d01d669b_upgrade.log

Config file(s): /etc/rabbitmq/rabbitmq.config
/etc/rabbitmq/conf.d/10-defaults.conf
/etc/rabbitmq/conf.d/management_agent.disable_metrics_collector.conf

Starting broker...2022-10-06 08:40:00.984878+00:00 [info] <0.228.0>
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> node : rabbit@3914d01d669b
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> home dir : /var/lib/rabbitmq
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> config file(s) : /etc/rabbitmq/rabbitmq.config
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> : /etc/rabbitmq/conf.d/10-defaults.conf
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> : /etc/rabbitmq/conf.d/management_agent.disable_metrics_collector.conf
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> cookie hash : +k1YjWM2MSB12ZQ4eC4QzA==
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> log(s) : /var/log/rabbitmq/rabbit@3914d01d669b_upgrade.log
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> :
2022-10-06 08:40:00.984878+00:00 [info] <0.228.0> database dir : /var/lib/rabbitmq/mnesia/rabbit@3914d01d669b
2022-10-06 08:40:04.099951+00:00 [info] <0.228.0> Running boot step pre_boot defined by app rabbit
2022-10-06 08:40:04.100016+00:00 [info] <0.228.0> Running boot step rabbit_global_counters defined by app rabbit
2022-10-06 08:40:04.100219+00:00 [info] <0.228.0> Running boot step rabbit_osiris_metrics defined by app rabbit
2022-10-06 08:40:04.100314+00:00 [info] <0.228.0> Running boot step rabbit_core_metrics defined by app rabbit
2022-10-06 08:40:04.100951+00:00 [info] <0.228.0> Running boot step rabbit_alarm defined by app rabbit
2022-10-06 08:40:04.105507+00:00 [info] <0.297.0> Memory high watermark set to 8895 MiB (9327440691 bytes) of 22238 MiB (23318601728 bytes) total
2022-10-06 08:40:04.109855+00:00 [info] <0.299.0> Enabling free disk space monitoring
2022-10-06 08:40:04.109884+00:00 [info] <0.299.0> Disk free limit set to 50MB
2022-10-06 08:40:04.113109+00:00 [info] <0.228.0> Running boot step code_server_cache defined by app rabbit
2022-10-06 08:40:04.113186+00:00 [info] <0.228.0> Running boot step file_handle_cache defined by app rabbit
2022-10-06 08:40:04.113483+00:00 [info] <0.304.0> Limiting to approx 1048479 file handles (943629 sockets)
2022-10-06 08:40:04.113560+00:00 [info] <0.305.0> FHC read buffering: OFF
2022-10-06 08:40:04.113581+00:00 [info] <0.305.0> FHC write buffering: ON
2022-10-06 08:40:04.114671+00:00 [info] <0.228.0> Running boot step worker_pool defined by app rabbit
2022-10-06 08:40:04.114732+00:00 [info] <0.285.0> Will use 7 processes for default worker pool
2022-10-06 08:40:04.114757+00:00 [info] <0.285.0> Starting worker pool 'worker_pool' with 7 processes in it
2022-10-06 08:40:04.114988+00:00 [info] <0.228.0> Running boot step database defined by app rabbit
2022-10-06 08:40:04.115640+00:00 [info] <0.228.0> Node database directory at /var/lib/rabbitmq/mnesia/rabbit@3914d01d669b is empty. Assuming we need to join an existing cluster or initialise from scratch...
2022-10-06 08:40:04.115689+00:00 [info] <0.228.0> Configured peer discovery backend: rabbit_peer_discovery_classic_config
2022-10-06 08:40:04.115715+00:00 [info] <0.228.0> Will try to lock with peer discovery backend rabbit_peer_discovery_classic_config
2022-10-06 08:40:04.115759+00:00 [info] <0.228.0> All discovered existing cluster peers:
2022-10-06 08:40:04.115772+00:00 [info] <0.228.0> Discovered no peer nodes to cluster with. Some discovery backends can filter nodes out based on a readiness criteria. Enabling debug logging might help troubleshoot.
2022-10-06 08:40:04.117533+00:00 [notice] <0.44.0> Application mnesia exited with reason: stopped
2022-10-06 08:40:04.182922+00:00 [info] <0.228.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2022-10-06 08:40:04.183043+00:00 [info] <0.228.0> Successfully synced tables from a peer
2022-10-06 08:40:04.188881+00:00 [info] <0.228.0> Feature flags: feature_flags_v2: supported, attempt to enable...
2022-10-06 08:40:04.203896+00:00 [notice] <0.286.0> Feature flags: attempt to enable classic_mirrored_queue_version...
2022-10-06 08:40:04.220865+00:00 [notice] <0.286.0> Feature flags: classic_mirrored_queue_version enabled
2022-10-06 08:40:04.221217+00:00 [notice] <0.286.0> Feature flags: attempt to enable direct_exchange_routing_v2...
2022-10-06 08:40:04.228780+00:00 [info] <0.483.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2022-10-06 08:40:04.228891+00:00 [info] <0.483.0> Successfully synced tables from a peer
2022-10-06 08:40:04.241285+00:00 [notice] <0.286.0> Feature flags: direct_exchange_routing_v2 enabled
2022-10-06 08:40:04.241640+00:00 [notice] <0.286.0> Feature flags: attempt to enable drop_unroutable_metric...
2022-10-06 08:40:04.258898+00:00 [notice] <0.286.0> Feature flags: drop_unroutable_metric enabled
2022-10-06 08:40:04.259193+00:00 [notice] <0.286.0> Feature flags: attempt to enable empty_basic_get_metric...
2022-10-06 08:40:04.274384+00:00 [notice] <0.286.0> Feature flags: empty_basic_get_metric enabled
2022-10-06 08:40:04.274731+00:00 [notice] <0.286.0> Feature flags: attempt to enable listener_records_in_ets...
2022-10-06 08:40:04.306430+00:00 [notice] <0.286.0> Feature flags: listener_records_in_ets enabled
2022-10-06 08:40:04.307156+00:00 [notice] <0.286.0> Feature flags: attempt to enable stream_queue...
2022-10-06 08:40:04.324594+00:00 [notice] <0.286.0> Feature flags: stream_queue enabled
2022-10-06 08:40:04.324985+00:00 [notice] <0.286.0> Feature flags: attempt to enable stream_single_active_consumer...
2022-10-06 08:40:04.341029+00:00 [notice] <0.286.0> Feature flags: stream_single_active_consumer enabled
2022-10-06 08:40:04.341480+00:00 [notice] <0.286.0> Feature flags: attempt to enable tracking_records_in_ets...
2022-10-06 08:40:04.358710+00:00 [notice] <0.286.0> Feature flags: tracking_records_in_ets enabled
2022-10-06 08:40:04.359300+00:00 [info] <0.228.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2022-10-06 08:40:04.359521+00:00 [info] <0.228.0> Successfully synced tables from a peer
2022-10-06 08:40:04.367942+00:00 [info] <0.228.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2022-10-06 08:40:04.368043+00:00 [info] <0.228.0> Successfully synced tables from a peer
2022-10-06 08:40:04.368061+00:00 [info] <0.228.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping registration.
2022-10-06 08:40:04.368078+00:00 [info] <0.228.0> Will try to unlock with peer discovery backend rabbit_peer_discovery_classic_config
2022-10-06 08:40:04.368119+00:00 [info] <0.228.0> Running boot step tracking_metadata_store defined by app rabbit
2022-10-06 08:40:04.368162+00:00 [info] <0.612.0> Setting up a table for connection tracking on this node: tracked_connection
2022-10-06 08:40:04.368191+00:00 [info] <0.612.0> Setting up a table for per-vhost connection counting on this node: tracked_connection_per_vhost
2022-10-06 08:40:04.368222+00:00 [info] <0.612.0> Setting up a table for per-user connection counting on this node: tracked_connection_per_user
2022-10-06 08:40:04.368242+00:00 [info] <0.612.0> Setting up a table for channel tracking on this node: tracked_channel
2022-10-06 08:40:04.368265+00:00 [info] <0.612.0> Setting up a table for channel tracking on this node: tracked_channel_per_user
2022-10-06 08:40:04.368316+00:00 [info] <0.228.0> Running boot step networking_metadata_store defined by app rabbit
2022-10-06 08:40:04.368434+00:00 [info] <0.228.0> Running boot step database_sync defined by app rabbit
2022-10-06 08:40:04.368476+00:00 [info] <0.228.0> Running boot step feature_flags defined by app rabbit
2022-10-06 08:40:04.368872+00:00 [info] <0.228.0> Running boot step codec_correctness_check defined by app rabbit
2022-10-06 08:40:04.368906+00:00 [info] <0.228.0> Running boot step external_infrastructure defined by app rabbit
2022-10-06 08:40:04.368923+00:00 [info] <0.228.0> Running boot step rabbit_event defined by app rabbit
2022-10-06 08:40:04.368984+00:00 [info] <0.228.0> Running boot step rabbit_registry defined by app rabbit
2022-10-06 08:40:04.369011+00:00 [info] <0.228.0> Running boot step rabbit_auth_mechanism_amqplain defined by app rabbit
2022-10-06 08:40:04.369085+00:00 [info] <0.228.0> Running boot step rabbit_auth_mechanism_cr_demo defined by app rabbit
2022-10-06 08:40:04.369128+00:00 [info] <0.228.0> Running boot step rabbit_auth_mechanism_plain defined by app rabbit
2022-10-06 08:40:04.369150+00:00 [info] <0.228.0> Running boot step rabbit_exchange_type_direct defined by app rabbit
2022-10-06 08:40:04.369174+00:00 [info] <0.228.0> Running boot step rabbit_exchange_type_fanout defined by app rabbit
2022-10-06 08:40:04.369210+00:00 [info] <0.228.0> Running boot step rabbit_exchange_type_headers defined by app rabbit
2022-10-06 08:40:04.369280+00:00 [info] <0.228.0> Running boot step rabbit_exchange_type_topic defined by app rabbit
2022-10-06 08:40:04.369609+00:00 [info] <0.228.0> Running boot step rabbit_mirror_queue_mode_all defined by app rabbit
2022-10-06 08:40:04.369656+00:00 [info] <0.228.0> Running boot step rabbit_mirror_queue_mode_exactly defined by app rabbit
2022-10-06 08:40:04.369717+00:00 [info] <0.228.0> Running boot step rabbit_mirror_queue_mode_nodes defined by app rabbit
2022-10-06 08:40:04.369776+00:00 [info] <0.228.0> Running boot step rabbit_priority_queue defined by app rabbit
2022-10-06 08:40:04.369791+00:00 [info] <0.228.0> Priority queues enabled, real BQ is rabbit_variable_queue
2022-10-06 08:40:04.369818+00:00 [info] <0.228.0> Running boot step rabbit_queue_location_client_local defined by app rabbit
2022-10-06 08:40:04.369839+00:00 [info] <0.228.0> Running boot step rabbit_queue_location_min_masters defined by app rabbit
2022-10-06 08:40:04.369861+00:00 [info] <0.228.0> Running boot step rabbit_queue_location_random defined by app rabbit
2022-10-06 08:40:04.369895+00:00 [info] <0.228.0> Running boot step kernel_ready defined by app rabbit
2022-10-06 08:40:04.369948+00:00 [info] <0.228.0> Running boot step rabbit_sysmon_minder defined by app rabbit
2022-10-06 08:40:04.370049+00:00 [info] <0.228.0> Running boot step rabbit_epmd_monitor defined by app rabbit
2022-10-06 08:40:04.371712+00:00 [info] <0.621.0> epmd monitor knows us, inter-node communication (distribution) port: 25672
2022-10-06 08:40:04.371808+00:00 [info] <0.228.0> Running boot step guid_generator defined by app rabbit
2022-10-06 08:40:04.374104+00:00 [info] <0.228.0> Running boot step rabbit_node_monitor defined by app rabbit
2022-10-06 08:40:04.374334+00:00 [info] <0.625.0> Starting rabbit_node_monitor
2022-10-06 08:40:04.374654+00:00 [info] <0.228.0> Running boot step delegate_sup defined by app rabbit
2022-10-06 08:40:04.375284+00:00 [info] <0.228.0> Running boot step rabbit_memory_monitor defined by app rabbit
2022-10-06 08:40:04.375500+00:00 [info] <0.228.0> Running boot step rabbit_fifo_dlx_sup defined by app rabbit
2022-10-06 08:40:04.375548+00:00 [info] <0.228.0> Running boot step core_initialized defined by app rabbit
2022-10-06 08:40:04.375596+00:00 [info] <0.228.0> Running boot step upgrade_queues defined by app rabbit
2022-10-06 08:40:04.381221+00:00 [info] <0.228.0> message_store upgrades: 1 to apply
2022-10-06 08:40:04.381427+00:00 [info] <0.228.0> message_store upgrades: Applying rabbit_variable_queue:move_messages_to_vhost_store
2022-10-06 08:40:04.381684+00:00 [info] <0.228.0> message_store upgrades: No durable queues found. Skipping message store migration
2022-10-06 08:40:04.381716+00:00 [info] <0.228.0> message_store upgrades: Removing the old message store data
2022-10-06 08:40:04.383451+00:00 [info] <0.228.0> message_store upgrades: All upgrades applied successfully
2022-10-06 08:40:04.389350+00:00 [info] <0.228.0> Running boot step channel_tracking defined by app rabbit
2022-10-06 08:40:04.389401+00:00 [info] <0.228.0> Running boot step rabbit_channel_tracking_handler defined by app rabbit
2022-10-06 08:40:04.389441+00:00 [info] <0.228.0> Running boot step connection_tracking defined by app rabbit
2022-10-06 08:40:04.389462+00:00 [info] <0.228.0> Running boot step rabbit_connection_tracking_handler defined by app rabbit
2022-10-06 08:40:04.389485+00:00 [info] <0.228.0> Running boot step rabbit_definitions_hashing defined by app rabbit
2022-10-06 08:40:04.389557+00:00 [info] <0.228.0> Running boot step rabbit_exchange_parameters defined by app rabbit
2022-10-06 08:40:04.389606+00:00 [info] <0.228.0> Running boot step rabbit_mirror_queue_misc defined by app rabbit
2022-10-06 08:40:04.389699+00:00 [info] <0.228.0> Running boot step rabbit_policies defined by app rabbit
2022-10-06 08:40:04.389997+00:00 [info] <0.228.0> Running boot step rabbit_policy defined by app rabbit
2022-10-06 08:40:04.390033+00:00 [info] <0.228.0> Running boot step rabbit_queue_location_validator defined by app rabbit
2022-10-06 08:40:04.390070+00:00 [info] <0.228.0> Running boot step rabbit_quorum_memory_manager defined by app rabbit
2022-10-06 08:40:04.390094+00:00 [info] <0.228.0> Running boot step rabbit_stream_coordinator defined by app rabbit
2022-10-06 08:40:04.390244+00:00 [info] <0.228.0> Running boot step rabbit_vhost_limit defined by app rabbit
2022-10-06 08:40:04.390275+00:00 [info] <0.228.0> Running boot step rabbit_mgmt_reset_handler defined by app rabbitmq_management
2022-10-06 08:40:04.390293+00:00 [info] <0.228.0> Running boot step rabbit_mgmt_db_handler defined by app rabbitmq_management_agent
2022-10-06 08:40:04.390333+00:00 [info] <0.228.0> Management plugin: using rates mode 'basic'
2022-10-06 08:40:04.390691+00:00 [info] <0.228.0> Running boot step recovery defined by app rabbit
2022-10-06 08:40:04.391463+00:00 [info] <0.228.0> Running boot step empty_db_check defined by app rabbit
2022-10-06 08:40:04.391504+00:00 [info] <0.228.0> Will seed default virtual host and user...
2022-10-06 08:40:04.391562+00:00 [info] <0.228.0> Adding vhost '/' (description: 'Default virtual host', tags: [])
2022-10-06 08:40:04.398645+00:00 [info] <0.667.0> Making sure data directory '/var/lib/rabbitmq/mnesia/rabbit@3914d01d669b/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2022-10-06 08:40:04.399965+00:00 [info] <0.667.0> Setting segment_entry_count for vhost '/' with 0 queues to '2048'
2022-10-06 08:40:04.401852+00:00 [info] <0.667.0> Starting message stores for vhost '/'
2022-10-06 08:40:04.402013+00:00 [info] <0.672.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2022-10-06 08:40:04.403436+00:00 [info] <0.667.0> Started message store of type transient for vhost '/'
2022-10-06 08:40:04.403542+00:00 [info] <0.676.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2022-10-06 08:40:04.404542+00:00 [warning] <0.676.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": rebuilding indices from scratch
2022-10-06 08:40:04.405264+00:00 [info] <0.667.0> Started message store of type persistent for vhost '/'
2022-10-06 08:40:04.405415+00:00 [info] <0.667.0> Recovering 0 queues of type rabbit_classic_queue took 4ms
2022-10-06 08:40:04.405446+00:00 [info] <0.667.0> Recovering 0 queues of type rabbit_quorum_queue took 0ms
2022-10-06 08:40:04.405477+00:00 [info] <0.667.0> Recovering 0 queues of type rabbit_stream_queue took 0ms
2022-10-06 08:40:04.407049+00:00 [info] <0.228.0> Created user 'guest'
2022-10-06 08:40:04.408115+00:00 [info] <0.228.0> Successfully set user tags for user 'guest' to [administrator]
2022-10-06 08:40:04.409534+00:00 [info] <0.228.0> Successfully set permissions for 'guest' in virtual host '/' to '.', '.', '.*'
2022-10-06 08:40:04.409566+00:00 [info] <0.228.0> Running boot step rabbit_looking_glass defined by app rabbit
2022-10-06 08:40:04.409596+00:00 [info] <0.228.0> Running boot step rabbit_core_metrics_gc defined by app rabbit
2022-10-06 08:40:04.409730+00:00 [info] <0.228.0> Running boot step background_gc defined by app rabbit
2022-10-06 08:40:04.409798+00:00 [info] <0.228.0> Running boot step routing_ready defined by app rabbit
2022-10-06 08:40:04.409813+00:00 [info] <0.228.0> Running boot step pre_flight defined by app rabbit
2022-10-06 08:40:04.409825+00:00 [info] <0.228.0> Running boot step notify_cluster defined by app rabbit
2022-10-06 08:40:04.409849+00:00 [info] <0.228.0> Running boot step networking defined by app rabbit
2022-10-06 08:40:04.409871+00:00 [info] <0.228.0> Running boot step definition_import_worker_pool defined by app rabbit
2022-10-06 08:40:04.409902+00:00 [info] <0.285.0> Starting worker pool 'definition_import_pool' with 7 processes in it
2022-10-06 08:40:04.410336+00:00 [info] <0.228.0> Running boot step cluster_name defined by app rabbit
2022-10-06 08:40:04.410551+00:00 [info] <0.228.0> Initialising internal cluster ID to 'rabbitmq-cluster-id-XWWutuFgU4QZpjsReGPh3w'
2022-10-06 08:40:04.412529+00:00 [info] <0.228.0> Running boot step direct_client defined by app rabbit
2022-10-06 08:40:04.412631+00:00 [info] <0.228.0> Running boot step rabbit_maintenance_mode_state defined by app rabbit
2022-10-06 08:40:04.412653+00:00 [info] <0.228.0> Creating table rabbit_node_maintenance_states for maintenance mode status
2022-10-06 08:40:04.415903+00:00 [info] <0.228.0> Running boot step rabbit_management_load_definitions defined by app rabbitmq_management
2022-10-06 08:40:04.416015+00:00 [info] <0.716.0> Resetting node maintenance status
2022-10-06 08:40:04.423030+00:00 [warning] <0.742.0> Metrics collection disabled in management agent, management only interface started
2022-10-06 08:40:04.429506+00:00 [info] <0.742.0> Management plugin: HTTP (non-TLS) listener started on port 15672
2022-10-06 08:40:04.429619+00:00 [info] <0.770.0> Statistics database started.
2022-10-06 08:40:04.429690+00:00 [info] <0.769.0> Starting worker pool 'management_worker_pool' with 3 processes in it
2022-10-06 08:40:04.513323+00:00 [info] <0.716.0> Ready to start client connection listeners
2022-10-06 08:40:04.515594+00:00 [info] <0.801.0> started TCP listener on [::]:5672
2022-10-06 08:40:04.640942+00:00 [info] <0.716.0> Server startup complete; 4 plugins started.
2022-10-06 08:40:04.640942+00:00 [info] <0.716.0> * rabbitmq_auth_backend_oauth2
2022-10-06 08:40:04.640942+00:00 [info] <0.716.0> * rabbitmq_management
2022-10-06 08:40:04.640942+00:00 [info] <0.716.0> * rabbitmq_web_dispatch
2022-10-06 08:40:04.640942+00:00 [info] <0.716.0> * rabbitmq_management_agent
completed with 4 plugins.
2022-10-06 08:40:09.803995+00:00 [warning] <0.808.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2022-10-06 08:40:13.962526+00:00 [warning] <0.809.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2022-10-06 08:40:15.138742+00:00 [warning] <0.811.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2022-10-06 08:40:16.708643+00:00 [warning] <0.812.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2022-10-06 08:40:17.422702+00:00 [warning] <0.813.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2022-10-06 08:40:18.070311+00:00 [warning] <0.814.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid
2022-10-06 08:40:29.478293+00:00 [warning] <0.825.0> HTTP access denied: Authentication using an OAuth 2/JWT token failed: provided token is invalid

i am referring this point in the tutoiral

Access Management UI
Go to http://localhost:15672/, click on the single button on the page which redirects to Key Cloak to authenticate. Enter rabbit_admin and rabbit_admin and you should be redirected back to RabbitMQ Management fully logged in.

[MarcialRosales]

Hi @215813 , There are a few odd things.

1. you are using rabbitmq:3.11.0-rc.1 however the tutorial's repo uses rabbitmq:3.11 . Maybe pull the latest and use the main branch. btw, i have just removed old branches to avoid any confusion
2. did you capture those logs using all the configuration and scripts from the tutorial? or your own? I ask you because it is very ood you get the standard login page as opposed to the SSO logon page.

[mahadevikodavati]

Now i changed and wrote Docker file

dockerfile:

FROM rabbitmq:3.11-management-alpine

COPY rabbitmq.config /etc/rabbitmq
COPY enabled_plugins /etc/rabbitmq

RUN ls /etc/rabbitmq
RUN cat /etc/rabbitmq/rabbitmq.config
RUN cat /etc/rabbitmq/enabled_plugins

rabbitmq.config

[
{rabbit, [
{auth_backends, [rabbit_auth_backend_oauth2]},
{log, [
{console, [
{level, debug},
{enabled, true}
]}
]}
]},
{rabbitmq_management, [
{oauth_enable, true},
{oauth_client_id, "rabbitmq-client-code"},
{oauth_client_secret, "X2ZqbZYKHq7WP8vsStr23jx6mtukt14g"},
{oauth_provider_url, "http://0.0.0.0:8080/realms/test"}
]},
{rabbitmq_auth_backend_oauth2, [
{resource_server_id, <<"rabbitmq">>},
{key_config, [
{default_key, <<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">>},
{signing_keys,
#{<<"Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk">> => {pem, <<"-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2dP+vRn+Kj+S/oGd49kq
6+CKNAduCC1raLfTH7B3qjmZYm45yDl+XmgK9CNmHXkho9qvmhdksdzDVsdeDlhK
IdcIWadhqDzdtn1hj/22iUwrhH0bd475hlKcsiZ+oy/sdgGgAzvmmTQmdMqEXqV2
B9q9KFBmo4Ahh/6+d4wM1rH9kxl0RvMAKLe+daoIHIjok8hCO4cKQQEw/ErBe4SF
2cr3wQwCfF1qVu4eAVNVfxfy/uEvG3Q7x005P3TcK+QcYgJxav3lictSi5dyWLgG
QAvkknWitpRK8KVLypEj5WKej6CF8nq30utn15FQg0JkHoqzwiCqqeen8GIPteI7
VwIDAQAB
-----END PUBLIC KEY-----">>}
}
}]
}
]}
].

running the docker file with the below commands:
docker build -t rabbitmq .

docker run --rm -it --hostname my-rabbit -p 5672:5672 -p 15672:15672 rabbitmq

Even though i am not able to see sso login button

[mahadevikodavati]

@MarcialRosales can you pls help me on this? i am not able to find the solution

[MarcialRosales]

hi @215813 , please try to use the configuration provided in the tutorial and once you get it working you can move on.
There is a mistake in your configuration.
You have {oauth_enable, true},
when it is {oauth_enabled, true},

[michaelklishin]

"Not management user" means the user record is not tagged with administrator or management.
I do not know why this may be.

[mahadevikodavati]

Thank you so much .. it is working fine now..

[MarcialRosales]

I am glad that it works @215813 . But I insist, the tutorial and all its configuration files and scripts are designed to work. Your user failed because, as you know, it did not have the appropriate scopes.

[mahadevikodavati]

Hello @MarcialRosales

I changed the configurations in rabbitmq to use jwks_url with Keycloak (oauth 2.0). Strange i am getting below error.

My configuration is like below

advanced.config

[
{rabbit, [
{auth_backends, [rabbit_auth_backend_oauth2]},
{log, [
{console, [
{level, debug},
{enabled, true}
]}
]}
]},
{rabbitmq_management, [
{oauth_enabled, true},
{oauth_client_id, "rabbitmq-client-code"},
{oauth_client_secret, "X2ZqbZYKHq7WP8vsStr23jx6mtukt14g"},
{oauth_provider_url, "https://xxxxxxx.xxxx"}
]},
{rabbitmq_auth_backend_oauth2, [
{resource_server_id, <<"rabbitmq">>},
{key_config, [
{jwks_url, <<"https://rxxxxxxxx/openapi/v3/auth/realms/RMV/protocol/openid-connect/certs">>}
]}

]}
].

rabbitmq.conf

loopback_users.guest = false
log.console = true
load_definitions = /etc/rabbitmq/definitions.json
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.jwks_url = https://xxxxxxx/openapi/v3/auth/realms/RMV/protocol/openid-connect/certs

auth_oauth2.https.peer_verification = verify_peer
auth_oauth2.https.depth = 5
auth_oauth2.https.fail_if_no_peer_cert = true
auth_oauth2.https.hostname_verification = wildcard
auth_oauth2.algorithms.1 = RS256

ssl_options.fail_if_no_peer_cert = true
ssl_options.verify = verify_peer
log.connection.level = debug

log.console.level = debug
auth_backends.1 = rabbit_auth_backend_oauth2

Docker file
FROM rabbitmq:3.11.0-management-alpine
COPY definitions.json /etc/rabbitmq
COPY rabbitmq.conf /etc/rabbitmq
COPY advanced.config /etc/rabbitmq

COPY enabled_plugins /etc/rabbitmq
COPY conf /conf

RUN ls /etc/rabbitmq
RUN cat /etc/rabbitmq/rabbitmq.conf
RUN cat /etc/rabbitmq/advanced.config
RUN cat /etc/rabbitmq/definitions.json
RUN cat /etc/rabbitmq/enabled_plugins

Kindly help me

[MarcialRosales]

Hi @215813 . I would like to suggest you to use the official RabbitMQ image rather than building a custom one. Here is an example https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/bin/deploy-rabbit#L21-L25.

Back to your issue. Make sure keycloak is running in the address {oauth_provider_url, "https://xxxxxxx.xxxx"}. The management ui shows that error when it cannot get a 200 OK response to the uri: <oauth_provider_url>/.well-known/openid-configuration .

Make sure that RabbitMQ docker container can reach keycloak.