Login via OIDC issues - invalid credentials

[SeWieland]

Hi together!

I'm currently stuck on getting a basic authentication via OIDC working (only for the management UI).
I'm sure I'm just missing something very basic here...

Relevant rabbitmq.conf entries:

auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = internal
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.preferred_username_claims.1 = preferred_username
auth_oauth2.preferred_username_claims.2 = email
auth_oauth2.additional_scopes_key = rabbitmq_permissions
management.disable_basic_auth = true
management.oauth_enabled = true
management.oauth_client_id = rabbitmq
management.oauth_provider_url = https://keyclaok.example.com/realms/MyRealm
management.oauth_scopes = openid profile

My load definition:

{
    "vhosts": [
      {
        "name": "myvhost"
      }
    ]
}

The token that is generated for the rabbitmq client:

header:

{
  "alg": "RS256",
  "typ": "JWT",
  "kid": "Lk3S_brheRda-lmg2WdxA6GZaDFw5lTT4xKaL6ShFjI"
}

payload:

{
  "exp": 1690277469,
  "iat": 1690277169,
  "auth_time": 1690272270,
  "jti": "fb2f80ac-1229-415d-987c-491557044c7c",
  "iss": "https://keyclaok.example.com/realms/MyRealm",
  "aud": [
    "rabbitmq",
    "account"
  ],
  "sub": "c4eb19f9-70b6-4741-bd1f-18476106b116",
  "typ": "Bearer",
  "azp": "rabbitmq",
  "session_state": "367f1ed8-5a79-4713-ac23-b8d8c1d6fe7f",
  "acr": "0",
  "scope": "openid profile email",
  "sid": "367f1ed8-5a79-4713-ac23-b8d8c1d6fe7f",
  "email_verified": true,
  "rabbitmq_permissions": [
    "rabbitmq.tag:administrator",
    "rabbitmq.configure:myvhost/*/*",
    "role_RABBITMQ_MYVHOST_ADMIN",
    "rabbitmq.tag:management",
    "rabbitmq.read:myvhost/*/*",
    "rabbitmq.write:myvhost/*/*"
  ],
  "name": "Shawn Schwierig",
  "preferred_username": "sschwierig",
  "given_name": "Shawn",
  "locale": "de",
  "family_name": "Schwierig",
  "email": "[email protected]"
}

Plus a valid signature.

The log on the rabbitmq node just states:

<0.34508.0> HTTP access denied: user 'rabbitmq' - invalid credentials

Note that I definitely expected at least the user to be 'sschwierig' here, not 'rabbitmq'..

Any help is highly appreciated!

[SeWieland]

I finally found the issue: I forgot to set the correct JWKS url.

However, the log messages were not really helpful...

The following config works as intended:

auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = internal
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.preferred_username_claims.1 = preferred_username
auth_oauth2.preferred_username_claims.2 = email
auth_oauth2.additional_scopes_key = rabbitmq_permissions
auth_oauth2.jwks_url = https://keyclaok.example.com/realms/MyRealm/protocol/openid-connect/certs
management.disable_basic_auth = true
management.oauth_enabled = true
management.oauth_client_id = rabbitmq
management.oauth_provider_url = https://keyclaok.example.com/realms/MyRealm
management.oauth_scopes = openid profile