Transferring from the oauth2 tutorial repo, as this issue is a feature request for the OAuth2 plugin.
It is not clear to me what specifically is being suggested here. That all scopes under
The OAuth 2 plugin has so many configurable settings already that I am very reluctant to add "one more flag". When we know the IDP service is Keycloak, the list of scopes can always try to combine the @MarcialRosales any objections?
Is your feature request related to a problem? Please describe.

When enabling the authorization for a confidential Keycloak client, you can define resources, scopes, policies and permissions for each resource and connect/map users or user groups to those permissions. This is the suggested method of configuring Keycloak and enables us to have a very fine-grained authorization policy.

Based on my understanding, unfortunately, RabbitMQ and the rabbitmq_auth_backend_oauth2 plugin expect to find the permissions in the scope at the highest level of a JWT token, which matches the client scope.

Describe the solution you'd like

There should be a flag that lets the RabbitMQ admin configure the rabbitmq_auth_backend_oauth2 plugin so that the plugin uses either the client-scope policies or the resource permissions.

Describe alternatives you've considered

No response

Additional context

Current expected token structure:

```json
{
  "scope": [
    "rabbitmq.write:*/*/*",
    "rabbitmq.configure:*/*/*",
    "rabbitmq.read:*/*/*"
  ],
  "extra_scope": "rabbitmq.tag:management",
  "aud": [ "rabbitmq" ]
}
```

Example RPT token produced by Keycloak:

```json
{
  "authorization": {
    "permissions": [
      {
        "scopes": [ "read", "create", "update", "execute", "delete" ],
        "rsid": "354aa847-74d6-4d70-af58-bf899964a437",
        "rsname": "experiment"
      },
      {
        "scopes": [ "read", "create", "update", "delete" ],
        "rsid": "077ddbe7-f60e-40ad-bcdb-70be6de29741",
        "rsname": "node_type"
      }
    ]
  },
  "scope": "email profile",
  "groups": [ "sys" ]
}
```
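As an added illustration (not code from the plugin, from Keycloak, or from anyone in this thread), the Python below contrasts the two token shapes quoted above: reading only the top-level `scope` claim, as the issue describes the plugin doing, yields nothing usable from the RPT, whereas reading `authorization.permissions` does. The `KEYCLOAK_TO_RABBITMQ` mapping and the handling of string-vs-list scope claims are assumptions for the example, not plugin behaviour.

```python
# Constructed sample claims, mirroring the two token shapes quoted in the issue.
CURRENT_TOKEN = {
    "scope": ["rabbitmq.write:*/*/*", "rabbitmq.configure:*/*/*", "rabbitmq.read:*/*/*"],
    "extra_scope": "rabbitmq.tag:management",
    "aud": ["rabbitmq"],
}
RPT_TOKEN = {
    "authorization": {"permissions": [
        {"scopes": ["read", "create", "update", "execute", "delete"], "rsname": "experiment"},
        {"scopes": ["read", "create", "update", "delete"], "rsname": "node_type"},
    ]},
    "scope": "email profile",
    "groups": ["sys"],
}

PREFIX = "rabbitmq"  # resource server id; scopes for other audiences are ignored


def _as_list(value):
    # Accept both the list form and the space-separated string form of a scope claim.
    return value.split() if isinstance(value, str) else list(value or [])


def top_level_scopes(claims, prefix=PREFIX):
    """Scopes as the issue says the plugin reads them (assumed): the top-level
    `scope` claim plus `extra_scope`, keeping only entries with the resource prefix."""
    candidates = _as_list(claims.get("scope")) + _as_list(claims.get("extra_scope"))
    return [s for s in candidates if s.startswith(prefix + ".")]


# Hypothetical mapping from Keycloak authorization scope names to RabbitMQ
# permission kinds. The issue defines no such mapping; chosen for illustration.
KEYCLOAK_TO_RABBITMQ = {
    "read": "read", "create": "configure", "delete": "configure",
    "update": "write", "execute": "write",
}


def rpt_permission_scopes(claims, vhost="*", prefix=PREFIX, mapping=KEYCLOAK_TO_RABBITMQ):
    """Derive RabbitMQ-style scopes from a Keycloak RPT's
    `authorization.permissions`, using `rsname` as the resource name pattern."""
    perms = claims.get("authorization", {}).get("permissions", [])
    scopes = []
    for perm in perms:
        kinds = sorted({mapping[s] for s in perm.get("scopes", []) if s in mapping})
        scopes += [f"{prefix}.{kind}:{vhost}/{perm['rsname']}/*" for kind in kinds]
    return scopes
```

Running `top_level_scopes(RPT_TOKEN)` returns an empty list, which is the gap the feature request is about; `rpt_permission_scopes(RPT_TOKEN)` shows one way per-resource permissions could be turned into the scope form the plugin expects.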