auth_oauth2.preferred_username_claims cannot be set in rabbitmq.conf

[vaceal]

Describe the bug

Hello, using oauth2 plugin with AzureAD, (version 3.12.4)

Adding,

auth_oauth2.preferred_username_claims = name

Result in an error on boot :

2023-11-16 18:25:10.107764+00:00 [error] <0.132.0> You've tried to set auth_oauth2.preferred_username_claims, but there is no setting with that name.
2023-11-16 18:25:10.124931+00:00 [error] <0.132.0> Did you mean one of these?
2023-11-16 18:25:10.295516+00:00 [error] <0.132.0> auth_oauth2.resource_server_id
2023-11-16 18:25:10.295610+00:00 [error] <0.132.0> auth_oauth2.resource_server_type
2023-11-16 18:25:10.295682+00:00 [error] <0.132.0> auth_oauth2.https.peer_verification
2023-11-16 18:25:10.297326+00:00 [error] <0.132.0> Error preparing configuration in phase transform_datatypes:
2023-11-16 18:25:10.297390+00:00 [error] <0.132.0> - Conf file attempted to set unknown variable: auth_oauth2.preferred_username_claims

BOOT FAILED

Error during startup: {error,failed_to_prepare_configuration}

enable_plugin file:

[rabbitmq_management,rabbitmq_peer_discovery_k8s, rabbitmq_auth_backend_oauth2,rabbitmq_prometheus,rabbitmq_shovel,rabbitmq_shovel_management,rabbit_auth_backend_internal].

rabbitmq.conf file:

auth_oauth2.additional_scopes_key = roles
log.console.level = debug
log.console.formatter = json
auth_oauth2.preferred_username_claims = name
auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = rabbit_auth_backend_internal
auth_oauth2.jwks_url = https://login.microsoftonline.com/XXXXXXXXXX/discovery/v2.0/keys
auth_oauth2.resource_server_id = XXXXXXXX
cluster_formation.k8s.address_type = hostname
cluster_formation.k8s.host = kubernetes.default
cluster_formation.node_cleanup.interval = 30
cluster_formation.node_cleanup.only_log_warning = true
cluster_formation.peer_discovery_backend = rabbit_peer_discovery_k8s
cluster_partition_handling = autoheal
loopback_users = none
management.oauth_client_id = XXXXXXXXXX
management.oauth_enabled = true
management.oauth_provider_url = https://login.microsoftonline.com/XXXXXXXXX
queue_master_locator = min-masters
total_memory_available_override_value = 4GB
vm_memory_high_watermark.relative = 0.7

Reproduction steps

1. In the rabbitmq.conf add the 'auth_oauth2.preferred_username_claims = name' line
2. Start RabbitMQ
3. RabbitMQ will not be able to boot

Expected behavior

As per documentation : https://www.rabbitmq.com/oauth2.html#variables-configurable.

This config should work and I should be able to have a valide display name taken from the token.

Additional context

No response

[lukebakken]

Please ensure that you have enabled the OAuth2 plugin - https://www.rabbitmq.com/oauth2.html#how-it-works

Have you confirmed that RabbitMQ is actually using the enabled_plugins file that you provided?

[vaceal]

Yes, it is enabled. When I removed the line, I am able to authenticate and log on the RabbitMQ Management UI using my AzureAD token.

And Yes, RabbitMQ is using the enabled_plugins files.

Here are my logs

Nov 16, 2023 @ 15:48:44.543 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.543 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.533 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.533 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.521 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.521 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.500 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.499 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.474 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.474 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.461 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.461 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.451 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.451 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.444 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.444 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2
Nov 16, 2023 @ 15:48:44.431 debug Computing username from client's JWT token: [<<"user">>] -> user
Nov 16, 2023 @ 15:48:44.431 debug User 'user' authenticated successfully by backend rabbit_auth_backend_oauth2

[vaceal]

My apologies here, it seem that I was confused by the description of the key:

List of JWT claims to look for username associated to the token separated by commas.

But in the rabbitmq.conf file this is done my doing:

auth_oauth2.preferred_username_claims.1 = name

The missing .1 fixed it.

The error was misleading, something about expecting an array and not a string would help.

Thanks for your help!