Users must explicitly configure oauth2's optional request parameters rather than having RabbitMQ provide a default value

[MarcialRosales]

Is your feature request related to a problem? Please describe.

Some OAuth providers, like Azure/Entra v.2 endpoints, do not accept the request parameter resource in the authorization request. And others like Auth0 requires the audience parameter.

Describe the solution you'd like

RabbitMQ currently sends the following request parameters to the authorization endpoint:

• resource whose default value is the resource_server_id
• scope whose value comes from management.oauth_scopes or management.oauth_resource_servers.$name.oauth_scopes and if it is not configured it is defaulted to openid profile
• response_type whose value comes from management.oauth_response_type and if it is not configured it is defaulted to code
• (optional)client_secret whose value comes from management.oauth_client_secret if present
• client_id whose value comes from management.oauth_client
• audience whose value is the resource_server_id (Required by Auth0)

The best approach going forward is to stop providing default values and instead document the appropriate values for each of the supported OAuth providers.

The schema of rabbitmq_auth_backend_oauth2 and rabbitmq_management will change to accommodate these changes.

Setting RabbitMQ OAuth2 for azure :

If the user does not configure the Azure Registered Application for RabbitMQ with a custom signing key, the user does not need to make any further configuration. Just specify the issuer url pointing to the v2.0 api.

if the user configures a custom signing key, the user can configure the discovery_endpoint_params as follows:

auth_oauth2.discovery_endpoint_params.appid = ${resource_server_id}

or the following configuration if there is only one resource configured in RabbitMQ configuration.

auth_oauth2.discovery_endpoint_params.appid = the_resource_server_id

Given this configuration entry, RabbitMQ uses the issuer followed by the default openid's discovery endpoint path (/.well-known/openid-configuration) or auth_oauth2.discovery_endpoint_path variable to discover all the openid endpoints. The returned jwks_uri endpoint contains the app_id query parameter.

Setting RabbitMQ OAuth2 for auth0 :

Auth0's users must change their RabbitMQ configuration as follows:

auth_oauth2.token_endpoint_params.audience = ${resource_server_id}
auth_oauth2.authorization_endpoint_params.audience = ${resource_server_id}

[andrewclaus]

We are trying to login with rabbit's oauth plugin though Azure Active Directory and getting this error: "The 'resource' request parameter is not supported."

It appears that fixing this error is part of this feature you are actively working on, correct? We will patiently wait for it to become available if so, I just wanted to confirm and also document the exact error we are seeing to make it easier for future discovery of this issue.

[MarcialRosales]

@andrewclaus that is correct ! It happens when you use Azure/Entra v2 api. It does not happen with v1 though. But v1 will eventually be deprecated by Microsoft.

[michaelklishin]

@andrewclaus note that it will ship in 4.1.0 in 2025. So perhaps the optimal strategy for now would be to use the v1 API until then or for as long as Microsoft keeps support it.