Skip to content

Deprecate two OAuth2 settings: auth_oauth2.jwks_url and management.metadata_url #12399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 9, 2024
Merged

Deprecate two OAuth2 settings: auth_oauth2.jwks_url and management.metadata_url #12399

merged 7 commits into from
Oct 9, 2024

Conversation

@MarcialRosales
Copy link
Contributor

@MarcialRosales MarcialRosales commented Sep 27, 2024
edited
Loading

Proposed Changes

Implements these 2 features which essentially deprecate two settings:

This PR adds two new settings while keeping the old ones until 4.2.x when they will be removed.
If the user configures the legacy management.oauth_metadata_url or management.oauth_resource_server.$name.oauth_metadata_url variables, RabbitMQ uses it. Else, the RabbitMQ uses the calculated discover endpoint url which uses issuer and discovery_endpoint_path and discovery_endpoint_params.

RabbitMQ will use the legacy auth_oauth2.jwks_url variable unless auth_oauth2.jwks_uri is not set.
If both are set, RabbitMQ favours the new setting, auth_oauth2.jwks_uri.

IMPORTANT NOTE: This PR depends on #12258. Once that PR is merged, this PR should be rebased and then merged.

This PR is accompanied by a docs PR rabbitmq/rabbitmq-website#2084.

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI

Release note

It should be mentioned in the release notes that auth_oauth2.jwks_url and management.oauth_metadata_url are deprecated and in 4.2.0 they will be removed.
Any reference to auth_oauth2.jwks_url should be renamed to auth_oauth2.jwks_uri.
Any reference in the legacy schema to rabbitmq_auth_backend_oauth2.key_config.jwks_url should be replaced by rabbitmq_auth_backend_oauth2.jwks_uri.
Any reference to management.oauth_metadata_url should be removed and instead configure the auth_oauth2.discovery_endpoint_path accordingly. There is a section in the docs that cover this in detail. Likewise with
management.oauth_resource_servers.$name.oauth_metadata_url.

cc @pstack2021

@mergify mergify bot added the bazel label Sep 27, 2024
@MarcialRosales MarcialRosales changed the title Deprecate oauth2 settings Deprecate(Remove+Rename) oauth2 settings Sep 27, 2024
@MarcialRosales MarcialRosales changed the base branch from main to make-some-oauth2-settings-optional September 27, 2024 14:13
@MarcialRosales MarcialRosales self-assigned this Sep 27, 2024
@MarcialRosales MarcialRosales mentioned this pull request Sep 27, 2024
Merged
@MarcialRosales MarcialRosales changed the title Deprecate(Remove+Rename) oauth2 settings Deprecate oauth2 settings Oct 1, 2024
@MarcialRosales MarcialRosales force-pushed the deprecate-oauth2-settings branch from d70d6b2 to 2586207 Compare October 2, 2024 08:12
@mergify mergify bot added the make label Oct 2, 2024
This was referenced Oct 2, 2024
Closed
Closed
@michaelklishin michaelklishin changed the title Deprecate oauth2 settings Deprecate two OAuth2 settings: auth_oauth2.jwks_url and management.metadata_url Oct 4, 2024
@michaelklishin
Copy link
Collaborator

michaelklishin commented Oct 4, 2024

@MarcialRosales can you please resolve the conflicts? Thank you.

@MarcialRosales MarcialRosales force-pushed the deprecate-oauth2-settings branch from 5ab8dd0 to 7ea48d7 Compare October 4, 2024 12:32
@MarcialRosales MarcialRosales force-pushed the make-some-oauth2-settings-optional branch from 0ac9e5f to d98eb17 Compare October 8, 2024 06:17
Base automatically changed from make-some-oauth2-settings-optional to main October 8, 2024 12:23
@MarcialRosales MarcialRosales force-pushed the deprecate-oauth2-settings branch from 7ea48d7 to 12134e3 Compare October 8, 2024 18:23
@michaelklishin michaelklishin marked this pull request as ready for review October 8, 2024 23:27
@michaelklishin
Copy link
Collaborator

michaelklishin commented Oct 9, 2024

@MarcialRosales the suite failures in CI seem very repeatable.

@MarcialRosales MarcialRosales force-pushed the deprecate-oauth2-settings branch from 7fb79ac to 987cee6 Compare October 9, 2024 14:43
@MarcialRosales @michaelklishin
Remove management.oauth_metadata_url
b21a222
@MarcialRosales @michaelklishin
Rename jkws_url to jwks_uri
322a9a9
@MarcialRosales @michaelklishin
Deprecate jwks_url but it is still supported
ee8d5f7 
jwks_uri takes precedence when both are set
@MarcialRosales @michaelklishin
Deprecate oauth_metadata_url
c9d5ddf 
If oauth_metadata_url is configured, RabbitMQ uses it.
Else it uses the discovery_endpoint url calculated from
issuer and discovery_endpoint_path
@MarcialRosales @michaelklishin
Resolve merge conflicts
0835c7e
@MarcialRosales @michaelklishin
Fix failing test cases
0c8dadd
@MarcialRosales @michaelklishin
Fix issue
0f1b876
@michaelklishin michaelklishin force-pushed the deprecate-oauth2-settings branch from 987cee6 to 0f1b876 Compare October 9, 2024 15:01
@michaelklishin
Copy link
Collaborator

michaelklishin commented Oct 9, 2024

The forced push was a rebase on top of main to get #12500.

@michaelklishin michaelklishin added this to the 4.1.0 milestone Oct 9, 2024
@michaelklishin michaelklishin merged commit 9893a2b into main Oct 9, 2024
291 checks passed
@michaelklishin michaelklishin deleted the deprecate-oauth2-settings branch October 9, 2024 15:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelklishin michaelklishin michaelklishin approved these changes

@pstack2021 pstack2021 Awaiting requested review from pstack2021

Assignees

@MarcialRosales MarcialRosales

Labels

make rabbitmq-auth-backend-oauth2

Projects

None yet

Milestone

4.1.0

Development

Successfully merging this pull request may close these issues.

3 participants

@MarcialRosales @michaelklishin