
Commit 33d1c68

Explain new oauth2 settings
1 parent 8ac5fc7 commit 33d1c68

File tree

1 file changed

+24
-1
lines changed
  • versioned_docs/version-3.13/management


versioned_docs/version-3.13/management/index.md

Lines changed: 24 additions & 1 deletion
@@ -403,7 +403,7 @@ management.oauth_scopes = <SPACE-SEPARATED LIST OF SCOPES. See below>
403403
- `oauth_scopes` is a mandatory field which must be set at all times except in the case when OAuth providers automatically grant scopes associated to the `oauth_client_id`. `oauth_scopes` is a list of space-separated strings that indicate which permissions the application is requesting. Most OAuth providers only issue tokens with the scopes requested during the user authentication. RabbitMQ sends this field along with its `oauth_client_id` during the user authentication. If this field is not set, RabbitMQ defaults to `openid profile`.
404404

405405
Given above configuration, when a user visits the management UI, the following two events take place:
406-
1. RabbitMQ uses the URL found in `auth_oauth2.issuer` followed by the path `/.well-known/openid-configuration` to download the OpenID Provider configuration. It contains information about other endpoints such as the `jwks_uri` (used to download the keys to validate the token's signature) or the `token_endpoint`.
406+
1. RabbitMQ uses the URL found in `auth_oauth2.issuer` to download the OpenID Provider configuration. Check out the [OAuth 2.0](./oauth2#discovery-endpoint-params) documentation about OpenId discovery endpoint to learn more about it.
407407

408408
:::warning
409409
If RabbitMQ cannot download the OpenID provider configuration, it shows an error message and OAuth 2.0 authentication is disabled in the management UI.
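Review bot: the rewritten step 1 at 406 drops the concrete detail that the discovery document is fetched from `auth_oauth2.issuer` plus `/.well-known/openid-configuration` and that it supplies `jwks_uri` (keys for signature validation) and `token_endpoint`; if that explanation now lives only behind `./oauth2#discovery-endpoint-params`, confirm that anchor exists in the 3.13 OAuth 2.0 page, otherwise readers lose it entirely. Minor wording on the same line: "about OpenId discovery endpoint" should read "about the OpenID discovery endpoint", matching the "OpenID Provider" spelling used earlier in the sentence.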
@@ -505,6 +505,19 @@ RabbitMQ 3.13.1 and earlier versions require the [OpenId Connect Discovery endpo
505505
There are other two additional scenarios which can trigger a logout. One scenario occurs when the OAuth Token expires. Although RabbitMQ renews the token in the background before it expires, if the token expires, the user is logged out.
506506
The second scenario is when the management UI session exceeds the maximum allowed time configured on the [Login Session Timeout](#login-session-timeout).
507507

508+
### Configure extra parameters for authorization and token endpoints
509+
510+
There are some OAuth 2.0 providers which require users send extra parameters in the `/authorize` request (**authorization endpoint**) and/or in the `/token` request (**token endpoint**). These parameters are custom parameters. The Management UI already sends all the required parameters required by the OAuth 2.0 Authorization Code flow.
511+
512+
For instance, Auth0 requires an extra parameter called `audience` in both endpoints, the **authorization** and **token** endpoint. This is how to configure it:
513+
514+
```ini
515+
management.oauth_authorization_endpoint_params.audience = some-audience-id
516+
management.oauth_token_endpoint_params.audience = some-audience-id
517+
```
518+
519+
You can configure as many parameters as you need.
520+
508521
### Special attention to CSP header `connect-src` {#csp-header}
509522

510523
To support the OAuth 2.0 protocol, RabbitMQ makes asynchronous REST calls to the [OpenId Connect Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest). If you override the default [CSP headers](#csp), you have to make sure that the `connect-src` CSP directive whitelists the [OpenId Connect Discovery endpoint](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfigurationRequest).
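Review bot: two wording issues in the new section at 508-519: "require users send extra parameters" (line 510) should be "require users to send extra parameters", and "all the required parameters required by" repeats itself; suggest "already sends all the parameters required by the OAuth 2.0 Authorization Code flow". It would also help to say what `some-audience-id` stands for (for Auth0, the API identifier registered for the RabbitMQ resource server) so readers do not copy the placeholder literally, and, since the `oauth_authorization_endpoint_params` values are sent by the browser in the `/authorize` request, the text could note that they are visible to the end user and are not a place for secrets.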
@@ -600,6 +613,16 @@ the following settings:
600613
- `resource` : `rabbit_prod`
601614
- `scopes` : `openid rabbitmq.tag:management rabbitmq.read:*/*`
602615

616+
#### Configure extra parameters for authorization and token endpoints
617+
618+
There are some OAuth 2.0 providers which require users send extra parameters in the `/authorize` request (**authorization endpoint**) and/or in the `/token` request (**token endpoint**). These parameters are custom parameters and specified per resource. The Management UI already sends all the required parameters required by the OAuth 2.0 Authorization Code flow.
619+
620+
For instance, Auth0 requires an extra parameter called `audience` in both endpoints, the **authorization** and **token** endpoint. This is how to configure it:
621+
622+
```ini
623+
management.oauth_resource_servers.2.oauth_authorization_endpoint_params.audience = some-audience-id
624+
management.oauth_resource_servers.2.oauth_token_endpoint_params.audience = some-audience-id
625+
```
603626

604627
#### Optionally do not expose some resources in the management UI
605628
