Access denied when using OAuth2 with rabbitmq in Azure AD

hlswsv35 published on 2023-06-21 in RabbitMQ

I am trying to use OAuth2 on rabbitmq with Azure AD as the provider (for the management UI only). I am using the docker image rabbitmq:3.11-management.
I created an SPA app registration on Azure AD, with the redirect URL pointing to the management UI home page. Then I created two app roles:

  <client_id>.tag:monitoring
  <client_id>.read:*/*

I assigned these app roles to myself on Azure AD.
On the rabbitmq side, I put this configuration:

  auth_backends.1 = rabbitmq_auth_backend_oauth2
  auth_backends.2 = internal
  auth_oauth2.https.peer_verification = verify_none #for now
  auth_oauth2.https.peer_verification = verify_none
  auth_oauth2.resource_server_id=<app_registration_client_id>
  auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys
  auth_oauth2.default_key = <JWT_key> # I have tried doing this in case of issue with jwt key, I have chosen a key from list
  auth_oauth2.additional_scopes_key=roles
  management.oauth_enabled=true
  management.oauth_client_id=<app_registration_client_id>
  management.oauth_client_secret=<app_registration_secret> #not used as I have tried to allowPublic access on app registration
  management.oauth_provider_url=https://login.microsoftonline.com/<client_id>

When I connect to the management UI, I get the "Click here to log in" button, as expected with the plugin in use, but when I click it I get a "not authorized" error.
In the rabbitmq logs I have the following (in debug mode):

  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{password,
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> <<"eyJ**********8Kw">>}]],
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> []},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,try_authenticate,3,
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,86}]},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,'-check_user_login/2-fun-0-',4,
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,51}]},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_access_control,check_user_login,2,
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{file,"rabbit_access_control.erl"},{line,36}]},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {rabbit_mgmt_util,is_authorized,7,[{file,"rabbit_mgmt_util.erl"},{line,280}]},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},
  2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> {cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,368}]}]
  2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.

I tried looking at the content of the JWT token, and I can see the "roles" claim, in which I see the roles I have...
What am I missing?

dkqlctbz

So here is the problem: it was a confusion between the plugin name and the module name: auth_backends.1 = rabbitmq_auth_backend_oauth2
The correct value is: auth_backends.1 = rabbit_auth_backend_oauth2
Discussion: https://github.com/rabbitmq/rabbitmq-server/discussions/8512
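The `undef` in the debug log is the tell: the `auth_backends` value names a module that does not exist, so the backend call cannot even be dispatched. The following is an added example (not code from the question, the answer, or the RabbitMQ project) of a small pre-flight check a practitioner could run before restarting the broker. It parses a rabbitmq.conf-style snippet, flags `auth_backends.N` values that use the plugin-name prefix `rabbitmq_` instead of the module prefix `rabbit_`, and then decodes the payload of a JWT (no signature verification; this is claim inspection only) to show how entries in the `roles` claim map onto RabbitMQ tags and permission scopes under the documented `<resource_server_id>.<scope>` convention. The set of backend names and aliases, the placeholder client id and the sample token are all assumptions constructed for this example.

```python
"""Pre-flight checks for a rabbitmq.conf + Azure AD OAuth2 setup (illustrative example)."""
import base64
import json
import re

# Backend module names accepted by auth_backends.N, plus the short aliases RabbitMQ
# expands. This set is an assumption for the example; check the docs for your version.
KNOWN_BACKENDS = {
    "rabbit_auth_backend_internal",
    "rabbit_auth_backend_oauth2",
    "rabbit_auth_backend_ldap",
    "rabbit_auth_backend_http",
    "rabbit_auth_backend_cache",
}
ALIASES = {"internal", "ldap", "http", "cache"}


def parse_rabbitmq_conf(text):
    """Parse the sysctl-style 'key = value' format, dropping '#' comments and blank lines."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def check_auth_backends(conf):
    """Return (key, value, problem) tuples for auth_backends entries that will not load."""
    problems = []
    for key, value in sorted(conf.items()):
        if not re.fullmatch(r"auth_backends\.\d+", key):
            continue
        if value in KNOWN_BACKENDS or value in ALIASES:
            continue
        if value.startswith("rabbitmq_auth_backend_"):
            # The plugin is called rabbitmq_auth_backend_oauth2, the module rabbit_auth_backend_oauth2.
            fix = value.replace("rabbitmq_", "rabbit_", 1)
            problems.append((key, value, f"plugin name, not module name; use {fix}"))
        else:
            problems.append((key, value, "unknown backend module"))
    return problems


def decode_jwt_claims(token):
    """Decode the payload segment of a JWT WITHOUT verifying the signature (inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding stripped by base64url
    return json.loads(base64.urlsafe_b64decode(payload))


def scopes_from_roles(claims, resource_server_id, scopes_key="roles"):
    """Keep only entries prefixed with '<resource_server_id>.' (the documented scope
    convention, assumed here) and split them into tags and permission scopes."""
    prefix = resource_server_id + "."
    tags, permissions = [], []
    for entry in claims.get(scopes_key, []):
        if not entry.startswith(prefix):
            continue  # roles meant for another resource server are ignored
        scope = entry[len(prefix):]
        if scope.startswith("tag:"):
            tags.append(scope[len("tag:"):])
        else:
            permissions.append(scope)
    return {"tags": tags, "permissions": permissions}


def _b64url(obj):
    """base64url-encode a JSON object the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")


# Constructed sample data: placeholder client id, unsigned token, and a conf mirroring the question.
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"aud": CLIENT_ID, "roles": [f"{CLIENT_ID}.tag:monitoring",
                                         f"{CLIENT_ID}.read:*/*",
                                         "other-app.tag:administrator"]}),
    "constructed-signature",  # not a real signature; never trust claims decoded this way
])
SAMPLE_CONF = f"""
auth_backends.1 = rabbitmq_auth_backend_oauth2   # the typo from the question
auth_backends.2 = internal
auth_oauth2.resource_server_id = {CLIENT_ID}
auth_oauth2.additional_scopes_key = roles
"""

if __name__ == "__main__":
    conf = parse_rabbitmq_conf(SAMPLE_CONF)
    for key, value, problem in check_auth_backends(conf):
        print(f"{key} = {value}: {problem}")
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    print(scopes_from_roles(claims, conf["auth_oauth2.resource_server_id"],
                            conf["auth_oauth2.additional_scopes_key"]))
```

Running it against the sample reports `auth_backends.1` as a plugin name and suggests `rabbit_auth_backend_oauth2`, and shows that of the three roles only the two prefixed with the resource server id survive, yielding the `monitoring` tag and the `read:*/*` permission; the role for the other app is dropped, which is the behaviour you want when one tenant issues tokens for several resource servers.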
