Not Authorized - OAuth2 plugin not working on Rabbitmq with Azure AD

[codegeass1]

Describe the bug

I am trying to use OAuth2 on rabbitmq with provider Azure AD (only for the management UI). I am using the docker image rabbitmq:3.11-management.

I have created an SPA app registration on Azure AD with a redirection url to the management UI home page. I have then created two app roles :

<client_id>.tag:monitoring
<client_id>.read:*/*

I have assigned those app roles to myself on Azure AD.

On rabbitmq side, I have put this configuration :

  auth_backends.1 = rabbitmq_auth_backend_oauth2

  auth_backends.2 = internal

  auth_oauth2.https.peer_verification = verify_none #for now

  auth_oauth2.https.peer_verification = verify_none

  auth_oauth2.resource_server_id=<app_registration_client_id>

  auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys

  auth_oauth2.default_key = <JWT_key> # I have tried doing this in case of issue with jwt key, I have chosen a key from list

  auth_oauth2.additional_scopes_key=roles

  management.oauth_enabled=true  

  management.oauth_client_id=<app_registration_client_id> 

  management.oauth_client_secret=<app_registration_secret> #not used as I have tried to allowPublic access on app registration


  management.oauth_provider_url=https://login.microsoftonline.com/<client_id>

When I connect to management UI I have the 'Click Here to Login' Button as expected with the used plugin but when I click, I have Not Authorized error:

In rabbitmq logs I have this (in debug mode):

2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>       [{password,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>            <<"eyJ**********8Kw">>}]],
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      []},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,try_authenticate,3,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,86}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,'-check_user_login/2-fun-0-',4,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,51}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,check_user_login,2,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,36}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_mgmt_util,is_authorized,7,[{file,"rabbit_mgmt_util.erl"},{line,280}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,368}]}]
2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-xxxxxxxxxxxxxx' authentication failed with internal error. Enable debug logs to see the real error.

I have tried to see the content headers of the JWT Token and the result is that I see the claim 'roles' and I see in it the roles I have...

What am I missing here ?

Reproduction steps

1. Use Docker image rabbitmq:3.11-management
2. Add configuration on rabbitmq.conf as specified in the bug description.
3. Connect to https://localhost:15671 and Click on "Click here to log in"

Expected behavior

• Being redirected to the Managemnt home page

Additional context

Here is the JWT header :

acr: "1"
aio: "AVQAqXXXXXXXXXXXXXXXX"
amr: (2) ['pwd', 'mfa']
appid: "043f5ce4-xxxxxxxx-xxxxxxxxxxxx"
appidacr: "1"
aud: "043f5ce4-xxxxxxxx-xxxxxxxxxxx" #client_id
exp: 1686042273
family_name: "myLastName"
given_name: "myName"
iat: 1686036886
ipaddr: "<ip_address>"
iss: "https://sts.windows.net/<tenant>/"
name: "My Full Name"
nbf: xxxxxxxxxx
oid: "107143d2XXXXXXXXXX"
onprem_sid: "S-XXXXXXXXXXXX"
rh: "0.xxxxxxxxxxxxxxxxxxx"
roles: (2) ['043f5ce4-45da-478a-xxxxxxxxxxxxx.tag:management', '043f5ce4-45da-478a-xxxxxxxxxxxxx.read:*/*'] 
scp: "User.Read"
sub: "yZAxxxxxxxxxxxxxxxx"
tid: "<tenant>"
unique_name: "xxxxxxxxxx"
upn: "xxxxxxxxx
uti: "xxxxxxxxxx"
ver:  "1.0" 

[michaelklishin]

rabbitmq_auth_backend_oauth2:user_login_authentication/2 is undefined because the name of the module is rabbit_auth_backend_oauth2, not rabbitmq_auth_backend_oauth2.

This is why for a couple of years now, nodes support short backend names, such as http or oauth2 instead of module names:

auth_backends.1 = oauth2
# ...
auth_oauth2.resource_server_id = a_resource_server_id
auth_oauth2.additional_scopes_key = a_custom_scope_key
auth_oauth2.default_key = id1

Our examples guide uses the advanced.config format
for historical reasons. It also has a GitHub repo to go with it.

[michaelklishin]

You are confusing plugin names and module names. If you configure auth_backends.$N.$value as a short value, the name of the module is looked up for you. If you configure it using a module, it must be an actual existing module, which is not necessarily the same as the name of the plugin.

FWIW the names of the authN/authZ plugins have been using the rabbit_ prefix since 2009 or so.

HTTP, LDAP have aliases for module names but apparently not OAuth 2, which was included into the
RabbitMQ distribution around 2019 or so, about a decade later.

Anyhow, rabbit_auth_backend_oauth2 is the module name you want.

[michaelklishin]

@SirineBeji your code snippet does not have any configuration for the backends. I will try to explain what the problem is one more time.

For RabbitMQ to know that it should use OAuth 2, you must configure it as one of (or the only one) the backends. This is almost always done using rabbitmq.conf.

The values can be:

• One of the known shortcuts (http, ldap, I am quite certain that oauth2 should be supported ,too)
• A name of the module provided by one of the enabled plugins

According to the log, you configured rabbitmq_auth_backend_oauth2 as the name of the module but
that module DOES NOT exist, so the code runs into an "undefined function" exception at runtime.

This is because rabbit_auth_backend_oauth2 (rabbit_ not rabbitmq_) is the name of the module.
You can look it up yourself by searching this repository for a file named rabbit_auth_backend_oauth2.erl.

[michaelklishin]

I put that at first as it was specified in doc but that did not work, there is no rabbit_auth_backend_oauth2, here is the list of plugins : you can see it is rabbitmq_auth_backend_oauth2 and not rabbit_auth_backend_oauth2

The name of the module that implements the authN and authZ backend behavior (interface in Erlang speak) will not necessarily match the name of the plugin. In the OAuth 2 plugin, it does not.

[michaelklishin]

Apparently there is no shortcut for oauth2 and the shortcuts are
specific to the rabbitmq.conf "new style" format.

Well, that's easy to correct.

Those who use the advanced.config with the classic config/Erlang term format must specify rabbit_auth_backend_oauth2 for backend name. That's rabbit_ in the beginning, not rabbitmq_.

[codegeass1]

I was checking the error in the repository, and I was surprised that did not go any further to call any function from that rabbit_auth_backend_oauth2.erl... Thank you for reactivity and thank you for your time, I did not pay attention to the module name assuming it was the plugin name. I spent hours on it :)

Now I see a better error ! I'll check, thank you !

[michaelklishin]

Happy that you managed to figure it out :)

I'm working on some doc improvements and a rabbitmq.conf backend alias as we speak.

[michaelklishin]

@SirineBeji this is not a bug but a result of a misconfiguration. Imagine configuring a class in a JVM-based application and making a mistake in the name. You will get a NoClassDefFoundError at runtime.

This is exactly what you are looking at here, just not in a JVM-based language.

[codegeass1]

This is misconfiguration, thank you for your answer.

[michaelklishin]

rabbitmq/rabbitmq-website@78287d3 should make this kind confusion less likely.