Is your feature request related to a problem? Please describe.
This feature addresses two possible problems users may encounter:
a) their Identity Provider does not expose the OpenId Connect Discovery endpoint at all, or it is missing key endpoints such as end_session_endpoint
b) the Identity Provider does not support CORS when accessing the OpenId Connect Discovery endpoint.
Update: Most likely, the second problem (b) will be addressed on a separate feature request. It is far more involved than anticipated. The idea was to pre-configure the management ui (i.e. oidc-client library) with all the endpoints so that the management ui did not have to hit the openid discovery endpoint. However, the management is still hitting that endpoint to check whether it is reachable before enabling oauth 2.0. The management should use a pre-flight request rather than a standard request to check if the IdP is reachable and at the same time check whether it supports CORS. I am not sure whether the management ui should also check for the other endpoints like the token_endpoint. If the identity provider does not support CORS in any of the OpenID connect endpoints then it is game over and RabbitMQ cannot be integrated with that IdP, at least for the management ui.
Describe the solution you'd like
For these 2 cases, it should be possible to configure (via rabbitmq.conf) all or some of the OpenId Connect endpoints. For instance, if the configuration has the variable auth_oauth2.issuer RabbitMQ would try to connect to the OpenId Connect Discovery endpoint to discover the other endpoints unless all the endpoints required by RabbitMQ are already set via the appropriate configuration variables. In that case, RabbitMQ would not contact the OpenId Connect Discovery endpoint.
The solution described above is what the RabbitMQ oauth2 backend plugin supports for two OpenId Connect endpoints: token_endpoint and jwks_uri. However, the management plugin needs at least two more endpoints. They are authorization_endpoint and end_session_endpoint.
This feature is only for edge case scenarios, as the majority of users of the management UI with OAuth 2.0 authentication rely on the OpenId Connect Discovery endpoint.
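The endpoint-resolution rule sketched above (explicitly configured endpoints win, discovery is only consulted for whatever is still missing) and the pre-flight CORS check mentioned in the update, as an added JavaScript example. This is not RabbitMQ's or oidc-client's code: the function names, the configuration object and the discovery document are constructed for illustration, and the issuer-match check and the https requirement are additions a practitioner would want when mixing static configuration with discovery, not behaviour the issue describes.

```javascript
// Added example (not RabbitMQ's or oidc-client's code): resolve OpenID Connect
// endpoints from static configuration first and from the discovery document
// only for the ones still missing, plus the header check behind a CORS
// pre-flight. All names and sample values are constructed.

// Endpoints the management UI needs, per the issue: the two the oauth2
// backend already supports plus the two the UI additionally requires.
const REQUIRED_ENDPOINTS = [
  "token_endpoint",
  "jwks_uri",
  "authorization_endpoint",
  "end_session_endpoint",
];

// Discovery is only needed when at least one required endpoint is not
// configured explicitly (the "unless all endpoints are already set" rule).
function needsDiscovery(config) {
  return REQUIRED_ENDPOINTS.some((name) => !config[name]);
}

// Every endpoint users are redirected to or keys are fetched from must be
// https; a plaintext URL means tokens or signing keys travel in the clear.
function assertHttps(name, url) {
  if (new URL(url).protocol !== "https:") {
    throw new Error(`${name} must use https: ${url}`);
  }
}

// Combine static configuration with a discovery document (null when the IdP
// exposes none). Configured values win; discovered values fill gaps. The
// document is rejected when its issuer differs from the configured issuer,
// since a mismatched document would steer logins and token validation to
// endpoints the operator never approved.
function resolveEndpoints(config, discoveryDocument) {
  const discoveryUsed = needsDiscovery(config) && discoveryDocument != null;
  if (discoveryUsed && discoveryDocument.issuer !== config.issuer) {
    throw new Error(
      `discovery issuer ${discoveryDocument.issuer} does not match configured issuer ${config.issuer}`,
    );
  }
  const endpoints = {};
  const missing = [];
  for (const name of REQUIRED_ENDPOINTS) {
    const value = config[name] || (discoveryUsed ? discoveryDocument[name] : undefined);
    if (!value) {
      missing.push(name); // neither configured nor discovered: case (a) above
      continue;
    }
    assertHttps(name, value);
    endpoints[name] = value;
  }
  return { endpoints, missing, discoveryUsed };
}

// Evaluate the response headers of a CORS pre-flight (OPTIONS) request, the
// check the update proposes instead of a plain GET. The IdP is usable from
// the browser only if Access-Control-Allow-Origin names the UI's origin, or
// "*" for requests sent without credentials. Header names are compared
// case-insensitively, as HTTP requires.
function corsAllows(origin, responseHeaders, withCredentials = false) {
  const headers = {};
  for (const [key, value] of Object.entries(responseHeaders)) {
    headers[key.toLowerCase()] = value;
  }
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === origin) {
    // A credentialed request additionally needs Access-Control-Allow-Credentials: true.
    return !withCredentials || headers["access-control-allow-credentials"] === "true";
  }
  // Browsers honour the wildcard only for requests without credentials.
  return allowOrigin === "*" && !withCredentials;
}

// Constructed sample: the operator sets the issuer and the two endpoints the
// backend already supports, leaving the UI-only ones to discovery.
const SAMPLE_CONFIG = {
  issuer: "https://idp.example.test/realms/demo",
  token_endpoint: "https://idp.example.test/realms/demo/token",
  jwks_uri: "https://idp.example.test/realms/demo/certs",
};

// Constructed stand-in for the IdP's /.well-known/openid-configuration
// response; end_session_endpoint is deliberately absent (case (a) above).
const SAMPLE_DISCOVERY = {
  issuer: "https://idp.example.test/realms/demo",
  authorization_endpoint: "https://idp.example.test/realms/demo/auth",
  token_endpoint: "https://idp.example.test/realms/demo/token",
  jwks_uri: "https://idp.example.test/realms/demo/certs",
};

console.log(JSON.stringify(resolveEndpoints(SAMPLE_CONFIG, SAMPLE_DISCOVERY), null, 2));
```

With the sample input, `resolveEndpoints` reports `end_session_endpoint` as missing even after discovery, which is exactly the situation where an explicit configuration value is the only way forward; with all four endpoints configured it never consults the discovery document at all.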
Describe alternatives you've considered
No response
Additional context
No response