代码之家 › 专栏 › 技术社区 › sirineBEJI

在带有Azure AD的rabbitmq上使用OAuth2时拒绝访问

rabbitmq azure-active-directory oauth-2.0 azure

sirineBEJI · 技术社区 · 2 年前

我正在尝试将rabbitmq上的OAuth2与提供商Azure AD一起使用(仅用于管理UI)。我使用的是docker镜像拉比q:3.11管理。

我已经在Azure AD上创建了一个SPA应用程序注册,并将url重定向到管理UI主页。然后我创建了两个应用程序角色:

<client_id>.tag:monitoring
<client_id>.read:*/*

我已在Azure AD上将这些应用程序角色分配给自己。

在rabbitmq方面,我提出了以下配置:

  auth_backends.1 = rabbitmq_auth_backend_oauth2

  auth_backends.2 = internal

  auth_oauth2.https.peer_verification = verify_none #for now

  auth_oauth2.https.peer_verification = verify_none

  auth_oauth2.resource_server_id=<app_registration_client_id>
auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys

  auth_oauth2.default_key = <JWT_key> # I have tried doing this in case of issue with jwt key, I have chosen a key from list

  auth_oauth2.additional_scopes_key=roles

  management.oauth_enabled=true  

  management.oauth_client_id=<app_registration_client_id> 

  management.oauth_client_secret=<app_registration_secret> #not used as I have tried to allowPublic access on app registration


  management.oauth_provider_url=https://login.microsoftonline.com/<client_id>

当我连接到管理UI时,我会使用所用的插件按预期点击此处登录,但当我点击时,我出现了未授权错误。

在rabbitmqlogs中,我有这样的(在调试模式下):

2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>       [{password,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>            <<"eyJ**********8Kw">>}]],
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      []},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,try_authenticate,3,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,86}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,'-check_user_login/2-fun-0-',4,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,51}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,check_user_login,2,
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,36}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_mgmt_util,is_authorized,7,[{file,"rabbit_mgmt_util.erl"},{line,280}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},
2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,368}]}]
2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.

我试图查看JWT令牌的内容标头,结果是我看到了声明“角色”,并在其中看到了我所拥有的角色。。。

我在这里错过了什么?

0 回复 | 直到 2 年前

sirineBEJI 2 年前

所以问题是,插件名称和模块名称之间存在混淆: auth_backends.1 = rabbitmq_auth_backend_oauth2

正确的是: auth_backends.1 = rabbit_auth_backend_oauth2

讨论: https://github.com/rabbitmq/rabbitmq-server/discussions/8512