
Access denied when using OAuth2 on RabbitMQ with Azure AD

  •  0
  • sirineBEJI  · Tech Community  · 2 years ago

    I am trying to use OAuth2 on RabbitMQ with Azure AD as the provider (for the management UI only). I am using the docker image rabbitmq:3.11-management.

    I have created an SPA app registration on Azure AD, with the redirect URL pointing to the management UI home page. Then I created two app roles:

    <client_id>.tag:monitoring
    <client_id>.read:*/*
    

    I have assigned these app roles to myself in Azure AD.

    On the RabbitMQ side, I came up with the following configuration:

    auth_backends.1 = rabbitmq_auth_backend_oauth2
    auth_backends.2 = internal
    auth_oauth2.https.peer_verification = verify_none #for now
    auth_oauth2.https.peer_verification = verify_none
    auth_oauth2.resource_server_id=<app_registration_client_id>
    auth_oauth2.jwks_url=https://login.microsoftonline.com/<tenant>/discovery/v2.0/keys
    auth_oauth2.default_key = <JWT_key> # I have tried doing this in case of issue with jwt key, I have chosen a key from list
    auth_oauth2.additional_scopes_key=roles
    management.oauth_enabled=true
    management.oauth_client_id=<app_registration_client_id>
    management.oauth_client_secret=<app_registration_secret> #not used as I have tried to allowPublic access on app registration
    management.oauth_provider_url=https://login.microsoftonline.com/<client_id>
    

    When I connect to the management UI, I get the "Click here to log in" button as expected with the plugin in use, but when I click it I get an Unauthorized error.

    In the RabbitMQ logs I have this (in debug mode):

    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> [{rabbitmq_auth_backend_oauth2,user_login_authentication,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [<<"043f5ce4-45da-478a-8c74-f7b799859141">>,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>       [{password,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>            <<"eyJ**********8Kw">>}]],
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      []},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,try_authenticate,3,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,86}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,'-check_user_login/2-fun-0-',4,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,51}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {lists,foldl,3,[{file,"lists.erl"},{line,1350}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_access_control,check_user_login,2,
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>      [{file,"rabbit_access_control.erl"},{line,36}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {rabbit_mgmt_util,is_authorized,7,[{file,"rabbit_mgmt_util.erl"},{line,280}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,call,3,[{file,"src/cowboy_rest.erl"},{line,1575}]},
    2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0>  {cowboy_rest,is_authorized,2,[{file,"src/cowboy_rest.erl"},{line,368}]}]
    2023-06-06 06:04:20.427353+00:00 [warning] <0.15140.0> HTTP access denied: User '043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with internal error. Enable debug logs to see the real error.
    

    I tried looking at the content of the JWT token header, and I do see the claim "roles" with the roles I have in it...

    What am I missing here?

    0 replies  |  2 years ago
        1
  •  0
  •   sirineBEJI    2 years ago

    So the problem was a confusion between the plugin name and the module name: auth_backends.1 = rabbitmq_auth_backend_oauth2

    The correct one is: auth_backends.1 = rabbit_auth_backend_oauth2

    Discussion: https://github.com/rabbitmq/rabbitmq-server/discussions/8512
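A small pre-deployment lint for exactly this mistake, as an added example that is not part of the original question or answer and not RabbitMQ's own tooling. It parses a rabbitmq.conf-style file, flags `auth_backends.N` values that use the plugin name (`rabbitmq_auth_backend_*`) instead of the Erlang module name (`rabbit_auth_backend_*`), flags duplicate keys and unfilled `<placeholder>` values, and extracts from the debug log the module that Erlang reported as `undef`. The short alias `internal` appears in the question; the other aliases in `KNOWN_ALIASES` are assumed from the RabbitMQ config schema. The sample config and log lines are constructed from the post (no secrets).

```python
"""Lint rabbitmq.conf auth_backends entries and explain the 'error:undef' log.

Added example, not from the original post. The failure on the page is that
auth_backends.1 named the plugin (rabbitmq_auth_backend_oauth2) rather than the
Erlang module (rabbit_auth_backend_oauth2); Erlang then reports 'undef' when the
broker tries to call Module:user_login_authentication/2.
"""
import re
from typing import List, Optional, Tuple

# 'internal' is used in the question; the remaining aliases are an assumption
# taken from the RabbitMQ config schema, not from the page.
KNOWN_ALIASES = {"internal", "ldap", "http", "oauth2", "cache", "amqp", "dummy"}

PLUGIN_NAME_RE = re.compile(r"^rabbitmq_auth_backend_(\w+)$")   # the mistake
MODULE_NAME_RE = re.compile(r"^rabbit_auth_backend_\w+$")        # what is expected
AUTH_BACKEND_KEY_RE = re.compile(r"^auth_backends\.\d+$")
PLACEHOLDER_RE = re.compile(r"<[^>]+>")

# Debug-log patterns copied from the question's log excerpt.
UNDEF_RE = re.compile(r"authentication failed with error:undef")
MODULE_CALL_RE = re.compile(r"\[\{(\w+),user_login_authentication,")

# Constructed sample input mirroring the question's config (placeholders kept).
SAMPLE_CONF = """\
auth_backends.1 = rabbitmq_auth_backend_oauth2
auth_backends.2 = internal
auth_oauth2.https.peer_verification = verify_none #for now
auth_oauth2.https.peer_verification = verify_none
auth_oauth2.resource_server_id=<app_registration_client_id>
management.oauth_enabled=true
"""

# Constructed sample log, two lines taken from the question's excerpt.
SAMPLE_LOG = [
    "2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> User "
    "'043f5ce4-45da-478a-8c74-f7b799859141' authentication failed with error:undef:",
    "2023-06-06 06:04:20.426917+00:00 [debug] <0.15140.0> "
    "[{rabbitmq_auth_backend_oauth2,user_login_authentication,",
]


def parse_conf(text: str) -> List[Tuple[str, str]]:
    """Return (key, value) pairs; blank and '#' lines are skipped.
    Trailing '# ...' text is stripped here for linting purposes only."""
    pairs: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        pairs.append((key, value))
    return pairs


def suggest_backend(value: str) -> Optional[str]:
    """Map a mistaken plugin name to the module name, or None if not that mistake."""
    match = PLUGIN_NAME_RE.match(value)
    return f"rabbit_auth_backend_{match.group(1)}" if match else None


def lint_conf(text: str) -> List[str]:
    """Findings for auth_backends naming, duplicate keys and unfilled placeholders."""
    findings: List[str] = []
    seen_keys = set()
    for key, value in parse_conf(text):
        if key in seen_keys:
            findings.append(f"duplicate key: {key}")
        seen_keys.add(key)
        if PLACEHOLDER_RE.search(value):
            findings.append(f"unfilled placeholder in {key}: {value}")
        if AUTH_BACKEND_KEY_RE.match(key):
            if value in KNOWN_ALIASES or MODULE_NAME_RE.match(value):
                continue
            fix = suggest_backend(value)
            if fix:
                findings.append(
                    f"{key} = {value} is the plugin name; use the module name {fix}")
            else:
                findings.append(f"{key} = {value} is not a known auth backend")
    return findings


def undef_module(log_lines: List[str]) -> Optional[str]:
    """Return the module Erlang could not find after an 'error:undef' line."""
    saw_undef = False
    for line in log_lines:
        if UNDEF_RE.search(line):
            saw_undef = True
            continue
        if saw_undef:
            match = MODULE_CALL_RE.search(line)
            if match:
                return match.group(1)
    return None


if __name__ == "__main__":
    for finding in lint_conf(SAMPLE_CONF):
        print("conf:", finding)
    module = undef_module(SAMPLE_LOG)
    if module:
        print(f"log: module {module} is undefined; did you mean {suggest_backend(module)}?")
```

The `undef` in the debug log is the decisive clue: the broker resolved `auth_backends.1` to an atom, tried to call that module's `user_login_authentication/2`, and Erlang reported that no such module is loaded, which is why the management UI only shows a generic "internal error" until debug logging is enabled.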