Use auth0.com as OAuth 2.0 server
This guide explains how to set up OAuth 2.0 for RabbitMQ and Auth0 as Authorization Server using the following flows:
- Access management UI via a browser
- Access management HTTP API
- Application authentication and authorization
Prerequisites to follow this guide
- Have an Auth0 account
- Docker
- A local clone of a GitHub repository for branch next that contains all the configuration files and scripts used in this example.
Create RabbitMQ API
In Auth0, resources are mapped to Application APIs.
- After logging into the Auth0 account, go to dashboard > Applications > APIs > Create an API.
- Give it the name rabbitmq. The important thing here is the identifier, which must have the name of the resource_server_id we configured in RabbitMQ. This identifier goes into the audience JWT field. In our case, it is called rabbitmq.
- Choose RS256 as the signing algorithm.
- Enable RBAC.
- Enable Add Permissions in the Access Token.
Configure permissions in RabbitMQ API
- Edit the API we just created with the name rabbitmq.
- Go into Permissions and add the permissions (scopes) this API can grant. You are going to add the following scopes:
rabbitmq.read:*/*
rabbitmq.write:*/*
rabbitmq.configure:*/*
rabbitmq.tag:administrator
Create an OAuth client for the Management UI
By default, for every API we create, an Application gets created using the API's identifier as its name.
An Application requests an OAuth client.
Go to dashboard > Applications, and you should see your application listed. An application gives us a client_id, a client_secret and an HTTP endpoint called Domain from which to request a token.
Create Application rabbitmq-management
An application gives us the client-id and client-secret for the management UI to authenticate on behalf of the end user.
In the settings, choose:
- Application type: Single Page applications
- Allowed Callback URLs: https://localhost:15671/js/oidc-oauth/login-callback.html
- Allowed Web Origins: https://localhost:15671
- Allowed Origins (CORS): https://localhost:15671
Create a User for Management UI Access
Create user
- Go to User Management > Users.
- Create a user. This is the user you will use to log in via the management UI.
Create permissions and grant them
- Go to Roles.
- Create the role called rabbitmq.tag:administrator.
- Go to Permissions and select all the permissions.
- Go to Users and make sure our user is listed; otherwise, add our user to the list of users who have this role.
Configure RabbitMQ to authenticate with Auth0
To configure RabbitMQ you need to gather the following information from Auth0:
- Go to dashboard > Applications > Applications.
- Click on the application rabbitmq-management.
- Take note of the Client ID value.
- Take note of the Domain value.
- Use these values for the Client ID and Domain fields in the RabbitMQ configuration file.
Clone the configuration file conf/auth0/rabbitmq.conf.tmpl as rabbitmq.conf (in the same folder as rabbitmq.conf.tmpl).
Edit rabbitmq.conf and proceed as follows:
- Replace {Client ID} with the value you gathered above.
- Same for {Domain}.
Starting with RabbitMQ 4.1.x, you must configure RabbitMQ to include a URI parameter called audience whose value matches the value of auth_oauth2.resource_server_id.
Earlier RabbitMQ versions always sent this URI parameter. If this additional URI parameter is not configured, Auth0 will consider the token invalid and RabbitMQ will display "No authorized" as the error.
These two configuration lines configure the audience parameter with the value rabbitmq.
Start RabbitMQ
Run the following commands to start RabbitMQ:
export MODE=auth0
make start-rabbitmq
Verify Management UI flows
- Go to the management UI at https://localhost:15671.
- Click on the single button and authenticate with your secondary Auth0 user. You should be redirected back to the management UI.
Auth0 issues an access token like the one below. Its scope claim contains the requested scopes configured in management.oauth_scopes, and its permissions claim contains all the scopes you configured for this user in Auth0. RabbitMQ reads the scopes from the scope claim but also from the claim name configured in auth_oauth2.additional_scopes_key, whose value is permissions.
{
  "iss": "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/",
  "sub": "auth0|66d980b862efcd9f5144f42a",
  "aud": [
    "rabbitmq",
    "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/userinfo"
  ],
  "iat": 1725533554,
  "exp": 1725619954,
  "scope": "openid profile rabbitmq.tag:administrator",
  "azp": "IC1fqsSjkQq2cVsYyHUuQyq30OAYuUv2",
  "permissions": [
    "rabbitmq.configure:*/*",
    "rabbitmq.read:*/*",
    "rabbitmq.tag:administrator",
    "rabbitmq.write:*/*"
  ]
}
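When a login succeeds in Auth0 but RabbitMQ still refuses access, it helps to inspect the token's claims the way the text above describes. The following is an added example, not code from this guide or from RabbitMQ: it approximates the audience check and the merge of the scope and permissions claims, assuming the default scope prefix (resource_server_id followed by a dot); the helper names and the unsigned test token are constructed for illustration.

```python
import base64
import json

RESOURCE_SERVER_ID = "rabbitmq"        # auth_oauth2.resource_server_id
ADDITIONAL_SCOPES_KEY = "permissions"  # auth_oauth2.additional_scopes_key

def decode_payload(jwt):
    """Decode a JWT payload for inspection only; the signature is NOT verified."""
    segment = jwt.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(segment))

def as_list(value):
    """A claim may be a space-separated string or a JSON array."""
    if value is None:
        return []
    return value.split() if isinstance(value, str) else list(value)

def rabbitmq_scopes(claims):
    """Approximate the scopes RabbitMQ derives from the token claims."""
    if RESOURCE_SERVER_ID not in as_list(claims.get("aud")):
        raise ValueError("aud does not contain %r" % RESOURCE_SERVER_ID)
    found = as_list(claims.get("scope")) + as_list(claims.get(ADDITIONAL_SCOPES_KEY))
    prefix = RESOURCE_SERVER_ID + "."  # scopes without this prefix are ignored
    return sorted({s[len(prefix):] for s in found if s.startswith(prefix)})

def unsigned_token(claims):
    """Hypothetical helper: build a constructed token with a fake signature."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "constructed"])

# Claims taken from the example token on this page (sub, iat, exp, azp omitted).
SAMPLE_CLAIMS = {
    "iss": "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/",
    "aud": ["rabbitmq", "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/userinfo"],
    "scope": "openid profile rabbitmq.tag:administrator",
    "permissions": ["rabbitmq.configure:*/*", "rabbitmq.read:*/*",
                    "rabbitmq.tag:administrator", "rabbitmq.write:*/*"],
}

if __name__ == "__main__":
    token = unsigned_token(SAMPLE_CLAIMS)
    for scope in rabbitmq_scopes(decode_payload(token)):
        print(scope)
```

If the permissions claim is missing from a real token, only tag:administrator survives, which points at the "Add Permissions in the Access Token" setting in the Auth0 API.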