Version: Next

Use OAuth2 Proxy and Keycloak as OAuth 2.0 server

This guide explains how to set up OAuth 2.0 for RabbitMQ and OAuth2 Proxy as Authorization Server using the following flows:

  • Access the RabbitMQ Management UI using a browser through OAuth2 Proxy
                      [ Keycloak ]  3. authenticate
                          /|\  |
                           |   | 4. token
              2. redirect  |  \|/                                [ RabbitMQ ]
           [ Oauth2-Proxy ] ----5. forward with token-->          [ http ]
                  /|\
                   |
            1. rabbit_admin from a browser

Prerequisites for Using OAuth 2 Proxy and Keycloak

  • Docker
  • make
  • A local clone of the GitHub repository, branch next, which contains all the configuration files and scripts used in this example.
  • The following entries in your /etc/hosts file. Without these entries you will get DNS errors in the browser:
localhost keycloak rabbitmq oauth2-proxy
Info: make start-keycloak and make start-oauth2-proxy generate the TLS certificates and private keys they need. These certificates have an expiration date.

If you see error messages that hint at expired or invalid certificates, stop Keycloak and OAuth2 Proxy, run make clean-certs to regenerate the certificates and private keys, then restart Keycloak and the proxy.

Deploy Keycloak

Deploy Keycloak by running the following command:

make start-keycloak

To access the Keycloak Management UI, go to https://keycloak:8443/ and enter admin as both username and password.

There is a dedicated Keycloak realm called Test configured as follows:

Start OAuth2 Proxy

To start OAuth2 Proxy, run the following command:

make start-oauth2-proxy

OAuth2 Proxy is configured using the Alpha configuration format. This configuration inserts the access token into the HTTP Authorization header of the requests it forwards to RabbitMQ.

Start RabbitMQ

To start RabbitMQ, run the following command:

MODE=oauth2-proxy make start-rabbitmq

NOTE: OAuth2 Proxy requires the aud claim to match its client ID, whereas RabbitMQ requires aud to match rabbitmq, the designated resource_server_id. Because it has not been possible to configure Keycloak to issue tokens carrying both values, rabbitmq.conf contains the setting below, which disables validation of the audience claim. With this setting RabbitMQ accepts any token signed by the trusted issuer regardless of the audience it was issued for, so the audience check no longer restricts which clients' tokens the broker will honour.

auth_oauth2.verify_aud = false
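To see the audience mismatch described above for yourself, the following added example (not part of the RabbitMQ documentation or the repository) decodes the claims of a token obtained through the proxy and reports whether its aud satisfies OAuth2 Proxy's check and whether it would satisfy RabbitMQ's check with verify_aud left enabled. The proxy client ID oauth2-proxy-client and the sample token are constructed placeholders; the code only reads claims and does not verify the signature.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audiences(claims: dict) -> list:
    """RFC 7519 allows 'aud' to be a single string or an array of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def audience_report(token: str, proxy_client_id: str,
                    resource_server_id: str = "rabbitmq") -> dict:
    """Evaluate the token's aud against both consumers' expectations."""
    auds = audiences(jwt_claims(token))
    return {
        "aud": auds,
        "accepted_by_oauth2_proxy": proxy_client_id in auds,
        "accepted_by_rabbitmq_with_verify_aud": resource_server_id in auds,
    }


def _make_unsigned_token(payload: dict) -> str:
    """Build a constructed, unsigned sample token (alg none, dummy signature)."""
    def enc(d: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}.signature"


# Constructed sample: Keycloak issued the token for the proxy's client only,
# which is the situation that forces auth_oauth2.verify_aud = false.
SAMPLE_TOKEN = _make_unsigned_token({
    "iss": "https://keycloak:8443/realms/Test",  # assumed realm URL
    "aud": "oauth2-proxy-client",                # constructed client ID
    "sub": "rabbit_admin",
})

if __name__ == "__main__":
    print(audience_report(SAMPLE_TOKEN, proxy_client_id="oauth2-proxy-client"))
```

To check a real token, paste the value of the Authorization header the proxy forwards (without the Bearer prefix) in place of SAMPLE_TOKEN.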

Access management UI

Go to https://oauth2-proxy:8442/, click the Sign in with Keycloak OIDC link, and enter rabbit_admin as both username and password. You should be redirected to the RabbitMQ management UI.