Use OAuth2 Proxy and Keycloak as OAuth 2.0 server
This guide explains how to set up OAuth 2.0 for RabbitMQ with Keycloak as the authorization server and OAuth2 Proxy in front of the management UI, using the following flow:
- Access the RabbitMQ Management UI using a browser through OAuth2 Proxy
                    [ Keycloak ]    3. authenticate
                      /|\       |
                       |        | 4. token
        2. redirect    |       \|/                                  [ RabbitMQ ]
                [ Oauth2-Proxy ]   ----5. forward with token-->     [   http   ]
                      /|\
                       |
                    1. rabbit_admin from a browser
Prerequisites for Using OAuth 2 Proxy and Keycloak
- Docker
- make
- A local clone of a GitHub repository (branch next) that contains all the configuration files and scripts used in this example.
- The following entries in your /etc/hosts file. Without these entries you will get DNS errors in the browser.
localhost keycloak rabbitmq oauth2-proxy
NOTE: make start-keycloak or make start-oauth2-proxy generates the TLS certificates and private keys needed for this example. These certificates have an expiration date. If you see any error message that hints at expired or invalid certificates, stop Keycloak and OAuth2 Proxy, run make clean-certs to regenerate the certificates and private keys, then restart Keycloak and the proxy.
Deploy Keycloak
Deploy Keycloak by running the following command:
make start-keycloak
To access the Keycloak management UI, go to https://keycloak:8443/ and enter admin as both username and password.
There is a dedicated Keycloak realm called Test configured as follows:
- an rsa signing key
- an [rsa provider](https://keycloak:8443/admin/master/console/#/realms/test/keys/providers)
- a client named rabbitmq-proxy-client
Start OAuth2 Proxy
To start OAuth2 Proxy, run the following command:
make start-oauth2-proxy
OAuth2 Proxy is configured using its alpha configuration format, which inserts the access token into the HTTP Authorization header of the requests it forwards to RabbitMQ.
Start RabbitMQ
To start RabbitMQ, run the following command:
MODE=oauth2-proxy make start-rabbitmq
NOTE: OAuth2 Proxy requires that the aud claim matches its client id. RabbitMQ, however, requires the aud claim to match rabbitmq, which is the designated resource_server_id. Because it has not been possible to configure Keycloak to issue tokens with both values, rabbitmq.conf has the setting below, which disables validation of the audience claim. With audience validation off, RabbitMQ accepts any token signed by the realm's key regardless of which client it was issued to; the signature, expiry and scope checks still apply.
auth_oauth2.verify_aud = false
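To make the audience mismatch in the note above concrete, here is an added Python example (not code from RabbitMQ, OAuth2 Proxy or this tutorial's repository) that decodes a constructed, unsigned JWT and applies the two audience rules side by side: OAuth2 Proxy's, which wants its own client id in aud, and RabbitMQ's, which wants the resource_server_id, with auth_oauth2.verify_aud toggled. The claim values, the placeholder signature and the helper names are assumptions, and signature verification against Keycloak's RSA key is deliberately left out. It goes slightly beyond the page by also showing that a token whose aud is a list containing both values satisfies both checks without disabling validation, which is plain RFC 7519 behaviour rather than anything this page configures in Keycloak.

```python
import base64
import json

# Constructed sample claims modelled on the flow above: Keycloak issues the
# token to OAuth2 Proxy's client, so "aud" names that client, not RabbitMQ.
# Values are illustrative, not taken from the tutorial's realm configuration.
SAMPLE_CLAIMS = {
    "iss": "https://keycloak:8443/realms/test",
    "aud": "rabbitmq-proxy-client",
    "sub": "rabbit_admin",
    "exp": 1_700_000_600,
    "iat": 1_700_000_000,
    "scope": "openid rabbitmq.tag:administrator rabbitmq.configure:*/*",
}


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding that compact JWT serialisation strips.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a JWT-shaped string for the demo. The signature segment is a
    placeholder; real tokens are RS256-signed by the realm's rsa provider."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.PLACEHOLDER-SIGNATURE"


def decode_claims(token: str) -> dict:
    """Extract the claims segment of a compact JWT without verifying it."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def audiences(claims: dict) -> list:
    """RFC 7519 allows 'aud' to be a single string or an array of strings."""
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def proxy_accepts(claims: dict, client_id: str) -> bool:
    """OAuth2 Proxy's rule from the note: aud must contain its own client id."""
    return client_id in audiences(claims)


def rabbitmq_accepts(claims: dict, resource_server_id: str, verify_aud: bool, now: int):
    """Mirror the checks discussed on this page: expiry always, audience only
    while auth_oauth2.verify_aud is true. Returns (accepted, reason)."""
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    if verify_aud and resource_server_id not in audiences(claims):
        return False, f"aud {audiences(claims)} does not contain {resource_server_id}"
    return True, "ok"


def rabbitmq_tags(claims: dict, resource_server_id: str) -> list:
    """Scopes prefixed '<resource_server_id>.tag:' become management UI tags,
    which is how rabbit_admin ends up with administrator rights in the UI."""
    prefix = f"{resource_server_id}.tag:"
    return [s[len(prefix):] for s in claims.get("scope", "").split() if s.startswith(prefix)]


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    claims = decode_claims(token)
    now = 1_700_000_300  # fixed clock so the demo is deterministic
    print("proxy accepts:", proxy_accepts(claims, "rabbitmq-proxy-client"))
    print("rabbitmq, verify_aud=true: ", rabbitmq_accepts(claims, "rabbitmq", True, now))
    print("rabbitmq, verify_aud=false:", rabbitmq_accepts(claims, "rabbitmq", False, now))
    print("tags:", rabbitmq_tags(claims, "rabbitmq"))
```

Run it directly to see the same token pass the proxy's check and fail RabbitMQ's until verify_aud is false; swap the aud value for a list holding both ids and both checks pass with validation left on.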
Access management UI
Go to https://oauth2-proxy:8442/, click on the Sign in with Keycloak OIDC link, and enter rabbit_admin as both username and password. You should be redirected to the RabbitMQ management UI.