Use auth0.com as OAuth 2.0 server
This guide explains how to set up OAuth 2.0 for RabbitMQ and Auth0 as Authorization Server using the following flows:
- Access management UI via a browser
- Access management HTTP API
- Application authentication and authorization
Prerequisites to follow this guide
- Have an Auth0 account.
- Docker
- A local clone of a GitHub repository that contains all the configuration files and scripts used on this example
Create RabbitMQ API
In Auth0, resources are mapped to Application APIs.
- After logging into the Auth0 account, go to dashboard > Applications > APIs > Create an API.
- Give it the name
rabbitmq
. The important thing here is theidentifier
which must have the name of the resource_server_id we configured in RabbitMQ. Thisidentifier
goes into theaudience
JWT field. In our case, it is calledrabbitmq
. - Choose
RS256
as the signing algorithm. - Enable RBAC.
- Enable Add Permissions in the Access Token.
Configure permissions in RabbitMQ API
-
Edit the API we just created with the name
rabbitmq
. -
Go into Permissions and add the permissions (scope) this api can grant. You are going to add the following scopes:
rabbitmq.read:*/*
rabbitmq.write:*/*
rabbitmq.configure:*/*
rabbitmq.tag:administrator
Create an OAuth client for the Management UI
By default, for every API we create, an Application gets created using the API's identifier
as its name.
An Application requests an OAuth client.
Go to dashboard > Applications, and you should see your application listed. An application gives us a client_id, a client_secret and a http endpoint called Domain where to claim a token.
Create Application rabbitmq-management
An application gives us the client-id and client-secret for the management UI to authenticate on behalf of the end user.
In the settings, choose:
- Application type :
Single Page applications
- Token Endpoint Authentication Method:
None
- Allowed Callback URLs:
http://localhost:15672/js/oidc-oauth/login-callback.html
- Allowed Web Origins:
http://localhost:15672
- Allowed Origins (CORS):
http://localhost:15672
Create a User for Management UI Access
Create user
- Go to User Management > Users.
- Create a user. This is the user you will use to login via the management UI.
Create permissions and grant them
- Go to Roles.
- Create the role called
rabbitmq.tag:administrator
. - Go to Permissions and select all the permissions.
- Go to Users and make sure our user is listed else add our user to the list of users which have this role.
Configure RabbitMQ to authenticate with Auth0
To configure RabbitMQ you need to gather the following information from Auth0:
- Go to dashboard > Applications > Applications.
- Click on the application
rabbitmq-management
. - Take note of the Client ID value
- And take note of the Domain value
- Use the last values in Client ID and Domain fields in the RabbitMQ configuration file
Edit the configuration file conf/auth0/rabbitmq.conf and replace {CLIENT_ID}
and {DOMAIN}
with the
values you gathered above.
Start RabbitMQ
Run the following commands to start RabbitMQ:
export MODE=auth0
make start-rabbitmq
Verify Management UI flows
- Go to management UI
http://localhost:15672
. - Click on the single button, authenticate with your secondary Auth0 user. You should be redirected back to the management UI.
Auth0 issues an access token like this one below. It has in the scope
claim
the requested scopes configured in management.oauth_scopes
, and in the permissions
claim all the scopes you configured for this user in Auth0. RabbitMQ read the scopes from the scope
claim but also from the claim name configured in auth_oauth2.additional_scopes_key
whose value is permissions
.
{
"iss": "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/",
"sub": "auth0|66d980b862efcd9f5144f42a",
"aud": [
"rabbitmq",
"https://dev-tm5ebsbbdcbqddcj.us.auth0.com/userinfo"
],
"iat": 1725533554,
"exp": 1725619954,
"scope": "openid profile rabbitmq.tag:administrator",
"azp": "IC1fqsSjkQq2cVsYyHUuQyq30OAYuUv2",
"permissions": [
"rabbitmq.configure:*/*",
"rabbitmq.read:*/*",
"rabbitmq.tag:administrator",
"rabbitmq.write:*/*"
]
}