Open MarcialRosales opened 2 weeks ago
We are trying to login with rabbit's oauth plugin though Azure Active Directory and getting this error: "The 'resource' request parameter is not supported."
It appears that fixing this error is part of this feature you are actively working on, correct? We will patiently wait for it to become available if so, I just wanted to confirm and also document the exact error we are seeing to make it easier for future discovery of this issue.
@andrewclaus that is correct ! It happens when you use Azure/Entra v2 api. It does not happen with v1 though. But v1 will eventually be deprecated by Microsoft.
Is your feature request related to a problem? Please describe.
Some OAuth providers, like Azure/Entra v.2 endpoints, do not accept the request parameter
resource
in the authorization request. And others like Auth0 requires theaudience
parameter. This is a very common request parameter that the majority of OAuth providers support, but not all.Describe the solution you'd like
RabbitMQ currently sends the following request parameters to the authorization endpoint:
resource
whose default value is theresource_server_id
scope
whose value comes frommanagement.oauth_scopes
ormanagement.oauth_resource_servers.$name.oauth_scopes
and if it is not configured it is defaulted toopenid profile
response_type
whose value comes frommanagement.oauth_response_type
and if it is not configured it is defaulted tocode
client_secret
whose value comes frommanagement.oauth_client_secret
if presentclient_id
whose value comes frommanagement.oauth_client
audience
whose value is theresource_server_id
(Required by Auth0)The best approach going forward is to stop providing default values and instead document the appropriate values for each of the supported OAuth providers.
The schema of
rabbitmq_auth_backend_oauth2
andrabbitmq_management
will change to accommodate these changes.if the user configured a custom signing key, the user can configure the
discovery_endpoint_params
as follows:or the following configuration if there is only one resource configured in RabbitMQ configuration.
Given this configuration entry, RabbitMQ uses the
issuer
followed by the default openid's discovery endpoint path (/.well-known/openid-configuration
) orauth_oauth2.discovery_endpoint_path
variable to discover all the openid endpoints. The returnedjwks_uri
endpoint contains theapp_id
query parameter.Auth0's users must change their RabbitMQ configuration as follows: