rabbitmq / rabbitmq-server

Open source RabbitMQ: core server and tier 1 (built-in) plugins
https://www.rabbitmq.com/

Deprecate `management.metadata_url` and move it to `auth_oauth2.discovery_endpoint_path` #12237

Open MarcialRosales opened 3 weeks ago

MarcialRosales commented 3 weeks ago

Is your feature request related to a problem? Please describe.

The majority of OAuth providers use the standard path .well-known/openid-configuration for their OpenId Discovery endpoint. However, Okta seems to use a slightly different value, .well-known/oauth-authorization-server.

Currently the RabbitMQ management UI has a configuration variable called management.oauth_metadata_url which is used in cases like Okta, where the OpenId Discovery endpoint URL is not compliant with the path specified by the spec.

The configuration variable management.oauth_metadata_url was introduced after RabbitMQ introduced auth_oauth2.issuer. Thanks to auth_oauth2.issuer, RabbitMQ is able to automatically discover all the other endpoints such as jwks_url. However, in this particular case RabbitMQ only accepted the /.well-known/openid-configuration path, which is appended to auth_oauth2.issuer to build the OpenId Discovery endpoint URL.

How may this change affect existing users? There are two types of users who may be affected by this change.

One type of user is currently setting auth_oauth2.issuer, auth_oauth2.jwks_url and management.oauth_metadata_url because their identity provider does not use the standard path .well-known/openid-configuration for the OpenId discovery endpoint. These users will have to remove two settings, management.oauth_metadata_url and auth_oauth2.jwks_url, and add auth_oauth2.discovery_endpoint_path. They clearly benefit from this change even though they have to make these changes.

There is a second type of user who does not want RabbitMQ to discover endpoints such as jwks_uri. They still want to set them by hand. These users, though, would have to remove management.oauth_metadata_url and replace it with two settings: auth_oauth2.issuer and auth_oauth2.discovery_endpoint_path. Setting the issuer does not automatically imply RabbitMQ will try to download the OpenId configuration. If the user configured the jwks_uri, RabbitMQ does not need to download the configuration. However, the management UI will still try to download the OpenId configuration to discover the authorization and token endpoints.

Describe the solution you'd like

The solution proposed here is to add a new configuration variable discovery_endpoint_path to auth_oauth2 and to auth_oauth2.oauth_providers.$name.discovery_endpoint_path.

This change was already implemented by #12258. Once #12258 is fully merged, it does not make sense to support management.oauth_metadata_url.

Describe alternatives you've considered

No response

Additional context

No response
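The two migrations described in the issue, written out as an added rabbitmq.conf example (this is not configuration from the issue or from the project's documentation). The issuer and JWKS URLs are constructed placeholders; `auth_oauth2.resource_server_id` is a standard setting not discussed in this issue and is included only so the fragments are complete.

```ini
# ---- User type 1: provider with a non-standard discovery path (e.g. Okta) ----

# BEFORE: issuer + hand-set jwks_url for the plugin, plus a separate
# management.oauth_metadata_url so the UI can find the discovery document.
# auth_oauth2.resource_server_id = rabbitmq
# auth_oauth2.issuer             = https://idp.example.test             # constructed placeholder
# auth_oauth2.jwks_url           = https://idp.example.test/v1/keys     # constructed placeholder
# management.oauth_metadata_url  = https://idp.example.test/.well-known/oauth-authorization-server

# AFTER: drop management.oauth_metadata_url and auth_oauth2.jwks_url; the plugin
# builds <issuer>/<discovery_endpoint_path> and discovers jwks_uri, the
# authorization endpoint and the token endpoint from that one document.
auth_oauth2.resource_server_id       = rabbitmq
auth_oauth2.issuer                   = https://idp.example.test        # constructed placeholder
auth_oauth2.discovery_endpoint_path  = .well-known/oauth-authorization-server

# ---- User type 2: wants jwks_uri pinned by hand, not discovered ----

# BEFORE (commented out for comparison):
# auth_oauth2.resource_server_id = rabbitmq
# auth_oauth2.jwks_url           = https://idp.example.test/v1/keys     # constructed placeholder
# management.oauth_metadata_url  = https://idp.example.test/.well-known/oauth-authorization-server

# AFTER: keep jwks_url so the auth backend never fetches the discovery
# document; replace management.oauth_metadata_url with issuer + path.
# Caveat from the issue: the management UI still downloads the discovery
# document to find the authorization and token endpoints, so the issuer
# must be reachable from the browser-facing side.
# auth_oauth2.resource_server_id       = rabbitmq
# auth_oauth2.jwks_url                 = https://idp.example.test/v1/keys   # constructed placeholder
# auth_oauth2.issuer                   = https://idp.example.test          # constructed placeholder
# auth_oauth2.discovery_endpoint_path  = .well-known/oauth-authorization-server
```

Only one of the two "AFTER" blocks should be active in a real file; the type-2 variant is left commented so the fragment remains a valid single configuration. A quick sanity check after migrating is to request `<issuer>/<discovery_endpoint_path>` with curl and confirm the JSON contains `jwks_uri`, `authorization_endpoint` and `token_endpoint`, since those are the values the plugin and the UI will now read from it.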

MarcialRosales commented 14 hours ago

Implemented on https://github.com/rabbitmq/rabbitmq-server/pull/12399