Describe the bug
When configuring multiple oauth2 resource servers, additional_scopes_key is not taken into account, which leads to unauthorized access.
Reproduction steps
Register a resource server using auth_oauth2.resource_servers.$name.additional_scopes_key without specifying auth_oauth2.additional_scopes_key.
Grant the administrator tag for the Management UI (or other RabbitMQ permissions) using this field in the resource server.
Attempting to log in to the Management UI results in "Not authorized".
Expected behavior
RabbitMQ should correctly read additional scopes from the additional_scopes_key and grant access to the Management UI.
Additional context
By looking at the code for rabbitmq_auth_backend_oauth2, it looks like it reads the property extra_scopes_source, which is correctly mapped for auth_oauth2.additional_scopes_key, but not for auth_oauth2.resource_servers.$name.additional_scopes_key.
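
A configuration check for the condition in the reproduction steps, added here as an example (not code from the RabbitMQ project or from the reporter): it lists resource servers that set a per-server additional_scopes_key while the global auth_oauth2.additional_scopes_key is absent. The sample configuration, the resource server names, the id values and the claim name extra_scope are constructed for illustration.

```python
import re

# Per-resource-server key named in the report; the $name part is captured.
PER_SERVER = re.compile(
    r"^auth_oauth2\.resource_servers\.([^.]+)\.additional_scopes_key$"
)
GLOBAL_KEY = "auth_oauth2.additional_scopes_key"

# Constructed sample: one resource server relies only on the per-server key.
SAMPLE_AFFECTED = """
# constructed rabbitmq.conf fragment
auth_oauth2.resource_servers.prod.id = rabbit_prod
auth_oauth2.resource_servers.prod.additional_scopes_key = extra_scope
auth_oauth2.resource_servers.dev.id = rabbit_dev
"""

# Same fragment with the global key also set (outside the reported condition).
SAMPLE_GLOBAL = SAMPLE_AFFECTED + GLOBAL_KEY + " = extra_scope\n"


def parse_conf(text):
    """Parse 'key = value' lines, skipping blank lines and # comment lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def affected_resource_servers(text):
    """Return {name: claim} for resource servers matching the reproduction
    steps: per-server additional_scopes_key set, global key not set."""
    settings = parse_conf(text)
    if GLOBAL_KEY in settings:
        return {}
    found = {}
    for key, value in settings.items():
        match = PER_SERVER.match(key)
        if match:
            found[match.group(1)] = value
    return found


if __name__ == "__main__":
    for name, claim in affected_resource_servers(SAMPLE_AFFECTED).items():
        print(f"resource server {name!r}: scopes claim {claim!r} may be ignored")
```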