I have a working application in Spring Boot where I make connections and authenticate to RabbitMQ with properties defined in the application.properties file like below:

```yaml
spring:
  rabbitmq:
    host: xx.xx.xx.111
    port: 5672
    username: user
    password: password
```
Now I want to authenticate every communication to RabbitMQ against OAuth 2 with an access token for read/write actions on queues. For this, for now I am trying to use the Cloud Foundry UAA authorization server. I followed the following links to achieve the above:
- https://www.rabbitmq.com/api-guide.html#oauth2-support
- https://github.com/rabbitmq/rabbitmq-auth-backend-oauth2#examples
I have enabled the following plugins in RabbitMQ:

```
rabbitmq_auth_backend_oauth2,rabbitmq_management
```

and I have updated the local RabbitMQ-specific config file */RabbitMQ/advanced.config with the following details:
```erlang
[
  % Enable auth backend
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
  ]},
  {rabbitmq_management, [
    {enable_uaa, true},
    {uaa_client_id, "rabbit_client"},
    {uaa_location, "http://localhost:8080/uaa"}
  ]},
  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq">>},
    {key_config, [
      {default_key, <<"legacy-token-key">>},
      {signing_keys, #{
        <<"legacy-token-key">> => {map, #{<<"kty">> => <<"MAC">>,
                                          <<"alg">> => <<"HS256">>,
                                          <<"use">> => <<"sig">>,
                                          <<"value">> => <<"tokenKey">>}}
      }}
    ]}
  ]}
].
```
I am using a UAA symmetric signing key in order to decrypt and verify client-provided tokens at RabbitMQ. Then I have my env ready with all basic clients and users set up in both UAA and RabbitMQ. I followed the steps to configure the client, user and their rights from "configure a user and groups".
Now, after setting up all of the above, I wrote a basic Java program to connect to RabbitMQ with OAuth 2 authorization via UAA and was able to successfully connect to RabbitMQ as suggested in Link-1.
But when I want to see the RabbitMQ Management UI, I access http://localhost:15672/ and there I see the RabbitMQ Management page as below

And once I click on 'Click Here to log in', it takes me to the UAA page, which asks me to provide a username and password, which I do, but it doesn't accept my credentials and gives the error shown below.
I was able to successfully log in to RabbitMQ from the Java program with UAA as the authorization server, with the client rabbit_client, the user rabbit_super and grant_type password:
```java
import com.rabbitmq.client.impl.CredentialsProvider;
import com.rabbitmq.client.impl.OAuth2ClientCredentialsGrantCredentialsProvider.OAuth2ClientCredentialsGrantCredentialsProviderBuilder;

// Obtains an access token from UAA with the password grant and hands it to the
// amqp-client ConnectionFactory as the credential for every AMQP connection.
CredentialsProvider credentialsProvider =
        new OAuth2ClientCredentialsGrantCredentialsProviderBuilder()
                .tokenEndpointUri("http://localhost:8080/uaa/oauth/token/")
                .clientId("rabbit_client").clientSecret("rabbit_secret")
                .grantType("password")
                .parameter("username", "rabbit_super")
                .parameter("password", "rabbit_super")
                .build();
```
and when I use the same user and password, rabbit_super and its access_token as the password, on the RabbitMQ Management page where UAA asks me to provide details, it doesn't work and gives the error:

```
Provided credentials are invalid. Please try again.
```

so I checked the backend logs for UAA locally and the log details are as below.
In uaa_event.log:

```
Audit: IdentityProviderAuthenticationFailure ('rabbit_super'): principal=null, origin=[remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>], identityZoneId=[uaa], authenticationType=[uaa]
Audit: UserAuthenticationFailure ('rabbit_super'): principal=72e53395-1c54-4136-b239-34845f09ef96, origin=[remoteAddress=0:0:0:0:0:0:0:1, sessionId=<SESSION>], identityZoneId=[uaa]
Audit: PrincipalAuthenticationFailure ('null'): principal=rabbit_super, origin=[0:0:0:0:0:0:0:1], identityZoneId=[uaa]
```

In uaa.log:

```
ERROR --- SecurityFilterChainPostProcessor$HttpsEnforcementFilter: Uncaught Exception:
org.springframework.security.oauth2.common.exceptions.InvalidGrantException: A redirect_uri can only be used by implicit or authorization_code grant types.
```
I am not sure why the error IdentityProviderAuthenticationFailure ('rabbit_super') is coming; it doesn't understand the user in the UAA IdentityZone. I have set the client rabbit_client in UAA with the grant types password and client_credentials with the gem command below:

```shell
uaac client add rabbit_client --name rabbit_client --scope 'rabbitmq.*' --authorized_grant_types password,client_credentials --authorities rabbitmq --secret rabbit_secret --redirect_uri 'http://localhost:15672'
```

Please assist me with this issue; I am stuck at this point and not sure why the RabbitMQ Management UI doesn't accept rabbit_super and its access_token as the password. The OAuth 2 plugin is enabled on the RabbitMQ server side and the same has been configured locally to use the same OAuth 2 UAA server.
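As an added example (not from the question, RabbitMQ or UAA), the following Python script mints an HS256 token with the `legacy-token-key` / `tokenKey` material from the advanced.config above and then applies the checks the rabbitmq_auth_backend_oauth2 plugin performs before trusting a token: kid lookup, HMAC signature, `exp`, `aud` containing `resource_server_id`, and only `rabbitmq.`-prefixed scopes (the plugin's documented `<resource_server_id>.<permission>:<vhost>/<name>` form) becoming permissions. The claim values and user names used are constructed for the demonstration; the key, kid and resource_server_id are the ones on this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Key material and resource_server_id taken from the advanced.config in the question.
SIGNING_KEYS = {"legacy-token-key": b"tokenKey"}  # kid -> UAA symmetric HMAC secret
RESOURCE_SERVER_ID = "rabbitmq"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, kid: str) -> str:
    """Mint a compact HS256 JWT the way UAA does with a symmetric key (signed, not encrypted)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(h, separators=(",", ":")).encode()) for h in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_for_rabbitmq(token: str, now=None) -> dict:
    """Replicates the OAuth 2 backend's acceptance checks: known kid and alg, valid HMAC,
    not expired, aud contains resource_server_id, scope prefix filter. Raises ValueError otherwise."""
    now = time.time() if now is None else now
    h_b64, p_b64, s_b64 = token.split(".")
    header = json.loads(_b64url_decode(h_b64))
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None or header.get("alg") != "HS256":
        raise ValueError("unknown kid or unsupported alg")
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        raise ValueError("signature check failed")
    claims = json.loads(_b64url_decode(p_b64))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if RESOURCE_SERVER_ID not in aud:
        raise ValueError("aud does not contain resource_server_id")
    prefix = RESOURCE_SERVER_ID + "."
    # Scopes without the resource_server_id prefix (e.g. "openid") grant nothing in RabbitMQ.
    permissions = [s[len(prefix):] for s in claims.get("scope", []) if s.startswith(prefix)]
    return {"user": claims.get("user_name") or claims.get("client_id"), "permissions": permissions}
```

A token that passes `verify_for_rabbitmq` is one the AMQP side will accept as a password; the management UI login is a separate flow through UAA and is not covered by this check.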
