Use KeyCloak as OAuth 2.0 server
Let's test the following 3 OAuth flows:
- Access management UI via a browser
- Access management rest api
- Access AMQP protocol
Prerequisites to follow this guide
- Docker
- make
Deploy Key Cloak
-
First, deploy Key Cloak. It comes preconfigured with all the required scopes, users and clients.
-
Run the following command to start Key Cloak server:
make start-keycloak
Key Cloak comes configured with its own signing key. And the rabbitmq.config used by
make start-keycloak
is also configured with the same signing key. -
Access KeyCloak management interface go to http://0.0.0.0:8080/ and enter
admin
as username and password.
There is a dedicated KeyCloak realm called Test
configured as follows:
- You configured an rsa signing key
- And a rsa provider
- And three clients:
rabbitmq-client-code
for the rabbitmq managament UI,mgt_api_client
to access via the management api andproducer
to access via AMQP protocol.
Start RabbitMQ
Run the command below to start RabbitMQ configured with the KeyCloak server we started in the previous section:
export MODE=keycloak
make start-rabbitmq
Access Management api
Access the management api using the client mgt_api_client which has the scope rabbitmq.tag:administrator.
make curl-keycloak url=http://localhost:15672/api/overview client_id=mgt_api_client secret=LWOuYqJ8gjKg3D2U8CJZDuID3KiRZVDa
Access AMQP protocol with PerfTest
To test OAuth 2.0 authentication with AMQP protocol you are going to use RabbitMQ PerfTest tool which uses RabbitMQ Java Client.
First you obtain the token and pass it as a parameter to the make target start-perftest-producer-with-token
.
make start-perftest-producer-with-token PRODUCER=producer TOKEN=$(bin/keycloak/token producer kbOFBXI9tANgKUq8vXHLhT6YhbivgXxn)
NOTE: Initializing an application with a token has one drawback: the application cannot use the connection beyond the lifespan of the token. See the next section where you demonstrate how to refresh the token.
Access AMQP protocol with Pika
In the following information, OAuth 2.0 authentication is tested with the AMQP protocol and the Pika library. These tests specifically demonstrate how to refresh a token on a live AMQP connection.
The sample Python application can be found on GitHub.
To run this sample code proceed as follows:
python3 --version
pip install pika
pip install requests
python3 pika-client/producer.py producer kbOFBXI9tANgKUq8vXHLhT6YhbivgXxn
Note: Ensure you install pika 1.3
Access Management UI
- Go to http://localhost:15672.
- Click on the single button on the page which redirects to Key Cloak to authenticate.
- Enter
rabbit_admin
andrabbit_admin
and you should be redirected back to RabbitMQ Management fully logged in.
Stop keycloak
make stop-keycloak
Notes about setting up KeyCloak
Configure JWT signing Keys
- At the realm level, you go to
Keys > Providers
tab. - Create one of type
rsa
and you enter the private key and certificate of the public key. - In this repository you do not have yet the certificate for the public key but it is easy to generate. Give it priority
101
or greater than the rest of available keys so that it is picked up when you request a token.
IMPORTANT: You cannot hard code the kid hence you have to add the key to RabbitMQ via the command
docker exec -it rabbitmq rabbitmqctl add_uaa_key Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk --pem-file=conf/public.pem
or you have to modify the RabbitMQ configuration so that it says Gnl2ZlbRh3rAr6Wymc988_5cY7T5GuePd5dpJlXDJUk
rather than legacy-token-key
.
Configure Client
For backend applications which uses Client Credentials flow, you can create a Client with:
- Access Type :
public
- Turn off
Standard Flow
,Implicit Flow
, andDirect Access Grants
- With Service Accounts Enabled on. If it is not enabled you do not have the tab
Credentials
- In the
Credentials
tab, you have theclient id
Configure Client scopes
Default Client Scope are scopes automatically granted to every token. Whereas Optional Client Scope are scopes which are only granted if they are explicitly requested during the authorization/token request flow.
Include appropriate aud claim
You must configure a Token Mapper of type Hardcoded claim with the value of rabbitmq's resource_server_id*. You can configure Token Mapper either to a Client scope or to a Client.