Use OAuth2 Proxy and Keycloak as OAuth 2.0 server
Let's test the following flow:
- Access the RabbitMQ Management UI using a browser through OAuth2 Proxy
                    [ Keycloak ]    3. authenticate
                        /|\  |
                         |   | 4. token
    2. redirect          |  \|/                 [ RabbitMQ ]
                 [ Oauth2-Proxy ] ----5. forward with token-->  [   http   ]
                        /|\
                         |
                 1. rabbit_admin from a browser
Prerequisites for Using OAuth 2 Proxy and Keycloak
- Docker
- make
Deploy Keycloak
Deploy Keycloak by running the following command:
make start-keycloak
Note: Keycloak is preconfigured with the required scopes, users, and clients. It is configured with its own signing key, and the rabbitmq.conf file is configured with that same signing key.
To access the Keycloak Management UI, go to http://0.0.0.0:8080/ and enter admin as both username and password.
There is a dedicated Keycloak realm called Test configured as follows:
- rsa signing key
- rsa provider
- rabbitmq-proxy-client client
Start RabbitMQ
To start RabbitMQ, run the following two commands. The first one tells RabbitMQ to pick up the rabbitmq.conf found under conf/oauth2-proxy/rabbitmq.conf:
export MODE=oauth2-proxy
make start-rabbitmq
NOTE: Oauth2 Proxy requires that the aud claim matches the client's id. However, RabbitMQ requires the aud field to match rabbitmq, which is the designated resource_server_id. Given that it has been impossible to configure Keycloak with both values, rabbitmq.conf has the setting below, which disables validation of the audience claim.
auth_oauth2.verify_aud = false
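To make the effect of that setting concrete, here is an added Python example (not code from RabbitMQ, Keycloak, or Oauth2 Proxy) that models the audience check auth_oauth2.verify_aud switches on and off. It assumes the check is "the aud claim, as a string or a list, must contain the resource_server_id", and it mints its own HS256 tokens with a constructed shared secret so it runs offline; the real deployment uses the realm's RSA key, but the audience logic does not depend on the signature algorithm. The sub, scope and exp values are constructed sample data.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for this example: an HS256 secret standing in for the realm's RSA key.
SECRET = b"example-signing-secret"
RESOURCE_SERVER_ID = "rabbitmq"               # resource_server_id from rabbitmq.conf
KEYCLOAK_CLIENT_ID = "rabbitmq-proxy-client"  # client that Oauth2 Proxy authenticates as


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict) -> str:
    """Mint an HS256 JWT; stands in for a token issued by Keycloak."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_token(token: str, verify_aud: bool = True):
    """Return (accepted, reason). Signature and expiry are always checked;
    the audience check is the part that verify_aud = false turns off."""
    try:
        header, payload, sig = token.split(".")
        signature = _b64url_decode(sig)
        claims = json.loads(_b64url_decode(payload))
    except ValueError:  # covers bad splits, bad base64 and bad JSON
        return False, "malformed token"
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("exp", 0) < time.time():
        return False, "expired"
    if verify_aud:
        aud = claims.get("aud", [])
        if isinstance(aud, str):
            aud = [aud]
        if RESOURCE_SERVER_ID not in aud:
            return False, f"aud {aud} does not contain {RESOURCE_SERVER_ID!r}"
    return True, "ok"


def demo() -> dict:
    """Run three constructed tokens through both settings of verify_aud."""
    exp = int(time.time()) + 300
    scope = "rabbitmq.tag:administrator"
    tokens = {
        # What the page's Keycloak realm issues: aud is the client id, not "rabbitmq".
        "proxy": make_token({"sub": "rabbit_admin", "aud": KEYCLOAK_CLIENT_ID,
                             "scope": scope, "exp": exp}),
        # A token whose aud names the resource server, as RabbitMQ normally requires.
        "rabbit": make_token({"sub": "rabbit_admin", "aud": [RESOURCE_SERVER_ID],
                              "scope": scope, "exp": exp}),
        # A token issued to an unrelated client in the same realm (constructed name).
        "other": make_token({"sub": "someone", "aud": "billing-app", "exp": exp}),
    }
    return {
        "strict": {name: validate_token(t)[0] for name, t in tokens.items()},
        "verify_aud_off": {name: validate_token(t, verify_aud=False)[0]
                           for name, t in tokens.items()},
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

With the strict setting only the "rabbit" token passes; with verify_aud = false all three do, including the one issued to an unrelated client in the realm. What still separates them in RabbitMQ is the scope check, which only grants permissions for scopes prefixed with the resource_server_id (such as rabbitmq.tag:administrator), so with audience validation disabled the scope configuration becomes the gate that should be reviewed.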
Start OAuth2 Proxy
To start OAuth2 Proxy, run the following command:
make start-oauth2-proxy
Oauth2 Proxy is configured using Alpha configuration. This type of configuration inserts the access token into the HTTP Authorization header.
Access Management UI
Go to http://0.0.0.0:4180/, click on the Sign in with Keycloak OIDC link, and enter the credentials rabbit_admin as username and rabbit_admin as password. You should be redirected to the RabbitMQ management UI.