Use OAuth2 Proxy and Keycloak as OAuth 2.0 server

Let's test the following flow:

  • Access the RabbitMQ Management UI using a browser through OAuth2 Proxy

                    [ Keycloak ]    3. authenticate
                      /|\       |
                       |        | 4. token
        2.redirect     |       \|/                                  [ RabbitMQ ]
                [ Oauth2-Proxy ] ----5. forward with token-------->  [   http   ]
                      /|\
                       |
            1. rabbit_admin from a browser

Prerequisites for Using OAuth 2 Proxy and Keycloak

  • Docker
  • make

Deploy Keycloak

Deploy Keycloak by running the following command:

make start-keycloak

Note: Keycloak is preconfigured with the required scopes, users, and clients. It is configured with its own signing key and the rabbitmq.conf file is also configured with the same signing key.

To access Keycloak Management UI, go to http://0.0.0.0:8080/ and enter admin as username and password.

There is a dedicated Keycloak realm called Test configured as follows:

Start RabbitMQ

To start RabbitMQ, run the following two commands. The first one tells RabbitMQ to pick up the rabbitmq.conf found under conf/oauth2-proxy/rabbitmq.conf.

export MODE=oauth2-proxy
make start-rabbitmq

NOTE: OAuth2 Proxy requires that the aud claim match the client's id. However, RabbitMQ requires the aud field to match rabbitmq, which is the designated resource_server_id. Given that it has not been possible to configure Keycloak with both values, rabbitmq.conf has the setting below, which disables validation of the audience claim.

auth_oauth2.verify_aud = false

Start OAuth2 Proxy

To start OAuth2 Proxy, run the following command:

make start-oauth2-proxy

OAuth2 Proxy is configured using alpha configuration. This type of configuration inserts the access token into the HTTP Authorization header of the forwarded request.
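The two notes above (the audience mismatch that forces auth_oauth2.verify_aud = false, and the Authorization header that OAuth2 Proxy injects) can be illustrated together. The following Python is an added example, not code from RabbitMQ, OAuth2 Proxy or Keycloak: it extracts the bearer token from an Authorization header as the RabbitMQ HTTP endpoint would receive it, decodes the JWT payload, and models the audience check with verify_aud on and off. The client id oauth2-proxy-client, the other-app audience and the token claims are constructed for the demo; the tokens are unsigned (alg=none) because only claim handling is shown here, not signature verification.

```python
import base64
import json

# Constructed values for the demo. "rabbitmq" is the resource_server_id
# named in the text; the client id is a hypothetical OAuth2 Proxy client.
RESOURCE_SERVER_ID = "rabbitmq"
PROXY_CLIENT_ID = "oauth2-proxy-client"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT (alg=none, empty signature).
    Used only to exercise claim handling; nothing here verifies signatures."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_from_authorization_header(header_value: str) -> str:
    """Pull the bearer token out of the header OAuth2 Proxy injects
    ("Authorization: Bearer <access token>")."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise ValueError("expected 'Authorization: Bearer <token>'")
    return token.strip()


def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact-serialized JWT."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_accepted(claims: dict, resource_server_id: str, verify_aud: bool) -> bool:
    """Model the audience check: aud (a string or a list) must contain the
    resource_server_id. With verify_aud=False the check is skipped entirely,
    which is the effect of auth_oauth2.verify_aud = false in rabbitmq.conf."""
    if not verify_aud:
        return True
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return resource_server_id in aud


def evaluate(header_value: str, verify_aud: bool) -> dict:
    """Run the forwarded request's Authorization header through the checks."""
    claims = jwt_claims(token_from_authorization_header(header_value))
    return {
        "sub": claims.get("sub"),
        "aud": claims.get("aud"),
        "accepted": audience_accepted(claims, RESOURCE_SERVER_ID, verify_aud),
    }


# Token as Keycloak mints it for the proxy client: aud is the client id,
# not "rabbitmq". This is the mismatch the text describes.
PROXY_AUDIENCE_TOKEN = make_unsigned_jwt({"sub": "rabbit_admin", "aud": PROXY_CLIENT_ID})
# Token whose aud also lists the resource server: passes the strict check.
RABBITMQ_AUDIENCE_TOKEN = make_unsigned_jwt(
    {"sub": "rabbit_admin", "aud": [PROXY_CLIENT_ID, RESOURCE_SERVER_ID]}
)
# Token minted for an unrelated client in the same realm (constructed).
OTHER_CLIENT_TOKEN = make_unsigned_jwt({"sub": "someone", "aud": "other-app"})

if __name__ == "__main__":
    for name, tok in [("proxy-audience", PROXY_AUDIENCE_TOKEN),
                      ("rabbitmq-audience", RABBITMQ_AUDIENCE_TOKEN),
                      ("other-client", OTHER_CLIENT_TOKEN)]:
        for verify in (True, False):
            result = evaluate(f"Bearer {tok}", verify_aud=verify)
            print(f"{name:18s} verify_aud={verify!s:5s} aud={result['aud']!r:40s} accepted={result['accepted']}")
```

The last case is the caveat to keep in mind: once verify_aud is false, the audience check no longer distinguishes a token issued for this deployment from one issued for any other client the same Keycloak realm signs for, so the remaining signature, issuer and scope checks carry the whole access decision.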

Access Management UI

Go to http://0.0.0.0:4180/, click on the Sign in with Keycloak OIDC link, and enter the credentials rabbit_admin as username and rabbit_admin as password. You should be redirected to RabbitMQ management UI.