jze2
diff --git a/‎Makefile‎
Lines changed: 6 additions & 0 deletions b/‎Makefile‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 22 additions & 1 deletion b/‎README.md‎
Lines changed: 22 additions & 1 deletion
diff --git a/‎bin/deploy-rabbit‎
Lines changed: 16 additions & 5 deletions b/‎bin/deploy-rabbit‎
Lines changed: 16 additions & 5 deletions
diff --git a/‎bin/keycloak/deploy‎
Lines changed: 6 additions & 0 deletions b/‎bin/keycloak/deploy‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎bin/oauth2-proxy/deploy‎
Lines changed: 13 additions & 0 deletions b/‎bin/oauth2-proxy/deploy‎
Lines changed: 13 additions & 0 deletions
diff --git a/‎conf/auth0/rabbitmq.conf‎
Lines changed: 11 additions & 0 deletions b/‎conf/auth0/rabbitmq.conf‎
Lines changed: 11 additions & 0 deletions
@@ -30,6 +30,12 @@ stop-uaa: ## Stop uaa
 stop-keycloak: ## Stop keycloak
 	@docker kill keycloak
 
+start-oauth2-proxy: ## Start oauth2-proxy
+	@bin/oauth2-proxy/deploy
+
+stop-oauth2-proxy: ## Stop oauth2-proxy
+	@docker-compose -f conf/oauth2-proxy/compose.yml down
+
 start-rabbitmq:  ## Run RabbitMQ Server
 	@./bin/deploy-rabbit
 
 
@@ -24,6 +24,7 @@ If you want to understand the details of how to configure RabbitMQ with Oauth2 g
 	- [JMS protocol](#jms-protocol)
 	- [MQTT protocol](#mqtt-protocol)
 	- [AMQP 1.0 protocol](#amqp-10-protocol)
+- [Messaging on Topic Exchanges](#messaging-on-topic-exchanges)
 - Use advanced OAuth 2.0 configuration
 	- [Use custom scope field](#use-custom-scope-field)
 	- [Use multiple asymmetrical signing keys](#use-multiple-asymmetrical-signing-keys)
@@ -34,7 +35,7 @@ If you want to understand the details of how to configure RabbitMQ with Oauth2 g
 	- [KeyCloak](use-cases/keycloak.md)
 	- [https://auth0.com/](use-cases/auth0.md)
 	- [Azure Active Directory](use-cases/azure.md)
-
+	- [Oauth2 proxy](use-cases/oauth2-proxy.md)
 - [Understand the environment](#understand-the-environment)
 	- [RabbitMQ server](#rabbitmq-server)
 	- [UAA server](#uaa-server)
@@ -337,6 +338,26 @@ And send a message. It uses the *client_id*  `jms_producer`, declared in UAA, to
 make start-amqp1_0-publisher
 ```
 
+## Messaging on Topic Exchanges
+
+This section has been dedicated exclusively to explain what scopes you need in order to operate on **Topic Exchanges**.
+
+**NOTE**: None of the users and/or clients declared in any of Authorization servers provided by this tutorial have the
+appropriate scopes to operate on **Topic Exchanges**. In the [MQTT Protocol](#mqtt-protocol) section, the application
+used a hand-crafted token with the scopes to operate on **Topic Exchanges**.
+
+To bind and/or unbind a queue to/from a **Topic Exchange**, you need to have the following scopes:
+
+- **write** permission on the queue and routing key -> `rabbitmq.write:<vhost>/<queue>/<routingkey>`
+> e.g. `rabbitmq.write:*/*/*`
+
+- **read** permission on the exchange and routing key -> `rabbitmq.write:<vhost>/<exchange>/<routingkey>`
+> e.g. `rabbitmq.read:*/*/*`
+
+To publish to a **Topic Exchange**, you need to have the following scope:
+
+- **write** permission on the exchange and routing key -> `rabbitmq.write:<vhost>/<exchange>/<routingkey>`
+> e.g. `rabbitmq.write:*/*/*`
 
 
 ## Use advanced OAuth 2.0 configuration
 
@@ -1,11 +1,10 @@
 #!/usr/bin/env bash
 
-
 SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 
 MODE=${MODE:-uaa}
-CONFIG=${CONFIG:-rabbitmq.config}
-IMAGE_TAG=${IMAGE_TAG:-3.11.9-management}
+CONFIG=${CONFIG:-rabbitmq.conf}
+IMAGE_TAG=${IMAGE_TAG:-3.11-management}
 IMAGE=${IMAGE:-rabbitmq}
 
 function generate-ca-server-client-kpi {
@@ -42,12 +41,24 @@ function deploy {
                   -v $SCRIPT/../conf/${MODE}/certs/basic/server_localhost/cert.pem:/etc/rabbitmq/rabbitmq.crt"
   fi
 
+  SIGNING_KEY_FILE=$SCRIPT/../conf/${MODE}/signing-key/signing-key.pem
+  if [ -f "$SIGNING_KEY_FILE" ]; then
+      EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${SIGNING_KEY_FILE}:/etc/rabbitmq/signing-key.pem"
+  fi
+
+  MOUNT_RABBITMQ_CONFIG="/etc/rabbitmq/rabbitmq.config"
+
+  if [[ "$CONFIG" == *.conf ]]
+  then
+    MOUNT_RABBITMQ_CONFIG="/etc/rabbitmq/rabbitmq.conf"
+  fi
+
   docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
   docker rm -f rabbitmq 2>/dev/null || echo "rabbitmq was not running"
-  echo "running RabbitMQ with Idp $MODE and configuration file conf/$MODE/$CONFIG"
+  echo "running RabbitMQ ($IMAGE:$IMAGE_TAG) with Idp $MODE and configuration file conf/$MODE/$CONFIG"
   docker run -d --name rabbitmq --net rabbitmq_net \
       -p 15672:15672 -p 5672:5672 ${EXTRA_PORTS}\
-      -v ${SCRIPT}/../conf/${MODE}/${CONFIG}:/etc/rabbitmq/rabbitmq.config:ro \
+      -v ${SCRIPT}/../conf/${MODE}/${CONFIG}:${MOUNT_RABBITMQ_CONFIG}:ro \
       -v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins \
       -v ${SCRIPT}/../conf:/conf ${EXTRA_MOUNTS} ${IMAGE}:${IMAGE_TAG}
 }
 
@@ -9,11 +9,17 @@ docker rm -f keycloak 2>/dev/null || echo "keycloak was not running"
 
 echo "Running keycloack docker image ..."
 
+SIGNING_KEY_FILE=$SCRIPT/../conf/${MODE}/signing-key/signing-key.pem
+if [ -f "$SIGNING_KEY_FILE" ]; then
+    EXTRA_MOUNTS="${EXTRA_MOUNTS} -v ${SIGNING_KEY_FILE}:/etc/rabbitmq/signing-key.pem"
+fi
+
 docker run \
 		--detach \
 		--name keycloak --net rabbitmq_net \
 		--publish 8080:8080 \
 		--env KEYCLOAK_ADMIN=admin \
 		--env KEYCLOAK_ADMIN_PASSWORD=admin \
 		--mount type=bind,source=${ROOT}/conf/keycloak/import/,target=/opt/keycloak/data/import/ \
+		${EXTRA_MOUNTS} \
 		quay.io/keycloak/keycloak:20.0 start-dev --import-realm
@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+ROOT=$SCRIPT/../..
+
+docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net
+docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml down 2>/dev/null || echo "oauth2-proxy was not running"
+
+echo "Running oauth2-proxy docker image ..."
+
+export OAUTH2_PROXY_COOKIE_SECRET=`python -c 'import os,base64; print(base64.b64encode(os.urandom(16)).decode("ascii"))'`
+docker-compose -f $ROOT/conf/oauth2-proxy/compose.yml up
@@ -0,0 +1,11 @@
+auth_backends.1 = rabbit_auth_backend_oauth2
+
+management.oauth_enabled = true
+management.oauth_client_id = REPLACD
+management.oauth_scopes = openid profile rabbitmq.tag:administrator
+management.oauth_provider_url = https://dev-prbc0gw4.us.auth0.com
+
+auth_oauth2.resource_server_id = rabbitmq
+auth_oauth2.preferred_username_claims.1 = user_name
+auth_oauth2.additional_scopes_key = permissions
+auth_oauth2.jwks_url = https://dev-prbc0gw4.us.auth0.com/.well-known/jwks.json