bin/tls-gen

In order see the [rabbitmq-auth-backend-oauth2](https://github.com/rabbitmq/rabbitmq-server/tree/main/deps/rabbitmq_auth_backend_oauth2) plugin in action we need an OAuth 2.0 **Authorization server** running and RabbitMQ server configured accordingly. To get up and running quickly, we are going to use UAA as Authorization Server. In the next section, we will see how to set up UAA and RabbitMQ. If you are new to OAuth 2.0, it is a good starting point. If you already know OAuth 2.0 and you want to learn how to configure RabbitMQ to talk to one of OAuth 2.0 server tested on this tutorial, you can jump straight to them. They are [KeyCloak](use-cases/keycloak.md), [https://auth0.com/](use-cases/auth0.md) and [Azure Active Directory](use-cases/azure.md) in addition to UAA which we will use it in the next sections.

RabbitMQ support two types of two signing keys used to digitally sign the JWT tokens.

The two types are **symmetrical** and **asymmetrical** signing keys. The Authorization server is who digitally signs the JWT tokens and RabbitMQ has to be configured to validate any of the two types of digital signatures.

Given that asymmetrical keys are the most widely used option, we are going to focus on how to

Since RabbitMQ 3.10 the Management UI uses *Authorization Code flow with PKCE**. Because RabbitMQ is a single-page

web application, it cannot safely store credentials such as the `client_id` and `client_secret` required by

RabbitMQ to authenticate with the Authorization Server in order to get a token for the end-user. Therefore, we

should configure the RabbitMQ OAuth client in the Authorization Server so that it does not require `client_secret`.

This type of OAuth clients/applications are known as **public** or **non-confidential**. In UAA they are configured as `allowpublic: true`.

Nevertheless, should your Authorization Server require a `client_secret` , we can configure it via `management.oauth_client_secret`.

**Note**: **This feature has not been released yet. It is only available in the development docker image

pivotalrabbitmq/rabbitmq:oidc_idp_initiated_login-otp-max-bazel **

function generate-ca-server-client-kpi {

NAME=$1

if [ -d "$NAME" ]; then

echo "SSL Certificates already present under $NAME. Skip SSL generation"

return

fi

if [ ! -d "$SCRIPT/tls-gen" ]; then

git clone https://github.com/michaelklishin/tls-gen $SCRIPT/tls-gen

fi

echo "Generating CA and Server PKI under $NAMER ..."

mkdir -p $NAME

cp -r $SCRIPT/tls-gen/* $NAME

CUR_DIR=$(pwd)

cd $NAME/basic

make CN=localhost

make PASSWORD=$PASSWORD

make verify

make info

cd $CUR_DIR

}

function deploy {

if [ "${MODE}" == "azure" ]; then

generate-ca-server-client-kpi $SCRIPT/../conf/${MODE}/certs

EXTRA_PORTS="-p 15671:15671"

EXTRA_MOUNTS="-v $SCRIPT/../conf/${MODE}/certs/basic/testca/cacert.pem:/etc/rabbitmq/rabbitmq-ca.crt \

fi

docker network inspect rabbitmq_net >/dev/null 2>&1 || docker network create rabbitmq_net

docker rm -f rabbitmq 2>/dev/null || echo "rabbitmq was not running"

echo "running RabbitMQ with Idp $MODE and configuration file conf/$MODE/$CONFIG"

docker run -d --name rabbitmq --net rabbitmq_net \

-p 15672:15672 -p 5672:5672 ${EXTRA_PORTS}\

-v ${SCRIPT}/../conf/${MODE}/${CONFIG}:/etc/rabbitmq/rabbitmq.config:ro \

-v ${SCRIPT}/../conf/enabled_plugins:/etc/rabbitmq/enabled_plugins \

-v ${SCRIPT}/../conf:/conf ${EXTRA_MOUNTS} ${IMAGE}:${IMAGE_TAG}

}

deploy

% {oauth_client_secret, "REPLACE"},

{oauth_client_id, "0e4305ff-3df1-4695-b2c7-ef804cf9c105"},

%{oauth_client_secret, "PUT YOUR AZURE AD APPLICATION SECRET"},

{oauth_provider_url, "https://login.microsoftonline.com/b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0"}

{resource_server_id, <<"0e4305ff-3df1-4695-b2c7-ef804cf9c105">>},

{jwks_url, <<"https://login.microsoftonline.com/b39138ca-3cee-4b4a-a4d6-cd83d9dd62f0/discovery/v2.0/keys">>}