Thanks to visit codestin.com
Credit goes to github.com

Skip to content
This repository was archived by the owner on Nov 17, 2020. It is now read-only.
/ rabbitmq-auth-backend-oauth2 Public archive

RabbitMQ authorization backend that uses OAuth 2.0 (JWT) tokens

License

Unknown, MPL-2.0 licenses found

Licenses found

Unknown
LICENSE
MPL-2.0
LICENSE-MPL-RabbitMQ
39 stars 18 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

rabbitmq/rabbitmq-auth-backend-oauth2

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

24 Commits
src
src
 
 
test
test
 
 
.gitignore
.gitignore
 
 
.travis.yml
.travis.yml
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
build.config
build.config
 
 
erlang.mk
erlang.mk
 
 
rabbitmq-components.mk
rabbitmq-components.mk
 
 

Repository files navigation

RabbitMQ authorisation Backend for Cloud Foundry UAA

Allows to use access tokens provided by CF UAA to authorize in RabbitMQ. Make requests to /check_token endpoint on UAA server. See https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#id32

Usage

First, enable the plugin. Then, configure access to UAA:

{rabbitmq_auth_backend_uaa,
  [{uri,      <<"https://your-uaa-server">>},
   {username, <<"uaa-client-id">>},
   {password, <<"uaa-client-secret">>},
   {resource_server_id, <<"your-resource-server-id"}]}

where

  • your-uaa-server is a UAA server host
  • uaa-client-id is a UAA client ID
  • uaa-client-secret is the shared secret
  • your-resource-server-id is a resource server ID (e.g. 'rabbitmq')

To learn more about UAA/OAuth 2 clients, see UAA docs.

Then you can use access_tokens acquired from UAA as username to authenticate in RabbitMQ.

Scopes

Scopes are translated into permission grants to RabbitMQ resources for the provided token.

The current scope format is <permission>:<vhost_pattern>/<name_pattern>[/<routing_key_pattern>] where

  • <permission> is an access permission (configure, read, or write)
  • <vhost_pattern> is a wildcard pattern for vhosts, token has acces to.
  • <name_pattern> is a wildcard pattern for resource name
  • <routing_key_pattern> is an optional wildcard pattern for routing key in topic authorization

Wildcard patterns are strings with optional wildcard symbols * that match any sequence of characters.

Wildcard patterns match as wollowing:

  • * matches any string
  • foo* matches any string starting with a foo
  • *foo matches any string ending with a foo
  • foo*bar matches any string starting with a foo and ending with a bar

There can be multiple wildcards in a pattern:

  • start*middle*end
  • *before*after*

If you want to use special characters like *, %, or / in a wildacrd pattern, the pattern must be URL-encoded.

See the [./test/wildcard_match_SUITE.erl](wildcard matching test suite) for more examples.

Authorization Workflow

Prerequisites

  1. There should be application client registered on UAA server.
  2. Client id and secret should be set in plugin env as username and password
  3. Client authorities should include uaa.resource
  4. RabbitMQ auth_backends should include rabbit_auth_backend_uaa

Authorization

  1. Client authorize with UAA, requesting access_token (using any grant type)
  2. Token scope should contain RabbitMQ resource scopes (e.g. configure:%2F/foo means "configure queue 'foo' in vhost '/'")
  3. Client passes token for a username when connecting to a RabbitMQ node

About

RabbitMQ authorization backend that uses OAuth 2.0 (JWT) tokens

Topics

plugin jwt oauth2 authentication rabbitmq authorization uaa

Resources

Readme

License

Unknown, MPL-2.0 licenses found

Licenses found

Unknown
LICENSE
MPL-2.0
LICENSE-MPL-RabbitMQ

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

39 stars

Watchers

21 watching

Forks

18 forks
Report repository

Releases

34 tags

Packages

No packages published

Contributors 15

Languages