author | Michael Klishin <klishinm@vmware.com> | 2021-04-16 16:41:55 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-04-16 16:41:55 +0300 |
commit | 55e5b71391fab77436e896e95af85933f7e5272d (patch) | |
tree | d14516d12718c1cf9c8cc687e78605475850e61d | |
parent | ac6b4ddc3afba282b690cb52e91e7780f75691db (diff) | |
parent | 05cb5f8fa686834d6a6fde3afcc8756e5493ba6f (diff) | |
download | rabbitmq-server-git-55e5b71391fab77436e896e95af85933f7e5272d.tar.gz |
Merge pull request #2980 from skapin/patch-1
Set correct field for extra scope and improve doc
-rw-r--r-- | deps/rabbitmq_auth_backend_oauth2/README.md | 22 |
1 files changed, 18 insertions, 4 deletions
diff --git a/deps/rabbitmq_auth_backend_oauth2/README.md b/deps/rabbitmq_auth_backend_oauth2/README.md index b58c28db96..bb698ecc09 100644 --- a/deps/rabbitmq_auth_backend_oauth2/README.md +++ b/deps/rabbitmq_auth_backend_oauth2/README.md @@ -38,11 +38,12 @@ To use this plugin 1. UAA should be configured to produce encrypted JWT tokens containing a set of RabbitMQ permission scopes 2. All RabbitMQ nodes must be [configured to use the `rabbit_auth_backend_oauth2` backend](https://www.rabbitmq.com/access-control.html) 3. All RabbitMQ nodes must be configure with a resource service ID (`resource_server_id`) that matches the scope prefix (e.g. `rabbitmq` in `rabbitmq.read:*/*`). +4. The token **must** has a value in`aud` that match `resource_server_id` value. ### Authorization Flow 1. Client authorize with OAuth 2.0 provider, requesting an `access_token` (using any grant type desired) -2. Token scope returned by OAuth 2.0 provider must include RabbitMQ resource scopes that follow a convention used by this plugin: `configure:%2F/foo` means "configure permissions for 'foo' in vhost '/'") +2. Token scope returned by OAuth 2.0 provider must include RabbitMQ resource scopes that follow a convention used by this plugin: `configure:%2F/foo` means "configure permissions for 'foo' in vhost '/'") (`scope` field can be changed using `extra_scopes_source` in **advanced.config** file. 3. Client passes the token as password when connecting to a RabbitMQ node. **The username field is ignored**. 4. The translated permissions are stored as part of the authenticated connection state and used the same way permissions from RabbitMQ's internal database would be used. @@ -130,7 +131,7 @@ In that case, the configuration will look like this: {rabbitmq_auth_backend_oauth2, [ {resource_server_id, <<"my_rabbit_server">>}, {key_config, [ - {jwks_url, "https://my-jwt-issuer/jwks.json"} + {jwks_url, <<"https://my-jwt-issuer/jwks.json">>} ]} ]}, ]. 
@@ -191,18 +192,31 @@ be `my_rabbit.read:*/*`. ### Using a different token field for the Scope -By default the plugin will look for the `scope` key in the token, you can configure the plugin to also look in other fields using the `additional_rabbitmq_scopes` setting. +By default the plugin will look for the `scope` key in the token, you can configure the plugin to also look in other fields using the `extra_scopes_source` setting. Values format accepted are scope as **string** or **list** + ```erlang [ {rabbitmq_auth_backend_oauth2, [ {resource_server_id, <<"my_rabbit_server">>}, - {additional_rabbitmq_scopes, <<"my_custom_scope_key">>}, + {extra_scopes_source, <<"my_custom_scope_key">>}, ... ]} ]}, ]. ``` +Token sample: +``` +{ + "exp": 1618592626, + "iat": 1618578226, + "aud" : ["my_id"], + ... + "scope_as_string": "my_id.configure:*/* my_id.read:*/* my_id.write:*/*", + "scope_as_list": ["my_id.configure:*/*", "my_id.read:*/*", my_id.write:*/*"], + ... + } +``` ### Using Tokens with Clients |
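Review bot: in the first hunk (`@@ -38,11 +38,12 @@`) the new item 4 has grammar errors and the parenthetical added to step 2 of the Authorization Flow is never closed. Suggest `4. The token **must** have a value in its `aud` field that matches the `resource_server_id` value.` and, for step 2, close the parenthesis: `(the `scope` field can be changed using `extra_scopes_source` in the **advanced.config** file)`. While touching this list, step 3 reads "must be configure with" and should be "must be configured with".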
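Review bot: in the second hunk (`@@ -130,7 +131,7 @@`) changing `jwks_url` from a string (`"https://..."`) to a binary (`<<"https://...">>`) corrects the documented configuration type rather than just wording, but neither the commit message ("Set correct field for extra scope and improve doc") nor the surrounding README text mentions it. Worth a sentence in the commit message, or a note beside the example, that `jwks_url` is given as a binary like the other values in that block (`resource_server_id` is already shown as `<<"my_rabbit_server">>`), so readers who copied the old string form know why their configuration needs updating.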
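Review bot: in the third hunk (`@@ -191,18 +192,31 @@`) the token sample's `scope_as_list` entry is missing its opening quote (`my_id.write:*/*"` should be `"my_id.write:*/*"`), so the JSON is malformed as pasted. The sample is also inconsistent with the configuration directly above it: the config sets `extra_scopes_source` to `my_custom_scope_key` and `resource_server_id` to `my_rabbit_server`, while the token carries `"aud": ["my_id"]` and two fields named `scope_as_string` and `scope_as_list`, neither of which is the configured key. Showing one field named `my_custom_scope_key` (once as a string, once as a list) with an `aud` matching `my_rabbit_server` would make the example self-consistent and also illustrate the `aud` requirement added in the first hunk. The sentence "Values format accepted are scope as **string** or **list**" could read "The field value may be either a space-separated string of scopes or a list of scope strings", which is what the sample demonstrates.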