authorAnh Thi Lan Nguyen <lananhnt@outlook.com.vn>2021-12-10 16:17:11 +0700
committermergify-bot <noreply@mergify.com>2021-12-19 11:51:13 +0000
commit228f949a0c0846097146a9ec0223335c18a6d6fe (patch)
tree438a39fe610fcd0e874e5513831c5502a8bd0a04
parentca08d152b07d669b551f1fd08602ae032e30b93b (diff)
downloadrabbitmq-server-git-228f949a0c0846097146a9ec0223335c18a6d6fe.tar.gz
Update README.md
- Update the configuration documentation - Add a configurable "depth" (maximum certificate chain length) for key server TLS verification (cherry picked from commit a9bc1c0ce9a7e32e709a3e4f351c8d112b3b5b7d)
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/README.md36
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema7
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl3
-rw-r--r--deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets2
4 files changed, 46 insertions, 2 deletions
diff --git a/deps/rabbitmq_auth_backend_oauth2/README.md b/deps/rabbitmq_auth_backend_oauth2/README.md
index bb698ecc09..b29208996f 100644
--- a/deps/rabbitmq_auth_backend_oauth2/README.md
+++ b/deps/rabbitmq_auth_backend_oauth2/README.md
@@ -139,6 +139,42 @@ In that case, the configuration will look like this:
NOTE: `jwks_url` takes precedence over `signing_keys` if both are provided.
+### Variables Configurable in rabbitmq.conf
+
+| Key | Documentation
+|------------------------------------------|-----------
+| `auth_oauth2.resource_server_id` | The Resource Server ID. Please see below for more details
+| `auth_oauth2.additional_scopes_key` | Configure the plugin to also look in other fields (maps to `additional_rabbitmq_scopes` in the old format)
+| `auth_oauth2.default_key` | ID of the default signing key
+| `auth_oauth2.signing_keys` | Paths to signing key files
+| `auth_oauth2.jwks_url` | The URL of key server. According to the JWT Specification key server URL must be https.
+| `auth_oauth2.https.cacertfile` | Path to a file containing PEM-encoded CA certificates. The CA certificates are used during key server authentication
+| `auth_oauth2.https.depth` | Maximum number of non-self-issued intermediate certificates that can follow the peer certificate in a valid certification path. Default is 10. Please see: https://www.erlang.org/doc/man/ssl.html#type-allowed_cert_chain_length for more details
+| `auth_oauth2.https.peer_verification` | Identify if the verification should be performed towards key server. Available values: `verify_none`, `verify_peer`. Default is `verify_none`. It is recommended to configure `verify_peer`
+| `auth_oauth2.algorithms` | Restrict the usable algorithms
+
+For example:
+
+Configure with key files
+```
+auth_oauth2.resource_server_id = new_resource_server_id
+auth_oauth2.additional_scopes_key = my_custom_scope_key
+auth_oauth2.default_key = id1
+auth_oauth2.signing_keys.id1 = test/config_schema_SUITE_data/certs/key.pem
+auth_oauth2.signing_keys.id2 = test/config_schema_SUITE_data/certs/cert.pem
+auth_oauth2.algorithms.1 = HS256
+auth_oauth2.algorithms.2 = RS256
+```
+Configure with key server
+```
+auth_oauth2.resource_server_id = new_resource_server_id
+auth_oauth2.jwks_url = https://my-jwt-issuer/jwks.json
+auth_oauth2.https.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
+auth_oauth2.https.peer_verification = verify_peer
+auth_oauth2.https.depth = 5
+auth_oauth2.algorithms.1 = HS256
+auth_oauth2.algorithms.2 = RS256
+```
### Resource Server ID and Scope Prefixes
OAuth 2.0 (and thus UAA-provided) tokens use scopes to communicate what set of permissions particular
diff --git a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
index a5aa983d76..5748bf5642 100644
--- a/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
+++ b/deps/rabbitmq_auth_backend_oauth2/priv/schema/rabbitmq_auth_backend_oauth2.schema
@@ -93,7 +93,12 @@
"rabbitmq_auth_backend_oauth2.key_config.cacertfile",
[{datatype, file}, {validators, ["file_accessible"]}]}.
-{validator, "https_uri", "invalid https uri",
+{mapping,
+ "auth_oauth2.https.depth",
+ "rabbitmq_auth_backend_oauth2.key_config.depth",
+ [{datatype, integer}]}.
+
+{validator, "https_uri", "According to the JWT Specification, Key Server URL must be https.",
fun(Uri) -> string:nth_lexeme(Uri, 1, "://") == "https" end}.
{mapping,
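Review bot: The new `auth_oauth2.https.depth` mapping only constrains the datatype to `integer`, so a negative value passes configuration validation and is rejected (if at all) only when ssl receives the option during the JWKS fetch, i.e. as a failed token verification at runtime rather than a clear error at config load. The `https_uri` validator a few lines below shows the pattern for catching this earlier; a companion validator `{validator, "non_negative_integer", "depth must be a non-negative integer", fun(I) -> is_integer(I) andalso I >= 0 end}.` with the mapping changed to `[{datatype, integer}, {validators, ["non_negative_integer"]}]` would do it. On the reworded `https_uri` message, the TLS requirement for a JWK Set URL comes from the JWS `jku` header definition (RFC 7515 §4.1.2, which also requires that the server's identity be validated) rather than the JWT specification itself, so citing that would be more accurate and reinforces the README's recommendation to use `verify_peer`.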
diff --git a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
index 2d3b0e7b66..e9cc5541c5 100644
--- a/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
+++ b/deps/rabbitmq_auth_backend_oauth2/src/uaa_jwt.erl
@@ -73,7 +73,8 @@ fetch_keys(JwksUrl) ->
UaaEnv = application:get_env(?APP, key_config, []),
PeerVerification = proplists:get_value(peer_verification, UaaEnv, verify_none),
CaCertFile = proplists:get_value(cacertfile, UaaEnv),
- SslOpts = [{verify, PeerVerification}, {cacertfile, CaCertFile}],
+ Depth = proplists:get_value(depth, UaaEnv, 10),
+ SslOpts = [{verify, PeerVerification}, {cacertfile, CaCertFile}, {depth, Depth}],
httpc:request(get, {JwksUrl, []}, [{ssl, SslOpts}], []).
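Review bot: `Depth` is only consulted when `PeerVerification` is `verify_peer`, yet the default read two lines above is `verify_none`, under which ssl skips chain validation entirely, so a deployment that sets only `auth_oauth2.https.depth` still accepts any certificate from the JWKS host. A comment on the new line would keep the option from being mistaken for hardening on its own, e.g. `%% depth bounds chain validation only under verify_peer; the verify_none default performs no validation at all`. Separately, with `verify_peer` and no `customize_hostname_check` in `SslOpts`, ssl's default hostname matching does not accept wildcard certificates for HTTPS, so a JWKS endpoint served under a `*.example.com` certificate would presumably fail to fetch; if that is a supported deployment, adding `{customize_hostname_check, [{match_fun, public_key:pkix_verify_hostname_match_fun(https)}]}` is worth considering (behaviour depends on the OTP version in use, so confirm). Note that `fetch_keys/1` begins before this hunk.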
-spec decode_and_verify(binary()) -> {boolean(), map()} | {error, term()}.
diff --git a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
index b43356b617..13969db284 100644
--- a/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
+++ b/deps/rabbitmq_auth_backend_oauth2/test/config_schema_SUITE_data/rabbitmq_auth_backend_oauth2.snippets
@@ -8,6 +8,7 @@
auth_oauth2.jwks_url = https://my-jwt-issuer/jwks.json
auth_oauth2.https.cacertfile = test/config_schema_SUITE_data/certs/cacert.pem
auth_oauth2.https.peer_verification = verify_none
+ auth_oauth2.https.depth = 5
auth_oauth2.algorithms.1 = HS256
auth_oauth2.algorithms.2 = RS256",
[
@@ -25,6 +26,7 @@
{jwks_url, "https://my-jwt-issuer/jwks.json"},
{cacertfile, "test/config_schema_SUITE_data/certs/cacert.pem"},
{peer_verification, verify_none},
+ {depth, 5},
{algorithms, [<<"HS256">>, <<"RS256">>]}
]
}