Enabling OAuth2 on Management UI #676
Replies: 1 comment
-
Hello! This question does not appear to be specific to this Docker image, so I suggest asking in one of these community support channels:
-
I use the rabbitmq:3.12-management Docker image, and I am trying to configure it with OAuth2.
My OAuth2 server is a home-made server based on oidc-provider.
My first step was to enable OAuth2 on the backend. I added the following lines to the config file:
auth_backends.1 = rabbit_auth_backend_oauth2
auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.jwks_url = https://iam:4000/oidc/jwks
auth_oauth2.verify_aud = false
and it works - great!
With this configuration, on the management UI side, I use an empty user and a JWT token generated with my OAuth2 server, and it also works - great!
The problem started when I tried to configure the OAuth2 on the Management side, so what I did is I added this to the config file:
management.oauth_enabled = true
management.oauth_client_id = rabbit_user_client
management.oauth_client_secret = rabbit_user_client
management.oauth_provider_url = https://localhost:4000/oidc
The authorization flow with PKCE is executed properly, and the OAuth2 server generates the response containing the access_token and id_token. But after getting the response, the Management UI queries GET /api/whoami and uses the access_token (while I believe it should use the id_token) as the bearer token in the Authorization header. As a result I get this error on the RabbitMQ server side: "Authentication using an OAuth 2/JWT token failed: provided token is invalid", and I cannot log in to the management UI.
If I query the GET /api/whoami with the id_token (generated during the authorization flow with PKCE started from the UI) the response is correct.
Why is the access_token used then, or maybe I understand it wrong?
Thank you in advance
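A diagnostic for the situation described in the question above, as an added example that is not part of the original discussion or of RabbitMQ's code: it decodes a bearer token without verifying it and lists reasons a backend that validates JWTs against a JWKS URL could reject it. The function names, the sample tokens and the set of checks are assumptions made for illustration.

```python
import base64
import json
import time


def decode_segment(segment):
    """Decode one base64url JWT segment to JSON (the signature is NOT verified)."""
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def inspect_token(token, now=None):
    """List reasons a JWKS-validating backend could reject `token` (diagnosis only)."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return {"is_jwt": False, "findings": ["opaque token, not a three-part JWS"]}
    try:
        header, claims = decode_segment(parts[0]), decode_segment(parts[1])
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return {"is_jwt": False, "findings": ["segments are not base64url JSON"]}
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return {"is_jwt": False, "findings": ["header or payload is not a JSON object"]}
    findings = []
    if str(header.get("alg", "none")).lower() == "none":
        findings.append("unsigned token (alg none)")
    if "kid" not in header:
        findings.append("no kid header to match against the JWKS")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        findings.append("missing or expired exp")
    if "scope" not in claims:
        findings.append("no scope claim")
    return {"is_jwt": True, "alg": header.get("alg"),
            "claims": sorted(claims), "findings": findings}


def sample_jwt(header, claims):
    """Build a constructed sample token; its signature segment is a dummy value."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(claims)}.c2ln"


# Constructed samples for the demo, not real tokens from the discussion.
SAMPLE_OPAQUE = "dGhpcy1pcy1hbi1vcGFxdWUtdG9rZW4"
SAMPLE_JWT = sample_jwt({"alg": "RS256", "kid": "k1"},
                        {"sub": "u1", "aud": "rabbitmq", "exp": 4102444800,
                         "scope": "rabbitmq.tag:administrator"})

if __name__ == "__main__":
    for name, tok in (("access_token", SAMPLE_OPAQUE), ("id_token", SAMPLE_JWT)):
        print(name, inspect_token(tok))
```

Running it over both tokens returned by the authorization flow shows whether they differ in form (opaque versus JWT) or only in claims; a clean report here does not mean the signature is valid.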