Use https://auth0.com/ as OAuth 2.0 server
Demonstrate how to authenticate using the OAuth 2.0 protocol with Auth0 as the Authorization Server, using the following flows:
- Access management UI via a browser
- Access management rest api
- Access AMQP protocol
Prerequisites to follow this guide
- Have an account in https://auth0.com/.
- Docker
- git clone https://github.com/rabbitmq/rabbitmq-oauth2-tutorial. This GitHub repository contains all the configuration files and scripts used in this example.
Create RabbitMQ API
In Auth0, resources are mapped to Application APIs.
- Once you have logged onto your account in https://auth0.com/, go to dashboard > Applications > APIs > Create an API.
- Give it the name rabbitmq. The important thing here is the identifier, which must match the resource_server_id we configured in RabbitMQ. This identifier goes into the audience (aud) JWT field. In our case, it is called rabbitmq.
- Choose RS256 as the signing algorithm.
- Enable RBAC.
- Enable Add Permissions in the Access Token.
Configure permissions in RabbitMQ API
- Edit the API we just created with the name rabbitmq.
- Go into Permissions and add the permissions (scopes) this API can grant. You are going to add the following scopes:
  - rabbitmq.read:*/*
  - rabbitmq.write:*/*
  - rabbitmq.configure:*/*
  - rabbitmq.tag:administrator
Create an OAuth client for the Management UI
By default, for every API we create, an Application gets created using the API's identifier as its name.
An Application corresponds to an OAuth client.
Go to dashboard > Applications, and you should see your application listed. An application gives us a client_id, a client_secret and an HTTP endpoint, called Domain, from which to request a token.
Create Application rabbitmq-management
An application gives us the client-id and client-secret for the management UI to authenticate on behalf of the end user.
In the settings, choose:
- Application type: Single Page Application
- Token Endpoint Authentication Method: None
- Allowed Callback URLs: http://localhost:15672/js/oidc-oauth/login-callback.html
- Allowed Web Origins: http://localhost:15672
- Allowed Origins (CORS): http://localhost:15672
Create a User for Management UI Access
Create user
- Go to User Management > Users.
- Create a user. This is the user you will use to login via the management UI.
Create permissions and grant them
- Go to Roles.
- Create the role called rabbitmq.tag:administrator.
- Go to Permissions and select all the permissions.
- Go to Users and make sure our user is listed; if not, add the user to the list of users that have this role.
Configure RabbitMQ to authenticate with Auth0
To configure RabbitMQ you need to gather the following information from Auth0:
- Go to dashboard > Applications > Applications.
- Click on the application rabbitmq-management.
- Take note of the Client ID value.
- Take note of the Domain value.
- Use these values for the Client ID and Domain fields in the RabbitMQ configuration file.
Edit the configuration file conf/auth0/rabbitmq.conf and replace {CLIENT_ID} and {DOMAIN} with the values you gathered above.
Start RabbitMQ
Run the following commands to start RabbitMQ:
export MODE=auth0
make start-rabbitmq
Verify Management UI flows
- Go to management UI http://localhost:15672.
- Click on the single button and authenticate with the Auth0 user you created above. You should be redirected back to the management UI.
Auth0 issues an access token like the one below. Its scope claim carries the requested scopes configured in management.oauth_scopes, and its permissions claim carries all the scopes you configured for this user in Auth0. RabbitMQ reads scopes from the scope claim and also from the claim named in auth_oauth2.additional_scopes_key, whose value here is permissions.
{
  "iss": "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/",
  "sub": "auth0|66d980b862efcd9f5144f42a",
  "aud": [
    "rabbitmq",
    "https://dev-tm5ebsbbdcbqddcj.us.auth0.com/userinfo"
  ],
  "iat": 1725533554,
  "exp": 1725619954,
  "scope": "openid profile rabbitmq.tag:administrator",
  "azp": "IC1fqsSjkQq2cVsYyHUuQyq30OAYuUv2",
  "permissions": [
    "rabbitmq.configure:*/*",
    "rabbitmq.read:*/*",
    "rabbitmq.tag:administrator",
    "rabbitmq.write:*/*"
  ]
}
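To make the two-claim lookup concrete, here is an added Python sketch (not RabbitMQ's own code and not part of the tutorial repository) that checks the audience, merges the scope and permissions claims, and evaluates the resulting rabbitmq.* scopes. The sample payload is constructed from the token above with placeholder identifiers, and glob-style matching of vhost and resource patterns is an assumption of this sketch.

```python
import fnmatch
import re

RESOURCE_SERVER_ID = "rabbitmq"          # resource_server_id in rabbitmq.conf
ADDITIONAL_SCOPES_KEY = "permissions"    # auth_oauth2.additional_scopes_key

# Constructed sample payload, modelled on the Auth0 token shown above;
# issuer and ids are placeholders, not real values.
SAMPLE_PAYLOAD = {
    "iss": "https://EXAMPLE_TENANT.us.auth0.com/",
    "aud": ["rabbitmq", "https://EXAMPLE_TENANT.us.auth0.com/userinfo"],
    "scope": "openid profile rabbitmq.tag:administrator",
    "permissions": ["rabbitmq.configure:*/*", "rabbitmq.read:*/*",
                    "rabbitmq.tag:administrator", "rabbitmq.write:*/*"],
}

def collect_scopes(payload, rsid=RESOURCE_SERVER_ID, extra_key=ADDITIONAL_SCOPES_KEY):
    """Scopes RabbitMQ would consider: the 'scope' claim plus the extra claim,
    accepted only if the token's 'aud' names the resource server."""
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if rsid not in aud:
        raise PermissionError("audience does not include " + rsid)
    scopes = set(payload.get("scope", "").split())
    extra = payload.get(extra_key, [])
    scopes.update(extra.split() if isinstance(extra, str) else extra)
    return {s for s in scopes if s.startswith(rsid + ".")}  # drop openid, profile, ...

def parse_scope(scope, rsid=RESOURCE_SERVER_ID):
    """'<rsid>.<perm>:<vhost>/<resource>' -> ('permission', perm, vhost, resource);
    '<rsid>.tag:<tag>' -> ('tag', tag); anything else -> None."""
    body = scope[len(rsid) + 1:]
    m = re.fullmatch(r"(configure|read|write):([^/]+)/(.+)", body)
    if m:
        return ("permission",) + m.groups()
    m = re.fullmatch(r"tag:(.+)", body)
    return ("tag", m.group(1)) if m else None

def tags(payload):
    """User tags (e.g. 'administrator') granted by the token."""
    return {p[1] for p in map(parse_scope, collect_scopes(payload)) if p and p[0] == "tag"}

def is_allowed(payload, permission, vhost, resource):
    """True when some scope grants `permission` on `resource` in `vhost`.
    Pattern matching is assumed glob-style here ('*' = anything)."""
    for p in map(parse_scope, collect_scopes(payload)):
        if p and p[0] == "permission" and p[1] == permission \
                and fnmatch.fnmatchcase(vhost, p[2]) and fnmatch.fnmatchcase(resource, p[3]):
            return True
    return False
```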