RabbitMQ oAuth2.0 plugin forward username claim from jwt to amqp message header

[arkadipdigite]

I want to know if there is any possibility to forward the user name claim from JWT to the AMQP message so that the message consumer can verify the username claim.

[michaelklishin]

In AMQP 0-9-1, applications can set the username property which is validated by RabbitMQ. This is a very rarely used feature that does not offer much in terms of security. I suspect it was copied from some JMS-based products back in the spec's original design days in 2005-2006.

If you do not trust some of your applications, you need to authenticate using x.509 certificates, use message signing (in your own code), end-to-end encryption, and similar solutions, not a username comparison.

[arkadipdigite]

I don't want to validate the username, rather just want to forward the username in the message header, so that I don't need to send the user info in the message body.

[michaelklishin]

In the case of AMQP 0-9-1, your applications can set a special message property. AMQP 1.0 allows you to set an application header. Same for STOMP. MQTT does not support arbitrary headers.

[arkadipdigite]

I am not talking about manually putting username header, but using the sub claim to be redirected as header by the broker itself. Is there any plugin for that?

[michaelklishin]

@arkadipdigite there is no such plugin. In theory a channel interceptor plugin could populate a message property (or header) from a token, although I am not sure if an interceptor would have access to the authorization context in order to get the token.

In any case, you are welcome to try to develop one.