You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Is your feature request related to a problem? Please describe.
RabbitMQ has been supporting a token format used by Keycloak which carried the tokens in a map whose key is permissions and this map is the value of the token's claim called authorization.
This is an adhoc token layout that it is not necessary to be supported in code but instead via configuration. Should Keycloak ever changed this layout, users can adjust their configuration accordingly without having to make a code change in RabbitMQ.
With the above configuration, RabbitMQ navigates the map structure. First it looks up the claim authorization from the token. It may return a map or a list of maps. If it is a map, it looks up the next keyword in the map. It finds the keyword permissions. It returns this time a list rather than a map. RabbitMQ iterates over the list and if the list's element is a map and has the next keyword, scope, it extracts them and it continues iterating the list.
Users who depend on the token format 1 will have to modify their RabbitMQ configuration to the following:
This format is simpler than the previous format as it only combines map objects as opposed to maps and lists.
If the user is already using auth_oauth2.additional_scopes_key, e.g. auth_oauth2.additional_scopes_key = roles the user can use any of these two configuration layouts:
This sounds really complex for a vendor-specific feature. If Keycloak does change their format, treating "Keycloak v1" and "Keycloak v2" as two different IDPs without this extensive configuration would be much easier.
we already have additional_scopes_key . It is just a matter of separating the key by dots and navigating the maps. I have rejected in the past requests where the scopes were underneath another map ..similar to how Keycloak format works.
I had not invested in this type of flexibility until today when I am refactoring and simplifying the implementation of oauth2 backend. I had forgotten that we had a custom look-up of scopes for keycloak.
With this change we can forget entirely where the scopes are located, pretty much.
It is a much bigger change the feature i am currently working on to support vendors like Azure/Entra and/or OAuth0 and who knows what others in the future.
Is your feature request related to a problem? Please describe.
RabbitMQ has been supporting a token format used by Keycloak which carried the tokens in a map whose key is
permissions
and this map is the value of the token's claim calledauthorization
.This is an adhoc token layout that it is not necessary to be supported in code but instead via configuration. Should Keycloak ever changed this layout, users can adjust their configuration accordingly without having to make a code change in RabbitMQ.
JWT Keycloak format 1: (not supported in code)
Keycloak JWT format 2: (supported in code)
Describe the solution you'd like
Users of keycloak who depend on the token format 2 will have to modify their RabbitMQ configuration to tell RabbitMQ where to get the scope from.
With the above configuration, RabbitMQ navigates the map structure. First it looks up the claim
authorization
from the token. It may return a map or a list of maps. If it is a map, it looks up the next keyword in the map. It finds the keywordpermissions
. It returns this time a list rather than a map. RabbitMQ iterates over the list and if the list's element is a map and has the next keyword,scope
, it extracts them and it continues iterating the list.Users who depend on the token format 1 will have to modify their RabbitMQ configuration to the following:
This format is simpler than the previous format as it only combines map objects as opposed to maps and lists.
If the user is already using
auth_oauth2.additional_scopes_key
, e.g.auth_oauth2.additional_scopes_key = roles
the user can use any of these two configuration layouts:or
Describe alternatives you've considered
No response
Additional context
No response
The text was updated successfully, but these errors were encountered: