Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Deprecate management.metadata_url and move it to auth_oauth2.discovery_endpoint_path #12237

Closed
MarcialRosales opened this issue Sep 6, 2024 · 1 comment

Comments

@MarcialRosales
Copy link
Contributor

MarcialRosales commented Sep 6, 2024

Is your feature request related to a problem? Please describe.

The majority of OAuth Providers uses the standard path .well-known/openid-configuration for their OpenId Discovery endpoint. However, Okta seems to use a slightly different value .well-known/oauth-authorization-server.

Currently RabbitMQ management ui has a configuration variable called management.oauth_metadata_url which is used in cases like Okta, where the OpenId Discovery endpoint url is not compliant with the path specified by the spec.

The configuration variable management.oauth_metadata_url was introduced after RabbitMQ introduced auth_oauth2.issuer. Thanks to auth_oauth2.issuer RabbitMQ is able to automatically discover all the other endpoints such as jwks_url. However, RabbitMQ in this particular case only accepted the use of /.well-known/openid-configuration path which is appended to the auth_oauth2.issuer to build the OpenId Discovery endpoint url.

How this change may affect existing users?
There are two types of users which. may be affected by this change. One type of user is currently setting auth_oauth2.issuer and auth_oauth2.jwks_url and management.oauth_metadata_url because their identity provider does not use the standard path .well-known/openid-configuration for the OpenId discovery endpoint. These users will have to remove two settings, management.oauth_metadata_url and auth_oauth2.jwks_url , and add auth_oauth2.discovery_endpoint_path . They clearly benefit from this change even though they have to make these changes.
There is a second type of user who does not want RabbitMQ discover the endpoints such as jwks_uri. They still want to set them by hand. These users though would have to remove management.oauth_metadata_url and replace with it two settings: auth_oauth2.issuer and auth_oauth2.discovery_endpoint_path. Setting the issuer does not automatically imply RabbitMQ will try to download the OpenId configuration. If the user configured the jwks_uri RabbitMQ does not need to download the configuration. However, the management UI will still try to download the OpenId configuration to discover the authorization and token endpoints.

Describe the solution you'd like

The solution proposed here is to add a new configuration variable discovery_endpoint_path to auth_oauth2 and to auth_oauth2.oauth_providers.$name.discovery_endpoint_path.

This change was already implemented by #12258 . Once #12258 is fully merged, it does not make sense to support management.oauth_metadata_url.

Describe alternatives you've considered

No response

Additional context

No response

@MarcialRosales MarcialRosales self-assigned this Sep 6, 2024
@MarcialRosales MarcialRosales changed the title Deprecate management.metadata_url and move it to auth_oauth2.openid_configuration_path Deprecate management.metadata_url and move it to auth_oauth2.discoveryendpoint.path Sep 6, 2024
@MarcialRosales MarcialRosales changed the title Deprecate management.metadata_url and move it to auth_oauth2.discoveryendpoint.path Deprecate management.metadata_url and move it to auth_oauth2.discovery_endpoint.path Sep 6, 2024
@MarcialRosales MarcialRosales changed the title Deprecate management.metadata_url and move it to auth_oauth2.discovery_endpoint.path Deprecate management.metadata_url and move it to auth_oauth2.discovery_endpoint_path Sep 27, 2024
@MarcialRosales
Copy link
Contributor Author

MarcialRosales commented Oct 2, 2024

Implemented in #12399

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant