Modify Entra example so that it uses v2.0
MarcialRosales committed Oct 3, 2024
1 parent 5adaad3 commit 2966a6d
Showing 1 changed file with 23 additions and 16 deletions.
39 changes: 23 additions & 16 deletions docs/oauth2-examples-entra-id/index.md
Expand Up @@ -24,13 +24,13 @@ limitations under the License.
Demonstrate how to authenticate using the OAuth 2.0 protocol
and Microsoft Entra ID as Authorization Server using the following flows:

* Access the management UI via a browser
* Access the management UI via a browser.

## Prerequisites to follow this guide

* Have an account in https://portal.azure.com.
* Docker
* Openssl
* Docker.
* Openssl.
* `git clone https://github.com/rabbitmq/rabbitmq-oauth2-tutorial`. This github repository
contains all the configuration files and scripts used on this example.

Expand Down Expand Up @@ -69,14 +69,6 @@ When using **Entra ID as OAuth 2.0 server**, your client app (in our case Rabbit
* Directory (tenant ID)
* Application (client) ID

6. Click on the **Endpoints** tab if it is visible.
7. On the right pane that has just opened, copy the value of **OpenID Connect metadata document** (ex: `https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration`) and open it in your browser.

Note the value of the `jwks_uri` key (ex: `https://login.microsoftonline.com/{TENANT_ID}/discovery/v2.0/keys`), as you will also need it later to configure the `rabbitmq_auth_backend_oauth2` on RabbitMQ side.

![Entra ID JWKS URI](./entra-id-jwks-uri.png)
8. If the **Endpoints** tab is not visible,


## Create OAuth 2.0 roles for your app

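Review bot: with steps 6 to 8 (Endpoints tab, OpenID Connect metadata document, `jwks_uri`) deleted, the image `./entra-id-jwks-uri.png` referenced in the removed lines is no longer used by this page; check whether the file is also deleted in this commit or still referenced elsewhere, otherwise it is left orphaned in `docs/oauth2-examples-entra-id/`. The remaining step list now ends at the Directory (tenant ID) and Application (client) ID values, which is consistent with the later config relying only on those two identifiers.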
Expand Down Expand Up @@ -160,6 +152,21 @@ Now that some roles have been created for your application, you still need to as

9. Repeat the operations for all the roles you want to assign.

## Create scope required by Management ui during authorization

So far we have created the roles and granted the roles to the user who is going to
access the management UI. When this user logs into RabbitMQ management UI, its token
contains the granted roles.

1. Go to **App registrations**.
2. Click on your application.
3. Go to **Manage** option on the left menu and choose the option **Expose an API**.
4. Click on **Add a scope**.
5. Enter a name, eg. `management-ui`. Enter the same name for **Admin consent display name** and a description and save it.
7. The scope is named `api://{Application (client) ID}/{scope_name}`.

RabbitMQ management ui must provide this scope in `management.oauth_scopes` along with `openid profiles` scopes.

## Configure Custom Signing Keys

It is optional to create a signing key for your application. If you create one though, you must append an `appid` query parameter containing the *app ID* to the `jwks_uri`. Otherwise, the standard jwks_uri endpoint will not include the custom signing key and RabbitMQ will not find the signing key to validate the token's signature.
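Review bot: the numbered list in the new "Create scope" section jumps from step 5 to step 7, so either step 6 is missing or the last item should be renumbered to 6. In the sentence after the list, `openid profiles` should read `openid profile`, matching the scope value used in the config (`management.oauth_scopes = openid profile ...`). Also, the unchanged "Configure Custom Signing Keys" paragraph still tells the reader to append an `appid` query parameter to the `jwks_uri`, but this commit removes the `auth_oauth2.jwks_url` setting from the example config in favour of `auth_oauth2.issuer`; that paragraph needs updating to say how the custom signing key is reached when keys are discovered via the issuer rather than a hand-configured JWKS URL.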
Expand All @@ -181,15 +188,15 @@ Update it with the following values:

```ini
auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = rabbit_auth_backend_internal

management.oauth_enabled = true
management.oauth_client_id = {PUT YOUR AZURE AD APPLICATION ID}
management.oauth_provider_url = https://login.microsoftonline.com/{YOUR_ENTRA_ID_TENANT_ID}
management.oauth_client_id = {Application(client) ID}
management.oauth_scopes = openid profile api://{Application(client) ID}/rabbitmq

auth_oauth2.resource_server_id = {PUT YOUR AZURE AD APPLICATION ID}
auth_oauth2.resource_server_id = {Application(client) ID}
auth_oauth2.additional_scopes_key = roles
auth_oauth2.jwks_url = {PUT YOUR ENTRA ID JWKS URI VALUE}
auth_oauth2.issuer = https://login.microsoftonline.com/{Directory (tenant) ID}

```

## Start RabbitMQ
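Review bot: the new `auth_oauth2.issuer = https://login.microsoftonline.com/{Directory (tenant) ID}` has no `/v2.0` suffix, although the commit title says the example should use v2.0 and the metadata URL deleted in the earlier hunk was `https://login.microsoftonline.com/{TENANT_ID}/v2.0/.well-known/openid-configuration`. If RabbitMQ derives the discovery document and the expected `iss` claim from this value, the issuer should be `https://login.microsoftonline.com/{Directory (tenant) ID}/v2.0`; please confirm against a v2.0 token before merging. Separately, `management.oauth_scopes` ends in `api://{Application(client) ID}/rabbitmq`, while the new section names the scope `api://{Application (client) ID}/{scope_name}` with `management-ui` as the example name; use one scope name in both places so readers do not copy a scope that was never created.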
