
I am following the suggested documentation for using Keycloak as authentication means with rabbitmq. However I always get the following access denied error:

(530) "NOT_ALLOWED - access to vhost '/' refused for user '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759'"

I believe the keycloak scopes (even though they are present in the JWT) are not visible on rabbit as seen here. Clients can authenticate but they are not allowed to read/write on rabbitmq.

rabbitmq-1 | 2025年02月21日 13:59:04.992226+00:00 [debug] <0.699.0> Computing username from client's JWT token: [<<"05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759">>] -> 05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759
rabbitmq-1 | 2025年02月21日 13:59:04.992305+00:00 [debug] <0.699.0> User '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1 | 2025年02月21日 13:59:04.994004+00:00 [debug] <0.699.0> Matching virtual host '/' against the following scopes:
rabbitmq-1 | 2025年02月21日 13:59:04.994058+00:00 [error] <0.699.0> Error on AMQP connection <0.699.0> (192.168.48.1:39816 -> 192.168.48.2:5672, user: '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759', state: opening): 
rabbitmq-1 | 2025年02月21日 13:59:04.994058+00:00 [error] <0.699.0> access to vhost '/' refused for user '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759'

Decoded token field (after authenticating with keycloak) looks like:

 "scope": "email rabbitmq.read:*/* rabbitmq.configure:*/* rabbitmq.write:*/* profile",

So I know that the JWT includes required fields.

I am using files from this example.

Tried the default conf for rabbit with no luck; also tried trimming it down a little, with no results:

auth_backends.1 = rabbit_auth_backend_oauth2
log.default.level = debug
auth_oauth2.resource_server_id = rabbit_prod
auth_oauth2.preferred_username_claims.1 = user_name
auth_oauth2.additional_scopes_key = scope
auth_oauth2.issuer = https://omitted/realms/prod

What am I missing?

Thanks in advance!

Reproduction steps:

  1. Import Keycloak realm settings. Tried multiple.
  2. Modify resource_server_id to include the appropriate aud claim (works, since I can authenticate).
  3. Run RabbitMQ with docker (tried latest image and also 4.0.2-management as seen on examples)
  4. Run provided Pika client.
asked Feb 21, 2025 at 14:57
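An added illustration, not code from the question or from the RabbitMQ project: a small Python model of how the OAuth 2.0 plugin's documented scope format is interpreted, run against the `scope` claim and `resource_server_id` shown above. It assumes the documented default behaviour, that only scopes prefixed with `<resource_server_id>.` are considered and that they take the form `<prefix><permission>:<vhost_pattern>/<name_pattern>` with `*` as a wildcard; the exact regex translation is a simplification.

```python
import re

PERMISSIONS = ("configure", "read", "write")


def _pattern_to_regex(pattern: str) -> re.Pattern:
    # In a RabbitMQ scope pattern '*' matches any sequence of characters;
    # everything else is matched literally.
    return re.compile(".*".join(re.escape(p) for p in pattern.split("*")))


def parse_scopes(scope_claim: str, resource_server_id: str):
    """Return (permission, vhost_pattern, name_pattern) triples that the
    plugin would consider. Scopes not carrying the resource_server_id
    prefix (e.g. 'email', 'profile', or a scope minted for another
    resource server) are ignored, which is what empties the list in the
    'Matching virtual host ... against the following scopes:' log line."""
    prefix = resource_server_id + "."  # default scope prefix (assumption)
    parsed = []
    for raw in scope_claim.split():  # 'scope' claim is space separated
        if not raw.startswith(prefix):
            continue
        body = raw[len(prefix):]
        permission, sep, target = body.partition(":")
        if not sep or permission not in PERMISSIONS:
            continue
        parts = target.split("/")
        if len(parts) < 2:
            continue
        parsed.append((permission, parts[0], parts[1]))
    return parsed


def vhost_allowed(scope_claim: str, resource_server_id: str, vhost: str) -> bool:
    """Connection-time check: at least one scope's vhost pattern must match."""
    return any(_pattern_to_regex(vp).fullmatch(vhost)
               for _, vp, _ in parse_scopes(scope_claim, resource_server_id))


def resource_allowed(scope_claim: str, resource_server_id: str,
                     vhost: str, permission: str, name: str) -> bool:
    """Per-operation check: permission, vhost and resource name must all match."""
    return any(perm == permission
               and _pattern_to_regex(vp).fullmatch(vhost)
               and _pattern_to_regex(np).fullmatch(name)
               for perm, vp, np in parse_scopes(scope_claim, resource_server_id))


# Constructed from the claim quoted in the question.
CLAIM = "email rabbitmq.read:*/* rabbitmq.configure:*/* rabbitmq.write:*/* profile"
```

With `resource_server_id = rabbit_prod` the quoted claim yields no usable scopes, so `vhost_allowed(CLAIM, "rabbit_prod", "/")` is False, whereas the same claim against `rabbitmq` is accepted.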
