Combine SSL Auth Mechanism with OAuth2 backend for permissions

[inseroaj]

Community Support Policy

• I have read RabbitMQ's Community Support Policy

RabbitMQ version used

4.1.1

How is RabbitMQ deployed?

Community Docker image

Steps to reproduce the behavior in question

We would like to have AMQP clients authenticate towards RabbitMQ using client certificates, but maintain the registered users and permissions with an OIDC provider.
Using the rabbitmq_auth_mechanism_ssl plugin, clients can authenticate with certificates.
Using the rabbitmq_auth_backend_oauth2 plugin, clients can authenticate using OAuth 2 tokens.

The SSL auth mechanism will look up the authenticated user in the configured auth backend, but since the OAuth2 backend requires a token, these do not seem to combine well. No requests are made to the oauth2 backend when a client is authenticated using a client certificate through the SSL auth mechanism.

Since we use the same client certificates for authenticating towards other systems, we would like to keep the user management centralized in the OIDC provider, and avoid registering the users in RabbitMQ as well. For this to work, RabbitMQ must request the client permissions from the OIDC provider, based on the username derived from the client certificate.

Is there any easy configurable way to combine the SSL auth mechanism with the OAuth2 backend, to achieve this ?
Or is the only option to use a proxy for token retrieval (only use the OAuth2 backend plugin), or write a custom RabbitMQ auth backend plugin that requests the permissions from the OIDC provider ?

[michaelklishin]

By using x.509 certificate and the EXTERNAL mechanism for authentication, you give up on using all other (built-in) mechanisms. The credential values are ignored by design.

I don't understand the benefit of combining these two approaches but they were never meant to be combined in any way. Just use OAuth 2, the identity will come from the token and not from the certificate.

[inseroaj]

The purpose is to let the clients authenticate solely using a client certificate, and not provide a token.
This is possible with the SSL auth mechanism, but the permissions of the authenticated client are looked up in the internal auth backend in RabbitMQ, based on the distinguished name of the certificate.
We would like to store the permissions only in the OIDC provider, but that would require RabbitMQ to retrieve the permissions from there, rather than the internal database.
How to achieve that without requiring a token in addition to the client certificate based auth ?

[lukebakken]

How to achieve that without requiring a token in addition to the client certificate based auth ?

You might be able to do something by using a custom HTTP auth backend for the authz (authorization) part of the workflow, and doing the OAuth2 bits in the custom backend. I'm pretty sure you can't use the OAuth2 plugin for just authz.

If it's important enough, hire someone to implement it for you.

[inseroaj]

We actually did consider that approach - maybe using the rabbitmq_auth_backend_http.

Just wanted to know if we were missing something that made this possible out-of-the-box. Doesn't sound like it though. Thanks for your input.