Introducing OAuth2 configuration from the CloudAMQP console and API
We're excited to announce that it's now possible to configure OAuth2 for your RabbitMQ clusters. This new feature gives you the freedom to set up and manage OAuth2 authentication directly, without requiring assistance from our support team.
What is OAuth2 and why does it matter?
OAuth2 is an industry-standard authorization protocol that enables secure access to resources without credential sharing. Implementing OAuth2 for your clusters adds a layer of security through token-based authentication. It also allows integration with third-party applications and services, and lets you control access for team members. Configuring OAuth2 supports integration with identity providers such as UAA, Keycloak, Auth0, Azure, and Okta. With self-service configuration, you can set up OAuth2 at your convenience and make immediate adjustments as your needs change.
How to configure OAuth2 for your RabbitMQ clusters
To configure OAuth2 for your cluster, follow these steps:
- Set up an OAuth2 application on your identity provider
  - The exact steps differ between providers, but the following are usually required:
    - Create an application/client and/or API for RabbitMQ
    - Set it to a Single Page Application (SPA)
    - Make sure that the application login URI maps to the RabbitMQ cluster
    - Some providers also require a callback or redirect URI; set it to /js/oidc-oauth/login-callback.html
  - Remember the domain and client ID before going to the console
- In the console, under RabbitMQ, find → OAuth2 configuration
  - In the resource_server_id field, enter the identifier that represents your RabbitMQ instance as an OAuth 2.0 resource server. Note that this value should match what you configure in your OAuth provider as the audience for RabbitMQ (it's usually the same as the name of your OAuth2 application).
  - In the issuer field, enter the URL of your OAuth 2.0 authorization server. This will be the domain that was generated by your OAuth2 application.
  - In the client_id field, enter the client ID that was generated by your OAuth2 application.
  - Enable verify_aud unless the instance is a test or development instance.
- Configure permissions/scopes in your OAuth2 provider
  - At your OAuth2 provider, configure scopes that match RabbitMQ's permission model:
    - {resource_server_id}.configure:vhost/resource - Configure permissions
    - {resource_server_id}.read:vhost/resource - Read permissions
    - {resource_server_id}.write:vhost/resource - Write permissions
    - {resource_server_id}.tag:management - Management UI access
  - Create a user or role in your identity provider and add these permissions. Make sure to add them under oauth_scopes in the console.
- Save your changes in the console. After saving, a broker restart is required for the changes to take effect.
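As an added illustration (not CloudAMQP's or RabbitMQ's own code), the following Python sketch shows how a resource server interprets a token under the settings above: when verify_aud is on, the aud claim must name the resource_server_id, and only scopes prefixed with that id are mapped to configure/read/write permissions and tags. The function and class names are assumptions, the sample token payload is constructed, and `*` is treated as a match-all wildcard as a simplification.

```python
import re
from dataclasses import dataclass, field

# Scope convention from the steps above: {resource_server_id}.{perm}:vhost/resource
SCOPE_RE = re.compile(r"^(?P<rs>[^.]+)\.(?P<perm>configure|read|write|tag):(?P<target>.+)$")


@dataclass
class Grant:
    permissions: dict = field(default_factory=dict)  # (vhost, resource) -> {perms}
    tags: set = field(default_factory=set)


def evaluate_token(claims, resource_server_id, verify_aud=True):
    """Return the Grant a decoded, signature-checked token confers, or raise ValueError.

    `claims` is the token payload as a dict. Signature and expiry checks are
    assumed to have happened before this point (hypothetical helper, not RabbitMQ code).
    """
    if verify_aud:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if resource_server_id not in aud:
            raise ValueError(f"token audience {aud} does not include {resource_server_id!r}")
    grant = Grant()
    for scope in claims.get("scope", "").split():
        m = SCOPE_RE.match(scope)
        if not m or m.group("rs") != resource_server_id:
            continue  # scopes for other resource servers are ignored
        if m.group("perm") == "tag":
            grant.tags.add(m.group("target"))  # e.g. "management" -> management UI access
            continue
        vhost, _, resource = m.group("target").partition("/")
        grant.permissions.setdefault((vhost, resource or "*"), set()).add(m.group("perm"))
    return grant


def allowed(grant, perm, vhost, resource):
    """Check one permission; '*' in a scope matches any vhost or resource (simplified)."""
    return any(perm in perms and v in ("*", vhost) and r in ("*", resource)
               for (v, r), perms in grant.permissions.items())


# Constructed sample payload, as an identity provider might issue it for resource_server_id "rabbitmq"
SAMPLE = {
    "aud": ["rabbitmq"],
    "scope": "rabbitmq.read:orders/* rabbitmq.write:orders/events "
             "rabbitmq.tag:management other-api.read:x/y",
}
```

With verify_aud disabled, the same token would be accepted by a broker configured with a different resource_server_id, which is why the step above recommends enabling it outside test environments.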
Please note: If your clusters already have OAuth2 configured and you want them visible in the console, you must manually add them and click save. Please reach out to us if you're experiencing issues or need help.
We hope you like this feature and if you're experiencing difficulties with setting up or running OAuth2, please reach out to support@cloudamqp.com for assistance. Our support team is ready to help you.
Share your feedback
This self-service configuration is part of our effort to expand the level of self-control you have over your cluster. We'd love to hear your feedback. Share your thoughts and suggestions with us at contact@cloudamqp.com.