OAuth 2.0 configuration through CloudAMQP

This feature is available on dedicated RabbitMQ instances running RabbitMQ versions newer than 3.13.

RabbitMQ supports OAuth 2.0 as an authentication and authorization backend: clients present a JWT access token instead of a username and password, and the scopes carried in the token determine which vhosts and resources they may configure, read and write. OAuth 2.0 is configured in the CloudAMQP console under the OAuth 2.0 Configuration tab.

The OAuth 2.0 configuration in the CloudAMQP console.

OAuth 2.0 Configuration Options

The following configuration options can be set through the CloudAMQP console.

resource_server_id (Required)
    The unique identifier that represents this RabbitMQ instance as an OAuth 2.0 resource server. Unless scope_prefix is set, every RabbitMQ scope in a token must be prefixed with this value followed by a dot, and with verify_aud enabled the token's aud claim must contain it. The value must match what is registered for this instance on the OAuth 2.0 server (typically the API identifier or audience).

issuer (Required)
    The URL of the OAuth 2.0 authorization server that issues the JWT tokens. The server must be OpenID Connect (OIDC) compliant, because RabbitMQ uses the issuer's discovery document to locate its endpoints and the signing keys (JWKS) used to verify token signatures. The URL must start with https://.

preferred_username_claims
    A list of JWT claims that RabbitMQ searches, in order, to extract a user-friendly username (shown in the management UI and in logs).

additional_scopes_key
    A JWT claim from which RabbitMQ reads scopes in addition to the standard "scope" claim. Useful when the identity provider places roles or permissions in a custom claim.

scope_prefix
    Custom prefix for OAuth 2.0 scopes, used to avoid scope collisions or unintended overlap between resource servers sharing the same issuer. By default, resource_server_id followed by a dot (.) is used as the prefix. Scopes in a token that do not start with the prefix are ignored, so a scope intended for another resource server cannot grant access to this instance.

scope_aliases
    Maps custom role names or scopes issued by the identity provider to the standard RabbitMQ permission scopes that the authorization backend can parse and use.

verify_aud
    Controls whether RabbitMQ validates the "aud" (audience) claim in JWT tokens against the configured resource_server_id. Enabled by default. When disabled, any valid token from the issuer is accepted regardless of which audience it was issued for, so only turn it off when the provider cannot set aud correctly.

oauth_client_id (Recommended)
    The client identifier that the RabbitMQ Management UI uses when initiating OAuth 2.0 authorization flows with the configured identity provider. This must match the client ID that was registered with your identity provider for the RabbitMQ application.

oauth_scopes
    The scopes the Management UI requests from the identity provider when a user logs in; these must include the RabbitMQ scopes the user needs for management access.

audience
    Some identity providers (e.g. Auth0) require this parameter in the authorization request made by the Management UI. Leave it unset if you are using Azure/Entra v2 endpoints. Usually the same value as resource_server_id.
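The following is an added example, not CloudAMQP's or RabbitMQ's own code: an offline model of how the options above are applied to a decoded token, so that a scope layout can be checked before it is pushed to an identity provider. It models verify_aud, preferred_username_claims, the "scope" claim plus additional_scopes_key, scope_aliases, and the scope_prefix / resource_server_id filter, then translates the surviving scopes into configure/read/write checks. The sample claims and config are constructed for the example; the dotted-path convention for additional_scopes_key and the simplified "*" wildcard matching are assumptions of this example, and signature verification against the issuer's JWKS is assumed to have happened already.

```python
"""Offline model of the RabbitMQ OAuth 2.0 settings (example code, not RabbitMQ's)."""
from __future__ import annotations

import re
import time
from dataclasses import dataclass, field
from urllib.parse import unquote

TAG_SCOPES = {"administrator", "management", "monitoring", "policymaker"}


@dataclass
class OAuthConfig:
    resource_server_id: str
    issuer: str
    verify_aud: bool = True
    scope_prefix: str | None = None           # None -> "<resource_server_id>."
    additional_scopes_key: str | None = None  # "a.b" reads a nested claim (assumed convention)
    preferred_username_claims: list[str] = field(default_factory=list)
    scope_aliases: dict[str, str] = field(default_factory=dict)  # alias -> space-separated scopes

    @property
    def effective_prefix(self) -> str:
        return self.scope_prefix if self.scope_prefix is not None else self.resource_server_id + "."


def _as_list(value) -> list[str]:
    """Scope claims may be a space-separated string or a JSON list."""
    if value is None:
        return []
    if isinstance(value, str):
        return value.split()
    if isinstance(value, list):
        return [str(v) for v in value]
    raise ValueError("unsupported scope claim type")


def _nested_claim(payload: dict, key: str):
    node = payload
    for part in key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def validate_claims(payload: dict, cfg: OAuthConfig, now: float | None = None) -> None:
    """Reject tokens this resource server must not accept (signature already verified)."""
    now = time.time() if now is None else now
    if payload.get("iss") != cfg.issuer:
        raise ValueError("issuer mismatch")
    if "exp" in payload and float(payload["exp"]) <= now:
        raise ValueError("token expired")
    if cfg.verify_aud:
        aud = payload.get("aud")
        aud = [aud] if isinstance(aud, str) else list(aud or [])
        if cfg.resource_server_id not in aud:
            raise ValueError("aud does not contain resource_server_id")


def username(payload: dict, cfg: OAuthConfig) -> str | None:
    # First configured claim that is present wins; sub / client_id are the example's fallback.
    for claim in cfg.preferred_username_claims + ["sub", "client_id"]:
        if claim in payload:
            return str(payload[claim])
    return None


def rabbitmq_scopes(payload: dict, cfg: OAuthConfig) -> list[str]:
    """Scopes that belong to this resource server, aliases expanded, prefix removed."""
    raw = _as_list(payload.get("scope"))
    if cfg.additional_scopes_key:
        raw += _as_list(_nested_claim(payload, cfg.additional_scopes_key))
    expanded: list[str] = []
    for s in raw:
        expanded += cfg.scope_aliases[s].split() if s in cfg.scope_aliases else [s]
    prefix = cfg.effective_prefix
    # Scopes without the prefix belong to another resource server and grant nothing here.
    return [s[len(prefix):] for s in expanded if s.startswith(prefix)]


def tags(scopes: list[str]) -> set[str]:
    return {s[4:] for s in scopes if s.startswith("tag:") and s[4:] in TAG_SCOPES}


def _pattern(p: str) -> re.Pattern:
    # Simplified matching: "*" is a wildcard, everything else is literal.
    return re.compile("^" + ".*".join(re.escape(part) for part in p.split("*")) + "$")


def has_permission(scopes, permission, vhost, resource, routing_key=None) -> bool:
    """Check <permission>:<vhost>/<resource>[/<routing_key>] scopes; vhost "/" is written %2F."""
    if permission not in ("configure", "read", "write"):
        raise ValueError("permission must be configure, read or write")
    for s in scopes:
        kind, sep, rest = s.partition(":")
        parts = rest.split("/")
        if not sep or kind != permission or len(parts) < 2:
            continue
        if not (_pattern(unquote(parts[0])).match(vhost) and _pattern(parts[1]).match(resource)):
            continue
        if routing_key is not None and len(parts) == 3 and not _pattern(parts[2]).match(routing_key):
            continue
        return True
    return False


def authorize(payload: dict, cfg: OAuthConfig, now: float | None = None) -> dict:
    validate_claims(payload, cfg, now)
    scopes = rabbitmq_scopes(payload, cfg)
    return {"username": username(payload, cfg), "tags": tags(scopes), "scopes": scopes}


# Constructed sample (not a real token): roles live in a nested custom claim,
# one role is an alias, and one scope belongs to a different resource server.
SAMPLE_CONFIG = OAuthConfig(
    resource_server_id="rabbitmq",
    issuer="https://idp.example.com/realms/demo",
    additional_scopes_key="resource_access.rabbitmq.roles",
    preferred_username_claims=["preferred_username", "email"],
    scope_aliases={"orders-consumer": "rabbitmq.read:orders/* rabbitmq.write:orders/dlx"},
)
SAMPLE_PAYLOAD = {
    "iss": "https://idp.example.com/realms/demo",
    "aud": ["rabbitmq", "account"],
    "exp": 4102444800,  # far future so the sample stays valid
    "sub": "c3f1d2a0-0000-4000-8000-000000000001",
    "preferred_username": "alice",
    "scope": "openid rabbitmq.tag:management billing.read:*/*",
    "resource_access": {"rabbitmq": {"roles": ["orders-consumer", "rabbitmq.configure:orders/q.*"]}},
}
```

Running authorize(SAMPLE_PAYLOAD, SAMPLE_CONFIG) yields username alice, the management tag, and only the four rabbitmq.-prefixed scopes; the billing.read scope is dropped by the prefix filter, and setting verify_aud to False is the only way a token whose aud lacks "rabbitmq" gets through.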