
OAuth 2: support for scope aliases (mappings) #4588

Closed
michaelklishin opened this issue Apr 18, 2022 · 1 comment · Fixed by #4604


michaelklishin commented Apr 18, 2022

In some environments, producing scopes that follow the convention used by our OAuth 2 authN/authZ backend is effectively impossible for non-technical reasons.

@MarcialRosales has suggested a workaround that would allow for a mapping of scopes to a set of
RabbitMQ permission scopes.

Here is an example:

```erlang
{rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"rabbitmq-122">>},
    {extra_scopes_source, <<"claims">>},
    {scope_aliases, #{
      <<"megacorp.roles.122">> => [
        <<"rabbitmq.read:vhost-122/*">>,
        <<"rabbitmq.write:vhost-122/*">>,
        <<"rabbitmq.configure:vhost-122/*">>
      ],
      <<"megacorp.roles.188">> => [
        <<"rabbitmq.read:vhost-188/*">>,
        <<"rabbitmq.configure:vhost-188/*">>
      ],
      <<"megacorp.roles.199">> => [<<"rabbitmq.read:*/*">>]
    }},
    {key_config, [
```

```json
{
  "claims": "megacorp.roles.122",
  "aud": [
    "rabbitmq-122"
  ]
}
```

The rabbitmq_auth_backend_oauth2.scope_mappings key, if defined, can be used to look up
a set of RabbitMQ permissions that would then be parsed just like "regular" JWT token scopes
are.

@michaelklishin michaelklishin added this to the 3.10.0 milestone Apr 18, 2022
@michaelklishin michaelklishin self-assigned this Apr 18, 2022
michaelklishin added a commit that referenced this issue Apr 20, 2022
Per discussion with @MarcialRosales, we try to fetch
aliases from two sources, based on feedback from two different
users who seemingly rely on the same family of identity
provider products:

 * Use the JWT scope field value first
 * Use extra_scopes_source app env setting second

Just like with the existing extra scopes/complex claim
support originally contributed for Keycloak/identityProvider,
we merge all these scopes obtained from "alternative sources"
with the value of the JWT scopes field. This implicitly
assumes that the result makes sense semantically and
there will not be conflicting scopes. That's on the user to
make sure of.

References #4588
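The alias lookup from the issue description and the two-source, merge-with-literal-scopes order from the commit message above, modelled as an added Python example (not the plugin's Erlang code). The alias map mirrors the issue's example; the claim layout and the `<prefix>.<permission>:<vhost>/<resource>` scope grammar are assumptions, and the resolver already accepts several aliases per field, which a later comment on this issue asks for.

```python
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed alias map mirroring the issue's example: the key is the opaque role
# name an identity provider emits, the value is the RabbitMQ scopes it stands for.
SCOPE_ALIASES: Dict[str, List[str]] = {
    "megacorp.roles.122": ["rabbitmq.read:vhost-122/*",
                           "rabbitmq.write:vhost-122/*",
                           "rabbitmq.configure:vhost-122/*"],
    "megacorp.roles.188": ["rabbitmq.read:vhost-188/*",
                           "rabbitmq.configure:vhost-188/*"],
    "megacorp.roles.199": ["rabbitmq.read:*/*"],
}

# Assumed grammar of a "regular" scope: <prefix>.<permission>:<vhost>/<resource>
SCOPE_RE = re.compile(
    r"^(?P<prefix>[^.]+)\.(?P<perm>configure|read|write):(?P<vhost>[^/]+)/(?P<res>.+)$")

def _as_list(value) -> List[str]:
    """A JWT claim may be a space-separated string or a JSON list; normalise it."""
    if value is None:
        return []
    return value.split() if isinstance(value, str) else [str(v) for v in value]

def resolve_scopes(token: dict, aliases: Dict[str, List[str]],
                   extra_scopes_source: Optional[str] = None) -> List[str]:
    """Expand aliases found in the JWT 'scope' field first and in the
    extra_scopes_source claim second, merged with the literal scopes. Entries
    that are not aliases pass through unchanged for the scope parser to judge."""
    candidates = _as_list(token.get("scope"))
    if extra_scopes_source:
        candidates += _as_list(token.get(extra_scopes_source))
    merged: List[str] = []
    for item in candidates:
        for scope in aliases.get(item, [item]):
            if scope not in merged:  # plain union: conflicts are not detected here
                merged.append(scope)
    return merged

def parse_permissions(scopes: Iterable[str], prefix: str) -> List[Tuple[str, str, str]]:
    """Keep only well-formed scopes with the expected prefix, split into
    (permission, vhost pattern, resource pattern); an unmapped alias grants nothing."""
    perms: List[Tuple[str, str, str]] = []
    for scope in scopes:
        m = SCOPE_RE.match(scope)
        if m and m.group("prefix") == prefix:
            perms.append((m.group("perm"), m.group("vhost"), m.group("res")))
    return perms
```

Because the merge is a plain union, a token carrying both a role alias and literal scopes simply gets the sum of both; nothing in this step flags contradictory grants, which is the caveat the commit message leaves to the operator.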
michaelklishin added a commit that referenced this issue Apr 22, 2022
michaelklishin added a commit that referenced this issue Apr 22, 2022
mergify bot pushed a commit that referenced this issue Apr 23, 2022
(cherry picked from commit a2a5468)
mergify bot pushed a commit that referenced this issue Apr 23, 2022
(cherry picked from commit eb31785)
michaelklishin (author) commented:

We decided to extend this to support multiple aliases per scope list (or another field used for extra_scopes_source).

michaelklishin added a commit that referenced this issue Apr 27, 2022
mergify bot pushed a commit that referenced this issue Apr 27, 2022
Per discussion with @MarcialRosales.

In follow-up to #4588.

(cherry picked from commit ca290f1)
mergify bot pushed a commit that referenced this issue Apr 27, 2022
michaelklishin added a commit that referenced this issue Apr 29, 2022
mergify bot pushed a commit that referenced this issue Apr 29, 2022