OAuth 2 plugin improvements #3887
Hi @anhanhnguyen, I can see that there are some test failures for
There are warnings and that will break compilation from scratch with the flags we use by default:
The documentation section reinvents a lot of docs and uses non-standard (at least for us) terminology. Instead it should reference existing RabbitMQ TLS docs and use the same terms used there as much as possible.
- Validate JWKS server when getting keys
- Restrict usable algorithms
- "strict" changes to "https.peer_verification"
- "cacertfile" changes to "https.cacertfile"
- Update new configuration document
- Add configurable "depth" for key server verification
- A "wildcard" configuration is added to enable key server verification with wildcard certificate
- Add configuration: crl_check, fail_if_no_peer_cert
- Correct configuration: hostname_verification
Thank you for your comments. I updated the README and tests. Please let me know what you think.
Thank you!
OAuth 2 plugin improvements (backport #3887)
Hi,
We implemented some changes to the OAuth plugin which affect how RabbitMQ fetches the JWKey Sets from a remote host, restrict the list of valid algorithms in the token, and some improvements to the config file.
These changes are the following:
Care was taken to keep the current behaviour; for example, this meant that verify_none needs to remain the default for the key fetching.
This PR was created as part of a security audit made on behalf of LKAB.
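As an added illustration (not part of this PR or of the plugin's own documentation), the two rabbitmq.conf fragments below put the backwards-compatible default the description mentions (no peer verification when fetching the key set) beside a hardened configuration that uses the options this PR introduces. The `auth_oauth2.` key prefix, the `resource_server_id` and `jwks_url` keys and the `verify_none`/`verify_peer` values are taken from RabbitMQ's documented configuration schema rather than from this page; the URL, CA path and algorithm list are placeholders.

```ini
# ---- Fragment A: permissive default kept for compatibility ----------------
# The JWKS endpoint is fetched over HTTPS, but the key server's certificate is
# not checked, so a host that can redirect or intercept the connection could
# hand the broker a forged key set that then validates attacker-minted tokens.
auth_oauth2.resource_server_id = my_rabbitmq
# placeholder URL
auth_oauth2.jwks_url = https://idp.example.test/.well-known/jwks.json
auth_oauth2.https.peer_verification = verify_none

# ---- Fragment B: key server verification enabled --------------------------
auth_oauth2.resource_server_id = my_rabbitmq
# placeholder URL
auth_oauth2.jwks_url = https://idp.example.test/.well-known/jwks.json

# Verify the key server's certificate chain against a trusted CA bundle
# (the keys formerly called "strict" and "cacertfile", now under https.*).
auth_oauth2.https.peer_verification = verify_peer
# placeholder path
auth_oauth2.https.cacertfile = /etc/rabbitmq/idp_ca_certificate.pem

# Maximum number of intermediate CAs tolerated in the key server's chain.
auth_oauth2.https.depth = 2

# Abort the fetch if the server presents no certificate at all.
auth_oauth2.https.fail_if_no_peer_cert = true

# Match the certificate against the JWKS host; "wildcard" also accepts
# certificates issued for *.example.test.
auth_oauth2.https.hostname_verification = wildcard

# Check revocation lists for the certificates in the chain.
auth_oauth2.https.crl_check = true

# Only accept tokens signed with the algorithms the IdP actually uses, so a
# token cannot be downgraded to a weaker or unexpected algorithm.
auth_oauth2.algorithms.1 = RS256
auth_oauth2.algorithms.2 = ES256
```

Use one fragment or the other; rabbitmq.conf does not allow the same key twice.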