oauth2 backend regression from 3.13.0.rc2 to 3.13.0

[lazedo]

Describe the bug

oauth2 backend not working as expected

Reproduction steps

1. create oauth2 deployments on Kubernetes

- dex as oauth2 provider
- oauth2-proxy for {oauth_initiated_logon_type, idp_initiated} 

3. create cluster with oauth2 setup using operator

spec:
  delayStartSeconds: 30
  image: rabbitmq:3.13.0-rc.2-management-alpine
  override: {}
  persistence:
    storage: 10Gi
  rabbitmq:
    additionalConfig: |
      cluster_name = west
      cluster_partition_handling = pause_minority
      vm_memory_high_watermark_paging_ratio = 0.99
      disk_free_limit.relative = 1.0
      collect_statistics_interval = 10000

      prometheus.return_per_object_metrics = true

      log.console = true
      log.console.level = info
      auth_backends.1 = internal
      auth_backends.2 = rabbit_auth_backend_oauth2

      # local-cert
      auth_oauth2.https.peer_verification = verify_none
    additionalPlugins:
      - rabbitmq_top
      - rabbitmq_federation
      - rabbitmq_federation_management
      - rabbitmq_consistent_hash_exchange
      - rabbitmq_auth_backend_oauth2
      - rabbitmq_prometheus
    advancedConfig: |
      [
          {rabbitmq_auth_backend_oauth2,
           [{scope_prefix, <<>>}
           ,{verify_aud, false}
           ,{extra_scopes_source, <<"groups">>}
           ,{preferred_username_claims, [<<"email">>, <<"username">>, <<"user_name">>, <<"sub">>]}
           ,{key_config, 
            [{peer_verification, verify_none}
            ,{jwks_url, "https://dex.your.fqdn/keys"}
            ]
            }
           ,{scope_aliases, #{<<"myawesomeorg:admins">> => [<<"tag:administrator">>, <<"configure:*/*/*">>, <<"write:*/*/*">>, <<"read:*/*/*">>]}}
           ]
          }
         ,{rabbitmq_management,
           [{oauth_enabled, true}
           ,{oauth_initiated_logon_type, idp_initiated}
           ,{oauth_provider_url, "https://dex.your.fqdn"}
           ]
          }
      ].
  replicas: 3

4. create ingress to management-ui with oauth2-proxy

  annotations:
    cert-manager.io/cluster-issuer: your-cert-issuer
    nginx.ingress.kubernetes.io/auth-response-headers: Authorization
    nginx.ingress.kubernetes.io/auth-signin: >-
      https://auth.your.fqdn/oauth2/start?rd=https://$host$request_uri$is_args$args
    nginx.ingress.kubernetes.io/auth-url: https://auth.your.fqdn/oauth2/auth
    nginx.ingress.kubernetes.io/configuration-snippet: |
      auth_request_set $token $upstream_http_authorization;
      # proxy_set_header Authorization $token;
      auth_request_set $name_upstream_1 $upstream_cookie__oauth2_proxy_1;

      access_by_lua_block {
        if ngx.var.name_upstream_1 ~= "" then
           ngx.header["Set-Cookie"] = "_oauth2_proxy_1=" .. ngx.var.name_upstream_1 .. ngx.var.auth_cookie:match("(; .*)")
        end
      }
    nginx.ingress.kubernetes.io/enable-cors: 'true'
    nginx.ingress.kubernetes.io/proxy-buffer-size: 512k

5. browse to management-ui and verify user is logged in
6. change image from rabbitmq:3.13.0-rc.2-management-alpine to rabbitmq:3.13.0-management-alpine
7. browse to management-ui and verify user is not logged in

Expected behavior

user is logged in.

Additional context

logs seem to indicate that resource_server_id is required even when validate_aud is false.
setting a resource_server_id doesn't help
certificate on provider url is selfsigned and auth_oauth2.https.peer_verification is set to verify_none

[michaelklishin]

I'm afraid "deploy to Kubernetes" is not a reproduction step because there is a bajillion different Kubernetes environments, plus Nginx ingress controller is used, plus Dex (https://github.com/dexidp/dex?) is not an IDP provider we claim to support.

We will see if setting up Dex may end up being reasonably straightforward, and how different it may be from other providers.

The plugin supports five different IDP options (UAA, Keycloak, Auth0, Azure AD, Keycloak with OAuth 2 Proxy) and Dex is not on the list. Dex users are welcome to investigate what may be missing for Dex and contribute support for it.

[lazedo]

dex works as expected in conjunction with oauth2-proxy. I have couchdb, dashboard and previously rabbitmq. the dex provider is not the issue, the issue is a regression from 3.13.0.rc2 to 3.13.0. oauth2_client was added and several things changed.

[MarcialRosales]

the new changes should not affect the existing behaviour. One of the changes were to simplify the configuration. In your configuration, you would only need to configure auth_oauth2.issuer rather than jwks_url and oauth_provider_url as long as your idp is openId compliant, which dex is.
These changes will be soon documented in the rabbitmq website

[lazedo]

d827b72 (edited) changes caused this. rc2 works rc5 doesn't.

[lazedo]

to give more context, dex is configured with GitHub connector, that's where groups claim comes from.

[MarcialRosales]

I appreciate if you could add a PR to https://github.com/rabbitmq/rabbitmq-oauth2-tutorial that show case dex as another Authorization Server. This one is a good example to follow.

[MarcialRosales]

@lazedo resource_server_id is required. I appreciate if you could provide some logs otherwise I will try to use your configuration to reproduce your issue.
Here is a sample from the oauth2 tutorial repo : https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/conf/oauth2-proxy/rabbitmq.conf#L7 for your use case

[lazedo]

think this is the commit that changed the behaviour d827b72 (edited)

[MarcialRosales]

Since we added support for multiple Oauth2 resource(s), resource_server_id is absolutely required. Maybe in 3.12.x you could get away not setting it up because you were not using it either because you disabled the validation of the aud claim or because you are using idp_initiated logon. With sp_initiated logon, resource_server_id is required too.

I need to decide whether we really want to support resource_server_id as optional or not. Until I get back to you with an answer, please set the resource_server_id.

[lazedo]

even with resource_server_id it doesn't work. this 9f9cd9f seems like a potential fix, when is it going to be available as a release ?

2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0> Using oauth_provider {oauth_provider,<<"https://dex.my.fqdn">>,
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                      undefined,undefined,
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                      "https://dex.my.fqdn/keys",
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                      [{verify,verify_none},
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                       {cacertfile,[]},
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                       {depth,10},
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                       {crl_check,false},
2024-03-08 10:58:52.984210+00:00 [debug] <0.725.0>                                       {fail_if_no_peer_cert,false}]} from keyconfig
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0> OAuth 2 JWT: downloading keys from "https://dex.my.fqdn/keys" (TLS options: [{verify,
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                                verify_none},
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                               {cacertfile,
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                                []},
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                               {depth,
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                                10},
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                               {crl_check,
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                                false},
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                               {fail_if_no_peer_cert,
2024-03-08 10:58:52.984274+00:00 [debug] <0.725.0>                                                                                                false}])
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0> OAuth 2 JWT: failed to download keys: {error,
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                        {failed_connect,
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                         [{to_address,
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                           {"dex.my.fqdn",
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                            443}},
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                          {inet,
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                           [inet],
2024-03-08 10:58:52.984511+00:00 [error] <0.725.0>                                           {options,{cacertfile,[]}}}]}}

[lukebakken]

when is it going to be available as a release ?

Just keep an eye out for version 3.13.1. There is no set date for release at this time.

[lukebakken]

@lazedo as a workaround, set the cacertfile option in your configuration. It should point to a file with a concatenation of the entire X509 cert chain for https://dex.my.fqdn

[MarcialRosales]

@lazedo this issue was fixed 2 weeks ago. Can you please try this image which is built straight from our CI?
pivotalrabbitmq/rabbitmq:main-otp-max-bazel

There is a selenium suite (https://github.com/rabbitmq/rabbitmq-server/actions/runs/8197530182/job/22419646109) which runs your setup (i.e. with verify_none but also with resource_server_id though). Search for authnz-mgt/oauth-with-keycloak-with-verify-none.sh

If you prefer, you can run this test locally.

cd deps/rabbitmq_management/selenium
RABBITMQ_DOCKER_IMAGE=pivotalrabbitmq/rabbitmq:main-otp-max-bazel suites/authnz-mgt/oauth-with-keycloak-with-verify-none.sh

[lazedo]

@MarcialRosales Hi, confirmed it's fixed with that image.
Thank You

[lazedo]

credit_api_v2 feature was not enabled and a warning (all stable flags must be enabled after upgrade) appeared on mgmt site. after enabling it, the warning is gone.

[michaelklishin]

New questions belong to new discussions.