RabbitMQ 4.1.0 Okta Integration monitoring role has admin privileges

[samragu]

Community Support Policy

• I have read RabbitMQ's Community Support Policy
• I run RabbitMQ 4.x, the only series currently covered by community support
• I promise to provide all relevant information (versions, logs from all nodes, rabbitmq-diagnostics output, detailed reproduction steps)

RabbitMQ version used

4.1.0

Erlang version used

27.3.x

Operating system (distribution) used

docker

How is RabbitMQ deployed?

Community Docker image

rabbitmq-diagnostics status output

See https://www.rabbitmq.com/docs/cli to learn how to use rabbitmq-diagnostics

none

Logs from node 1 (with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

2025-04-19 21:21:32.850012+00:00 [debug] <0.1398.0> Computing username from client's JWT token: [<<"[email protected]">>] -> [email protected]


2025-04-19 21:21:32.850110+00:00 [debug] <0.1398.0> User '[email protected]' authenticated successfully by backend rabbit_auth_backend_oauth2

Logs from node 2 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

Logs from node 3 (if applicable, with sensitive values edited out)

See https://www.rabbitmq.com/docs/logging to learn how to collect logs

# PASTE LOG HERE, BETWEEN BACKTICKS

rabbitmq.conf

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find rabbitmq.conf file location

loopback_users.guest=false
log.console.level = debug

auth_backends.1 = rabbit_auth_backend_oauth2

management.oauth_enabled = true
management.oauth_client_id = xxxxxxx
management.oauth_scopes = admin monitoring
management.oauth_disable_basic_auth = false

auth_oauth2.resource_server_id = rabbitmq
auth_oauth2.issuer = https://xxxx.okta.com/oauth2/ausockqyc1j1mF11K5d7
auth_oauth2.additional_scopes_key = role
auth_oauth2.verify_aud = false
auth_oauth2.scope_prefix = okta.
auth_oauth2.https.hostname_verification = wildcard
auth_oauth2.scope_aliases.admin = okta.read:*/* okta.write:*/* okta.configure:*/* okta.tag:administrator
auth_oauth2.scope_aliases.monitoring = okta.tag:management okta.read:*/ okta.write:^$ okta.configure:^$

Steps to deploy RabbitMQ cluster

docker run

Steps to reproduce the behavior in question

1. Create users, scopes in Okta as per the OAuth2 tutorial - https://github.com/rabbitmq/rabbitmq-oauth2-tutorial
2. Create local configs, 1-main.conf and advanced.config as per the tutorial
3. Mount the local volume into Docker and start docker
4. Login to the management console as [email protected]

advanced.config

See https://www.rabbitmq.com/docs/configure#config-location to learn how to find advanced.config file location

[
    %% Set a resource server ID. Will require all scopes to be prefixed with `rabbitmq.`
    {rabbitmq_auth_backend_oauth2, [
        {scope_aliases, #{
            <<"admin">> => [
              <<"okta.read:*/*">>,
              <<"okta.write:*/*">>,
              <<"okta.configure:*/*">>,
              <<"okta.tag:administrator">>
            ],

            <<"monitoring">> => [
              <<"okta.read:*/*">>,
              <<"okta.write:^$">>,
              <<"okta.configure:^$">>,
              <<"okta.tag:management">>
            ]


        }}
    ]} % rabbitmq_auth_backend_oauth2
].

Application code

# PASTE CODE HERE, BETWEEN BACKTICKS

Kubernetes deployment file

# Relevant parts of K8S deployment that demonstrate how RabbitMQ is deployed
# PASTE YAML HERE, BETWEEN BACKTICKS

What problem are you trying to solve?

I have setup Okta claims for "role" claim to have either "admin" or "monitoring" values depending on the user and have configured [email protected] with admin role and [email protected] with monitoring role. I am able to login and receive valid JWT tokens from Okta. When I login as rabbitmq-monitoring user, I get correct JWT token (shown below) with role claim having "monitoring" value. However, after logging into the management console, this user has all Admin privileges. This user can create and delete queues, vhosts etc. Is there anything wrong with my configuration? I have also deleted the write and configure permissions for monitoring user in advanced.config but has no effect

{
"ver": 1,
"jti": "AT.vjL9sXl_vby-5Ge6ejt_3xzkRw7Ct-yGqGM-X8deoH4",
"iss": "https://xxx.okta.com/oauth2/ausockqyc1j1mF11K5d7",
"aud": "rabbitmq",
"iat": 1745096658,
"exp": 1745100258,
"cid": "0oaockesrnBWxeOyi5d7",
"uid": "00uocglex5M781ugz5d7",
"scp": [
"admin",
"monitoring"
],
"auth_time": 1745096656,
"sub": "[email protected]",
"role": "monitoring",
"scope": "admin monitoring"
}

[michaelklishin]

@samragu the ability to declare queues, exchanges, bindings ultimately comes from the permissions a user has, not its tag. Certain tags are necessary for certain management UI and HTTP API operations but tags control nothing outside of the management plugin, and specifically around authN and authZ chains.

Users labelled as monitoring do not have access to certain management UI features but they can have sufficient permissions to modify the topology, consume messages, and so on.

We will not troubleshoot OAuth 2 setups for non-paying users.

Besides extensive documentation that covers multiple IDPs there are examples for multiple IDPs and a troubleshooting guide.