Entra ID Oauth broken after upgrading to 4.1.0

[Dutchy-]

Describe the bug

After upgrading from 4.0.7 to 4.1.0, I can no longer login with Oauth/Entra ID because it fails with "Not Authorized".

Reproduction steps

This is my config for the cluster operator:

    additionalConfig: |
      auth_backends.1 = internal
      auth_backends.2 = rabbit_auth_backend_oauth2
      log.console = true
      log.console.level = info
      management.path_prefix = /rabbit
      management.disable_basic_auth = false
      management.oauth_enabled = true
      management.oauth_client_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      management.oauth_provider_url = https://login.microsoftonline.com/<redacted>
      management.oauth_disable_basic_auth = true
      auth_oauth2.resource_server_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      auth_oauth2.additional_scopes_key = roles
      auth_oauth2.jwks_url = https://login.microsoftonline.com/<redacted>/discovery/v2.0/keys
      auth_oauth2.preferred_username_claims.1 = unique_name
    advancedConfig: |
        [
          {rabbit, [
            {consumer_timeout, undefined}
          ]}
        ].
    additionalPlugins:
      - rabbitmq_management
      - rabbitmq_management_agent
      - rabbitmq_federation
      - rabbitmq_federation_management
      - rabbitmq_shovel
      - rabbitmq_shovel_management
      - rabbitmq_jms_topic_exchange
      - rabbitmq_prometheus
      - rabbitmq_auth_backend_oauth2

What happens in 4.1.0 is that the login process walks through the whole flow correctly, e.g.

1. Click oauth login button
2. Redirect to microsoft
3. Callback to /js/oidc-oauth/login-callback.html
4. Successfully redirected back to the main page but it displays Not Authorized
5. 401 on /api/whoami with the response {"error":"not_authorized","reason":"Not_Authorized"} (as seen through the browser console)

In the server logs, I see this error:

2025-05-12T14:02:50.494843897Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0> HTTP access denied: Authentication using OAuth 2/JWT token failed: {error,�[0m
2025-05-12T14:02:50.494882897Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                 {invalid_token,error,�[0m
2025-05-12T14:02:50.494891697Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                  {badarg,�[0m
2025-05-12T14:02:50.494895698Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   [<<"<redacted>">>]},�[0m
2025-05-12T14:02:50.494902698Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                  [{jose_jws,do_expand,1,�[0m
2025-05-12T14:02:50.494905498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494909598Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jws/jose_jws.erl"},�[0m
2025-05-12T14:02:50.494912698Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,463}]},�[0m
2025-05-12T14:02:50.494915498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {jose_jws,expand,1,�[0m
2025-05-12T14:02:50.494918198Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494921298Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jws/jose_jws.erl"},�[0m
2025-05-12T14:02:50.494923898Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,176}]},�[0m
2025-05-12T14:02:50.494926498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {jose_jws,peek_payload,1,�[0m
2025-05-12T14:02:50.494929098Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494932398Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jws/jose_jws.erl"},�[0m
2025-05-12T14:02:50.494935998Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,225}]},�[0m
2025-05-12T14:02:50.494939098Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {jose_jwt,peek_payload,1,�[0m
2025-05-12T14:02:50.494944498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494947599Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jwt/jose_jwt.erl"},�[0m
2025-05-12T14:02:50.494950599Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,159}]},�[0m
2025-05-12T14:02:50.494969499Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {uaa_jwt_jwt,get_aud,1,�[0m
2025-05-12T14:02:50.494972399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,"uaa_jwt_jwt.erl"},�[0m
2025-05-12T14:02:50.494974899Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,38}]},�[0m
2025-05-12T14:02:50.494977799Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {uaa_jwt,�[0m
2025-05-12T14:02:50.494980399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    resolve_resource_server,1,�[0m
2025-05-12T14:02:50.494992399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,"uaa_jwt.erl"},�[0m
2025-05-12T14:02:50.494998399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,98}]},�[0m
2025-05-12T14:02:50.495000899Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {rabbit_auth_backend_oauth2,�[0m
2025-05-12T14:02:50.495003600Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    authenticate,2,�[0m
2025-05-12T14:02:50.495006700Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.495009400Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "rabbit_auth_backend_oauth2.erl"},�[0m
2025-05-12T14:02:50.495012200Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,158}]},�[0m
2025-05-12T14:02:50.495014800Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {rabbit_auth_backend_oauth2,�[0m
2025-05-12T14:02:50.495017700Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    user_login_authentication,�[0m
2025-05-12T14:02:50.495020400Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    2,�[0m
2025-05-12T14:02:50.495023100Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.495026300Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "rabbit_auth_backend_oauth2.erl"},�[0m
2025-05-12T14:02:50.495028900Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,64}]}]}}�[0m

I've redacted the token because I do not know what information is in there.

I would like to restate that this was working fine in 4.0.7. I do not see any changes regarding oauth in the changelog, but in the commit history I see many changes to the oauth backend and management plugin on this front.
My Oauth setup was done using https://www.rabbitmq.com/docs/next/oauth2-examples-entra-id

Expected behavior

A successful login.

Additional context

No response

[michaelklishin]

@Dutchy- per our community support policy, we will not be troubleshooting OAuth 2 for non-paying users.

There is a dedicated doc guide that covers a number of common scenarios.

Entra specifically deviates from the spec and requires custom configuration #13788. The exception contains a resolve_resource_server/1 function which seems highly similar to #13788.

[Dutchy-]

Thank you for your response.

I am not very satisfied with the answer because the configuration broke after a minor update (4.0.7 to 4.1.0) and it is not a troubleshooting issue per se - the configuration was proven to be working before. However, I respect your right to not give support on oauth.

I hope there are other people here who can share if they had a similar experience with 4.1.0. I'll try the configuration for the aud from #13788, but that ticket specifically mentions an no_matching_aud_found error which I do not see in our logs. 🤞

[Dutchy-]

Hereby confirming that auth_oauth2.verify_aud = false indeed did not fix the problem.

[michaelklishin]

@MarcialRosales do you have other observations from this config snippet and the stack trace?

[Dutchy-]

Ok, I did some more digging, and I have some news.

Apparently, this section in your guide is new: https://www.rabbitmq.com/docs/oauth2-examples-entra-id#create-a-scope-for-management-ui-access
It was added somewhere in the last year (I configured oauth for rabbitmq in the summer of last year).
I updated the config on the MS side and I updated the rabbitmq configuration and now it works.

Apparently, the old config worked fine up until 4.1.0

My new config on the rabbitmq side now looks like this

      auth_backends.1 = internal
      auth_backends.2 = rabbit_auth_backend_oauth2
      log.console = true
      log.console.level = info
      management.path_prefix = /rabbit
      management.disable_basic_auth = false
      management.oauth_enabled = true
      management.oauth_client_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      management.oauth_provider_url = https://login.microsoftonline.com/<redacted>
      management.oauth_disable_basic_auth = false
      management.oauth_scopes = openid profile api://051b784e-7b3c-4c3a-b2ec-740839e25f60/rabbitmq
      auth_oauth2.resource_server_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      auth_oauth2.additional_scopes_key = roles
      auth_oauth2.issuer = https://login.microsoftonline.com/<redacted>/v2.0
      auth_oauth2.preferred_username_claims.1 = unique_name
      auth_oauth2.verify_aud = false

When I check my aud it is now api://051b784e-7b3c-4c3a-b2ec-740839e25f60 so I suppose I need to keep verify_aud = false in the config.

[Dutchy-]

I would like to add that the api://identifierhere can be any identifier, it doesn't have to be the client id, as long as you configure the same thing on the microsoft side. It just needs to be globally unique in the tenant.

[michaelklishin]

Thank you for following up.

My hypothesis about

auth_oauth2.verify_aud = false

missing turned out to be correct.

OK, the original setup from about a year ago explains it. Yes, the OAuth 2 plugin and the docs both evolve in part in response to the IDP changes, which Entra introduces more often than others.