OAuth2.0 signature validation failing for HS256 algorithm with base64 encoded symmetric key

[manpreet1992]

We are trying to use rabbitmq with oauth2 plugin (HS256 + base64url-encoded key value). We are using keycloak as the authentication server. Facing below error while trying to curl api/vhosts with port 15672.

Rabbitmq server-logs
2021-09-06 08:07:14.980 [debug] <0.983.0> Authentication using an OAuth 2/JWT token failed: signature_invalid 2021-09-06 08:07:14.981 [debug] <0.983.0> User '' failed authenticatation by backend rabbit_auth_backend_oauth2 2021-09-06 08:07:14.981 [debug] <0.983.0> User '' failed authenticatation by backend rabbit_auth_backend_internal 2021-09-06 08:07:14.981 [warning] <0.983.0> HTTP access denied: user '' - invalid credentials

advanced.config
[ {rabbit, [ {default_user, <<"user">>}, {default_pass, {encrypted, <<"5239e2VE3SiHKzRFnToP7li34XXPmCJt1aCX95noE/pxOqFUANEh4Iv0NlOIbptu">> } }, {config_entry_decoder, [ {passphrase, <<"mypassphrase">>} ]} ,{auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]} ]}, %%{foo, %% [{bar, [ {path, "/rabbitmq"}, %% {connections_total_enabled, true} ]} ]}, {rabbitmq_management, [ {listener, [{port, 15672} ]} ]}, {rabbitmq_auth_backend_oauth2, [ {resource_server_id, <<"rabbitmq">>}, {key_config, [ {default_key, <<"5635a0fd-b729-414d-b429-0aeb71abed13">>}, {signing_keys, #{ <<"5635a0fd-b729-414d-b429-0aeb71abed13">> => {map, #{ <<"alg">> => <<"HS256">>, <<"value">> => <<"XXXXXXXXx_S7ZeT91_G9QOjPWcHDQgJhaXXXXXXX7NxHA-l6U6WS42k-QacXXN1Eg">>, <<"kty">> => <<"MAC">>} } }} ]} ]} ].

NOTE: The same is working with keycloak + RS256 algorithm. Can anyone point the issue or provide the link to the documentation for configuring the HS256 with a key from keycloak.

[michaelklishin]

I will convert this issue to a GitHub discussion. Currently GitHub will automatically close and lock the issue even though your question will be transferred and responded to elsewhere. This is to let you know that we do not intend to ignore this but this is how the current GitHub conversion mechanism makes it seem for the users :(

[michaelklishin]

There is no dedicated documentation for that combination. You may be the only user of that combination of tools/algos/settings, so it's on you to troubleshoot.

Enabling debug logging may reveal relevant information. Erlang and OpenSSL (since they together implements TLS and crypto modules used by RabbitMQ) version information is also essential.

[manpreet1992]

Hi @michaelklishin,
I can understand your point. I just want to add that we tried using the same key in our java code to validate the JWT signature and it was able to verify. We are confused about the key format. What format of the key shall we pass? As in our java code, we used base64-urlencoded key and even in the example rabbitmq.config the <<"value">> is mentioned as <<"rabbit_signing_key">>. We will appreciate any inputs regarding the symmetric key format.

[manpreet1992]

As the key-type was octetSequence(OCT), So passing the symmetric key-configuration in advanced.config as below solved the problem.

{rabbitmq_auth_backend_oauth2, [
               {resource_server_id, <<"rabbitmq">>},
               {key_config, [
                 {signing_keys, #{
                  <<"7XXXXX8-9xX0-4XXa-9xXa-8e6X4X3xXXX3">> => {map, #{<<"kty">> => <<"oct">>,
                                            <<"alg">> => <<"HS256">>,
                                            <<"k">> => <<"XXXXXXXXXXz7hAgXXXXXXXXXXXXQ56cEk76Ea_W-XXXXXXXXXXXXX-GYCdANXFzTpZj-XXXXXXXXXXXXXXXXXXX">>}}
                  }}
                ]}
              ]}

NOTE: "k" is the key-value(Base64-url encoded).

To Fetch the HS256 OCT key-value from keycloak, we need to execute the below sql-query in the keycloak database.

SELECT value FROM COMPONENT_CONFIG CC INNER JOIN COMPONENT C ON(CC.component_id = C.id) WHERE C.realm_id = '<your-realm-id>' and provider_id = 'hmac-generated' AND CC.name = 'secret';