I have a rabbit instance that multiple teams need to access. Each team has its own vhost to manage its queues in and is not allowed in other vhosts. I got AD login working through the rabbitmq_auth_backend_oauth2 plugin.
What I can't find a solution to is how I now tie the AD to a specific vhost. Would it be possible to do it through the groups that exist in the JWT token when users log in?
Relevant part of my helm chart:
advancedConfig: |
  [
    {rabbit, [
      {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
    ]},
    {rabbitmq_management, [
      {oauth_enabled, true},
      {oauth_client_id, "<id>"},
      {oauth_provider_url, "<url>"}
    ]},
    {rabbitmq_auth_backend_oauth2, [
      {resource_server_id, <<"<id>">>},
      {extra_scopes_source, <<"roles">>},
      {key_config, [
        {jwks_url, <<"<url>/discovery/v2.0/keys">>}
      ]}
    ]}
  ].
After a lot of testing with configuration of the plugin and customizing the JWT token to create more dynamic roles, I ended up having to write a custom version of the 'rabbit_auth_backend_oauth2' plugin to have full control over roles-to-vhost permissions.
Frustratingly, Azure doesn't allow for more customization, as claims mapping would've worked if not for only being allowed one transformation expression/claim.
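The plugin's built-in way of tying a token to a vhost is the scope format it reads from the `scope` claim and from the claim named by `extra_scopes_source` (here `roles`): `<resource_server_id>.<configure|read|write>:<vhost>/<name>[/<routing-key>]` and `<resource_server_id>.tag:<tag>`, where `*` is a wildcard and `%2F`-style encoding is allowed in names. The Python below is an added illustration of that matching logic, not code from the plugin or from either poster; it assumes a `resource_server_id` of `my-rabbit`, a constructed, already signature-verified token payload, and a `roles` claim whose values were minted in that scope format. In the Azure case the `roles` claim carries the app role values assigned to the user, so app role values written in this format are what the plugin would act on.

```python
import re
from urllib.parse import unquote

# Constructed, already-verified token payload. The real plugin validates the
# signature against jwks_url before any claim is read; this example starts
# after that step. RESOURCE_SERVER_ID is an assumed value.
RESOURCE_SERVER_ID = "my-rabbit"
TEAM_A_TOKEN = {
    "aud": RESOURCE_SERVER_ID,
    "sub": "alice@example.com",
    "roles": [                                # claim named by extra_scopes_source
        "my-rabbit.configure:team-a/*",
        "my-rabbit.write:team-a/*",
        "my-rabbit.read:team-a/*",
        "my-rabbit.tag:management",
        "some-other-app.admin",               # wrong prefix: ignored
    ],
}

SCOPE_RE = re.compile(r"^(?P<perm>configure|read|write|tag):(?P<rest>.+)$")


def extract_scopes(payload, resource_server_id, extra_scopes_source=None):
    """Collect scopes from the 'scope' claim plus the extra claim, keeping
    only those prefixed with '<resource_server_id>.' (prefix stripped)."""
    raw = []
    for claim in ("scope", extra_scopes_source):
        if not claim:
            continue
        value = payload.get(claim)
        if isinstance(value, str):            # space-separated string form
            raw.extend(value.split())
        elif isinstance(value, list):         # JSON array form (e.g. app roles)
            raw.extend(v for v in value if isinstance(v, str))
    prefix = resource_server_id + "."
    return [s[len(prefix):] for s in raw if s.startswith(prefix)]


def parse_scope(scope):
    """Return (permission, vhost_pattern, name_pattern, routing_key_pattern),
    ('tag', tag, None, None) for tag scopes, or None when malformed."""
    m = SCOPE_RE.match(scope)
    if not m:
        return None
    perm, rest = m.group("perm"), m.group("rest")
    if perm == "tag":
        return ("tag", rest, None, None)
    parts = [unquote(p) for p in rest.split("/")]   # allows %2F-encoded names
    if len(parts) not in (2, 3):
        return None
    return (perm, parts[0], parts[1], parts[2] if len(parts) == 3 else None)


def _matches(pattern, value):
    """'*' is the only wildcard; every other character is literal."""
    regex = "^" + ".*".join(re.escape(piece) for piece in pattern.split("*")) + "$"
    return re.match(regex, value) is not None


def vhost_access(scopes, vhost):
    """A user may enter a vhost if any non-tag scope's vhost pattern matches."""
    return any(
        p and p[0] != "tag" and _matches(p[1], vhost)
        for p in map(parse_scope, scopes)
    )


def resource_access(scopes, vhost, name, permission):
    """configure/read/write on a queue or exchange inside a given vhost."""
    if permission not in ("configure", "read", "write"):
        return False
    return any(
        p and p[0] == permission and _matches(p[1], vhost) and _matches(p[2], name)
        for p in map(parse_scope, scopes)
    )


def tags(scopes):
    """Management tags granted by 'tag:' scopes."""
    return {p[1] for p in map(parse_scope, scopes) if p and p[0] == "tag"}


if __name__ == "__main__":
    scopes = extract_scopes(TEAM_A_TOKEN, RESOURCE_SERVER_ID, "roles")
    print("scopes:", scopes)
    print("team-a:", vhost_access(scopes, "team-a"),
          "team-b:", vhost_access(scopes, "team-b"))
```

Two points worth checking in a real deployment: a role value that lacks the `<resource_server_id>.` prefix grants nothing at all, which is why a token with only generic group names gives "access refused" even though authentication succeeded; and because `*` in the vhost position matches every vhost, team-specific isolation depends on each role value naming its own vhost literally.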