Skip to main content
Version: 3.13

Use Keycloak as OAuth 2.0 server

Demonstrate how to authenticate using the OAuth 2.0 protocol and Keycloak as Authorization Server using the following flows:

  • Access management UI via a browser
  • Access management rest api
  • Access AMQP protocol

Prerequisites to follow this guide

  • Docker
  • make
  • git clone https://github.com/rabbitmq/rabbitmq-oauth2-tutorial. This github repository contains all the configuration files and scripts used on this example.

Deploy Keycloak

  1. First, deploy Keycloak. It comes preconfigured with all the required scopes, users and clients.

  2. Run the following command to start Keycloak server:

    make start-keycloak

There is a dedicated Keycloak realm called Test configured as follows:

  • A rsa signing key
  • A rsa provider
  • Three clients: rabbitmq-client-code for the rabbitmq management UI, mgt_api_client to access via the management api and producer to access via AMQP protocol.

Start RabbitMQ

Run the command below to start RabbitMQ configured with the Keycloak server we started in the previous section: This is the rabbitmq.conf used for Keycloak.

export MODE=keycloak
make start-rabbitmq

Access Management api

To access the management api run the following command. It uses the client mgt_api_client which has the scope rabbitmq.tag:administrator.

make curl-keycloak url=http://localhost:15672/api/overview client_id=mgt_api_client secret=LWOuYqJ8gjKg3D2U8CJZDuID3KiRZVDa

Access AMQP protocol with PerfTest

To test OAuth 2.0 authentication with AMQP protocol you are going to use RabbitMQ PerfTest tool which uses RabbitMQ Java Client.

First you obtain the token and pass it as a parameter to the make target start-perftest-producer-with-token.

make start-perftest-producer-with-token PRODUCER=producer TOKEN=$(bin/keycloak/token producer kbOFBXI9tANgKUq8vXHLhT6YhbivgXxn)

NOTE: Initializing an application with a token has one drawback: the application cannot use the connection beyond the lifespan of the token. See the next section where you demonstrate how to refresh the token.

Access AMQP protocol with Pika

In the following information, OAuth 2.0 authentication is tested with the AMQP protocol and the Pika library. These tests specifically demonstrate how to refresh a token on a live AMQP connection.

The sample Python application can be found on GitHub.

To run this sample code proceed as follows:

python3 --version
pip install pika
pip install requests
python3 pika-client/producer.py producer kbOFBXI9tANgKUq8vXHLhT6YhbivgXxn

Note: Ensure you install pika 1.3

Access Management UI

  1. Go to http://localhost:15672.
  2. Click on the single button on the page which redirects to Keycloak to authenticate.
  3. Enter rabbit_admin and rabbit_admin and you should be redirected back to RabbitMQ Management fully logged in.

Stop keycloak

make stop-keycloak

Notes about setting up Keycloak

Configure Client

For backend applications which uses Client Credentials flow, you can create a Client with:

  • Access Type : public
  • Turn off Standard Flow, Implicit Flow, and Direct Access Grants
  • With Service Accounts Enabled on. If it is not enabled you do not have the tab Credentials
  • In the Credentials tab, you have the client id

Configure Client scopes

Default Client Scope are scopes automatically granted to every token. Whereas Optional Client Scope are scopes which are only granted if they are explicitly requested during the authorization/token request flow.

Include appropriate aud claim

You must configure a Token Mapper of type Hardcoded claim with the value of rabbitmq's resource_server_id*. You can configure Token Mapper either to a Client scope or to a Client.