Unable to match mqtt scope since update

[gaetansenn]

Describe the bug

Since the update of the new version of rabbitmq v3.13.1 i'm not able to write in topics. I had to rollback to the version 3.12.1 but didn't tested in version between the last version.
I'm using the rabbit_auth_backend_oauth2 and rabbit_auth_backend_internal with thoses enables plugins:
[rabbitmq_amqp1_0,rabbitmq_auth_backend_oauth2,rabbitmq_management,rabbitmq_mqtt,rabbitmq_stomp,rabbitmq_stream]

When the user try to write on this topic positions.${sub} i got this error from the mqtt logs:

2024-04-16 18:35:13.152680+02:00 [debug] <0.1384.0> User '******' authenticated successfully by backend rabbit_auth_backend_oauth2
2024-04-16 18:35:13.153060+02:00 [debug] <0.1384.0> Matching virtual host '/' against the following scopes: write:*/*/positions.{sub}
2024-04-16 18:35:13.153562+02:00 [info] <0.1384.0> Accepted MQTT connection 10.0.75.173:46650 -> 10.0.74.205:1883 for client ID 97967017-5963-4FD4-9C0D-D78C8570758A

Reproduction steps

Here is my advanced configuration it is using the keycloak:

[
  {rabbit, [
    {auth_backends, [rabbit_auth_backend_oauth2, rabbit_auth_backend_internal]}
  ]},


  {rabbitmq_management, [
    {enable_uaa, false}
  ]},

  {rabbitmq_auth_backend_oauth2, [
    {resource_server_id, <<"argos">>},
    {extra_scopes_source, <<"mqtt_scope">>},
    {preferred_username_claims, [ <<"name">>, <<"preferred_username">>, <<"email">> ]},
    {key_config, [
      {jwks_url, "..../realms/testing/protocol/openid-connect/certs"}
    ]}
  ]}
].

And an example of the jwt payload:

{
  "exp": 1713286423,
  "iat": 1713285823,
  "jti": "c6bdb805-d6a8-409f-ad45-ea1d67153822",
  "iss": "...",
  "aud": [
    "argos",
    "realm-management",
    "account"
  ],
  "sub": "2b1cae37-197e-4b47-ab88-5141ac958112",
  "typ": "Bearer",
  "azp": "**",
  "session_state": "**",
  "acr": "1",
  "allowed-origins": [
    "***"
  ],
  "realm_access": {
    "roles": [
      "default-roles-fnpc",
      "offline_access",
      "uma_authorization"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "manage-users",
        "query-users"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid profile email",
  "sid": "***",
  "internal": "true",
  "email_verified": true,
  "name": "***",
  "preferred_username": "***",
  "given_name": "***",
  "family_name": "***",
  "mqtt_scope": "argos.write:*/*/positions.{sub}",
  "email": "***",
  "email_otp": "false"
}

Expected behavior

Expected to be able to write in topic with identificated user as with the old version of the rabbitmq

Additional context

No additional

[michaelklishin]

@gaetansenn we will only investigate OAuth 2-related issues if you provide a complete set of steps to reproduce or if you are a paying user. Otherwise you'd have to troubleshoot it yourself.

Enabling debug logging would be a good first step. Provide details on how Keycloak was configured. We routinely see issues with IDP configuration that has nothing to do with RabbitMQ.

[michaelklishin]

Paying users should use commercial support channels, not GitHub Discussions.

[michaelklishin]

I also highly recommend against using advanced.config where it is not absolutely mandatory. Most OAuth 2-related settings are exposed to rabbitmq.conf.

[gaetansenn]

Hello @michaelklishin thank you for your reply.
I can setup a reproduction step for this problem, and I already enabled the debug logging.

Here the more detailed lines but look like the problem comes from the mqtt-will-mqttjs... and it was working perfectly since we updated the rabbitmq version.

2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                            <<"use">> => <<"sig">>,
2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                            <<"x5c">> =>
2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                                [<<"MIIClzCCAX8CBgGI9wEVyjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARmbnBjMB4XDTIzMDYyNjA5MTg0M1oXDTMzMDYyNjA5MjAyM1owDzENMAsGA1UEAwwEZm5wYzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKq/tATcp/FnfJJFHFGfLhebJyIfeU4OuHIUYKD6yl4P1DelXPRGRXrsCn0xVZzJmFj5lrBbkOOGHFI/7zSVS/9HPmCECxxn/0WXTsCy+StAVR/sRfspnk9yU1F/uJxOPSsTANVVcwc5wHZRg5VRbBu5IyWHvzCciLXGcFFIVzeyyAm70jLqwa/uFL4rykU9plizjB15k/gz9Psb/Zb9CMiCg81j5hOKU7JBkXuOFP1tUnkNdaoB5n8AAyCDaOWY3XK7r6CTNkEa4WJuPxJeJCwcDnTM7bq1a8QdTNTzjDvR4CDkbE9CwCPjdhaqOXdgmeZsNgMOdEcGCu8+bFS/1P0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEACTSiQ8AUl8Cm1Q4Ex1E6rZbS0eLdz1magpsa6l1eCNaOJA0KfcVCqdRkZTkbwKEqi1y3kDcs2Xt66nir02sgAs7S+A5XvV17I5Uw7eytNXa/CToyrDKwCLVUrRfstODkTRkUc4+XWVC/EmsWiVerApx6f5v9Xp2fOtMVcomTdQbtJL3UneL0TNmDWVIVDDmwAgdRk6xZkmjLm6Cbn+3xJU5jJY/afHo/wEkPIvRuRji53+jUn3y2DlbrhxCTY+Hdj5UPHCjUVjjGpiF2A2UTPoN2w9JR3WFtYp5OPXbkwIseODuQMjg3kT3Lbgbln6AxMinhE0wzBXwfZfidqDlxIg==">>],
2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                            <<"x5t">> =>
2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                                <<"SF3QOdRLcrRcAbFTi2psqIbd2Cs">>,
2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                            <<"x5t#S256">> =>
2024-04-16 16:44:27.007891+02:00 [debug] <0.1056.0>                                                <<"4MRUsBYxlJg-bvGa4rXpNbMn1wBEM8aYX0Kt55Lc9mE">>}'
2024-04-16 16:44:27.009420+02:00 [debug] <0.1056.0> Computing username from client's JWT token: [<<"Luigi BUFFETEAU">>,<<"lbuffeteau">>,
2024-04-16 16:44:27.009420+02:00 [debug] <0.1056.0>  <<"***@***">>,
2024-04-16 16:44:27.009420+02:00 [debug] <0.1056.0>  <<"2b1cae37-197e-4b47-ab88-5141ac958112">>] -> *****
2024-04-16 16:44:27.009565+02:00 [debug] <0.1056.0> User '***' authenticated successfully by backend rabbit_auth_backend_oauth2
2024-04-16 16:44:27.009684+02:00 [debug] <0.1056.0> Matching virtual host '/' against the following scopes: write:*/*/positions.{sub}
2024-04-16 16:44:27.009883+02:00 [error] <0.1056.0> MQTT resource access refused: configure access to queue 'mqtt-will-mqttjs_632cf075' in vhost '/' refused for user '***'
2024-04-16 16:44:27.010115+02:00 [error] <0.1056.0> Rejected MQTT connection 10.0.75.173:43846 -> 10.0.74.205:1883 with Connect Reason Code 135

[lukebakken]

@gaetansenn you will have to provide us a complete reproduction example. Keycloak, everything.

cc @MarcialRosales any ideas from the very limited amount of information we have so far?

[ansd]

Please provide full debug logs of the MQTT connection.

In 3.13.1 configure access is required to delete any will queue for the given client ID:

rabbitmq-server/deps/rabbitmq_mqtt/src/rabbit_mqtt_processor.erl

Line 232 in afe06a9

ok ?= clear_will_msg(S),

https://www.rabbitmq.com/blog/2023/07/21/mqtt5#feature-14-will-delay

[ansd]

This issue will be fixed in 3.13.2 by #11023 which doesn't check for configure access anymore if the will queue doesn't exist.

[gaetansenn]

Oh that's a good new thank you for your reply @ansd. Do you know when the 3.13.2 is scheduled to be release ?

[ansd]

We plan to release 3.13.2 later this month.

[michaelklishin]

This month or in May, an ongoing build infrastructure migration can affect our current plan. But there was a reasonably straightforward workaround provided below.

[gaetansenn]

Okay cool thank you so much for your reactivity and help :)

[MarcialRosales]

Hi @gaetansenn , i am reading the following error in the logs which tells me you are trying to create a queue (i.e configure) , however the scope is for write operation.

MQTT resource access refused: configure access to queue 'mqtt-will-mqttjs_632cf075' in vhost '/' refused for user '***'

[MarcialRosales]

I would follow @michaelklishin recommendation with regards using .conf over .config except if you need to configure scope aliases. Below is your configuration. I have chosen issuer for you over jwks_url for convenience. RabbitMQ automatically discovers the jwks_uri endpoint via the issuer url (in fact, over the OpenId connect discovery endpoint)

auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = rabbit_auth_backend_internal

management.oauth_enabled = false

auth_oauth2.resource_server_id = argos
auth_oauth2.preferred_username_claims.1 = name
auth_oauth2.preferred_username_claims.2 = preferred_username
auth_oauth2.preferred_username_claims.3 = email
auth_oauth2.additional_scopes_key = mqtt_scope
auth_oauth2.issuer = https://<your_keycloak_server>/realms/testing

[gaetansenn]

Hi @MarcialRosales,
I'm actually not doing this configurate but only using node mqtt client to write to the scoped topic. And with the old version of mqtt with the same client code, keycloak configuration it is working.
I will try to move to the .conf.
Thank you for your helps ☺️

[MarcialRosales]

For now, I would grant the configure scope to your client. I am checking if something may have changed in the mqtt plugin in 3.13.

[gaetansenn]

Hi @MarcialRosales I will try to add configure so I just add configure for the topic I need to do write action for ?

"mqtt_scope": ["argos.write:*/*/positions.{sub}", "argos.configure:*/*/positions.{sub}"]

[MarcialRosales]

Yes, it should work with those 2 scopes.
You can narrow down the configure scope to argos.configure:*/mqtt-will-*

When I tested MQTT with OAuth 2 authentication, i granted full access (https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/main/README.md#testing-mqtt-with-an-access-token). Maybe it is too much for a production environment.

Please, take a look at @ansd reply above : #11021