Thanos Apostolidis

Reputation: 33

Keycloak + RabbitMQ: Access to vhost '/' refused for user

I am following the suggested documentation for using Keycloak as an authentication mechanism with RabbitMQ. However, I always get the following access-denied error:

(530) "NOT_ALLOWED - access to vhost '/' refused for user '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759'"

I believe the Keycloak scopes (even though they are present in the JWT) are not visible to RabbitMQ, as seen here. Clients can authenticate, but they are not allowed to read/write on RabbitMQ.

rabbitmq-1  | 2025-02-21 13:59:04.992226+00:00 [debug] <0.699.0> Computing username from client's JWT token: [<<"05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759">>] -> 05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759
rabbitmq-1  | 2025-02-21 13:59:04.992305+00:00 [debug] <0.699.0> User '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1  | 2025-02-21 13:59:04.994004+00:00 [debug] <0.699.0> Matching virtual host '/' against the following scopes:
rabbitmq-1  | 2025-02-21 13:59:04.994058+00:00 [error] <0.699.0> Error on AMQP connection <0.699.0> (192.168.48.1:39816 -> 192.168.48.2:5672, user: '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759', state: opening):        
rabbitmq-1  | 2025-02-21 13:59:04.994058+00:00 [error] <0.699.0> access to vhost '/' refused for user '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759'

Decoded token field (after authenticating with keycloak) looks like:

  "scope": "email rabbitmq.read:*/* rabbitmq.configure:*/* rabbitmq.write:*/* profile",

So I know that the JWT includes required fields.

I am using files from this example.

Tried the default conf for RabbitMQ with no luck, and also tried minifying it a little bit, with no results:

auth_backends.1 = rabbit_auth_backend_oauth2

log.default.level = debug

auth_oauth2.resource_server_id = rabbit_prod
auth_oauth2.preferred_username_claims.1 = user_name
auth_oauth2.additional_scopes_key = scope
auth_oauth2.issuer = https://omitted/realms/prod

What am I missing?

Thanks in advance!

Reproduction steps:

  1. Import Keycloak realm settings. Tried multiple.
  2. Modify resource_server_id to include the appropriate aud claim (works, since I can authenticate)
  3. Run RabbitMQ with Docker (tried the latest image and also 4.0.2-management, as seen in the examples)
  4. Run provided Pika client.
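The debug line "Matching virtual host '/' against the following scopes:" ends with an empty list, which is the point where a vhost check can fail even though authentication succeeded. The following added example (not the poster's code and not the RabbitMQ plugin's own implementation) is a simplified, self-contained model of how the OAuth2 backend selects scopes for authorization, based on the documented scope shape `<prefix><permission>:<vhost_pattern>/<name_pattern>[/<routing_key_pattern>]`, where the prefix is `<resource_server_id>.` unless `auth_oauth2.scope_prefix` overrides it. The `scope` claim below is copied from the question; the `resource_server_id` values and vhost names are constructed to show which scopes survive the prefix filter. Treating `*` as match-all and any other pattern as an anchored regex is an assumption of this model, not a statement about the plugin's exact matching rules.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the "scope" claim exactly as shown in the question.
SAMPLE_SCOPE_CLAIM = (
    "email rabbitmq.read:*/* rabbitmq.configure:*/* rabbitmq.write:*/* profile"
)

PERMISSIONS = ("configure", "read", "write")


@dataclass(frozen=True)
class ScopePermission:
    """One RabbitMQ permission scope after the prefix has been stripped."""
    permission: str
    vhost_pattern: str
    name_pattern: str
    routing_key_pattern: Optional[str] = None


def _pattern_matches(pattern: str, value: str) -> bool:
    # Assumption (simplified): '*' means any value, anything else is an
    # anchored regular expression. Malformed patterns never match.
    if pattern == "*":
        return True
    try:
        return re.fullmatch(pattern, value) is not None
    except re.error:
        return False


def parse_scopes(scope_claim: str, scope_prefix: str) -> List[ScopePermission]:
    """Return only the scopes that carry the expected prefix and have a
    valid <permission>:<vhost>/<name>[/<routing_key>] body.

    Scopes for other resource servers (or plain OIDC scopes such as
    'email' and 'profile') are silently ignored, which is why a token can
    authenticate a user yet grant no RabbitMQ permissions at all.
    """
    selected: List[ScopePermission] = []
    for raw in scope_claim.split():
        if not raw.startswith(scope_prefix):
            continue
        body = raw[len(scope_prefix):]
        permission, sep, target = body.partition(":")
        if not sep or permission not in PERMISSIONS:
            continue
        parts = target.split("/")
        if len(parts) not in (2, 3) or not parts[0]:
            continue
        selected.append(
            ScopePermission(
                permission=permission,
                vhost_pattern=parts[0],
                name_pattern=parts[1],
                routing_key_pattern=parts[2] if len(parts) == 3 else None,
            )
        )
    return selected


def check_vhost_access(
    scope_claim: str,
    resource_server_id: str,
    vhost: str,
    scope_prefix: Optional[str] = None,
) -> Tuple[bool, List[ScopePermission]]:
    """Mirror the vhost step of the authorization check.

    Returns (allowed, scopes_considered). An empty second element is the
    counterpart of the empty list in the debug log line
    'Matching virtual host ... against the following scopes:'.
    """
    prefix = scope_prefix if scope_prefix is not None else resource_server_id + "."
    scopes = parse_scopes(scope_claim, prefix)
    allowed = any(_pattern_matches(s.vhost_pattern, vhost) for s in scopes)
    return allowed, scopes


if __name__ == "__main__":
    # Same token, three different plugin configurations.
    for label, rsid, prefix in (
        ("resource_server_id=rabbit_prod, default prefix", "rabbit_prod", None),
        ("resource_server_id=rabbit_prod, scope_prefix=rabbitmq.", "rabbit_prod", "rabbitmq."),
        ("resource_server_id=rabbitmq, default prefix", "rabbitmq", None),
    ):
        ok, scopes = check_vhost_access(SAMPLE_SCOPE_CLAIM, rsid, "/", prefix)
        print(f"{label}: vhost '/' allowed={ok}, scopes considered={len(scopes)}")
```

Running the block prints one line per configuration, so the effect of the prefix filter on the same token is visible side by side; the same function can be pointed at a decoded token from your own realm to confirm, before connecting a client, which scopes the broker will actually consider for a given vhost.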

Upvotes: 0

Views: 26

Answers (0)
