Configure Oauth scope prefix #8001

Merged
merged 3 commits into from
May 16, 2023
@MarcialRosales MarcialRosales commented Apr 26, 2023

RabbitMQ OAuth2 plugin uses the resource_server_id :

Scopes do not necessarily need to have a prefix. Prefixes are necessary, at least, in these situations:

  • to avoid scope collision. For instance, in UAA, all scopes are defined in the same namespace, so scopes must be prefixed to avoid scope collision with other resources.
  • to conform with IdP conventions. For instance, in Azure, all scopes must always carry a prefix which follows the pattern api://<app_id>..

Clearly, the scopes' prefix does not necessarily match either the audience claim or the resource parameter.

Proposed Changes

Therefore, there is a new setting called scope_prefix. It can be an empty string, meaning that the scopes are the raw RabbitMQ scopes, e.g. configure:*/*, or it can be any prefix. But it is very important to know that the final scope follows the format: <scope_prefix><rabbitmq_scope>. See that there is no separator character.

In order to keep existing configuration working without making further changes, RabbitMQ defaults scope_prefix to <resource_server_id>.. See that RabbitMQ maintains the dot character in the prefix.

Types of Changes

What types of changes does your code introduce to this project?
Put an x in the boxes that apply

  • Bug fix (non-breaking change which fixes issue #NNNN)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause an observable behavior change in existing systems)
  • Documentation improvements (corrections, new content, etc)
  • Cosmetic change (whitespace, formatting, etc)
  • Build system and/or CI

This PR is accompanied by a doc's PR
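
The prefix rule described above, modelled in Python as an added example (it is not code from this PR or from the plugin, which is written in Erlang). The function names and sample tokens are hypothetical; the sketch assumes that scopes not starting with the prefix are ignored, and takes the permission names from RabbitMQ's scope format.

```python
from typing import Iterable, List, Optional

# Permission names a RabbitMQ scope starts with, e.g. configure:*/*
PERMISSIONS = ("configure:", "read:", "write:", "tag:")


def effective_prefix(resource_server_id: str,
                     scope_prefix: Optional[str] = None) -> str:
    """An unset scope_prefix falls back to "<resource_server_id>." (dot kept)."""
    if scope_prefix is None:
        return resource_server_id + "."
    return scope_prefix  # may be "", meaning raw RabbitMQ scopes


def rabbitmq_scopes(token_scopes: Iterable[str], prefix: str) -> List[str]:
    """Keep scopes shaped <prefix><rabbitmq_scope> and strip the prefix.

    Assumption of this sketch: scopes without the prefix belong to other
    resources and are dropped. No separator is added or removed.
    """
    return [s[len(prefix):] for s in token_scopes if s.startswith(prefix)]


def malformed(scopes: Iterable[str]) -> List[str]:
    """Stripped scopes that do not begin with a RabbitMQ permission name."""
    return [s for s in scopes if not s.startswith(PERMISSIONS)]


# Constructed sample token scopes (not taken from the PR).
UAA_TOKEN = ["rabbitmq.configure:*/*", "rabbitmq.read:*/*", "other_app.write:*/*"]
RAW_TOKEN = ["configure:*/*", "tag:monitoring"]

if __name__ == "__main__":
    # Default prefix: the other resource's scope is dropped, the dot is consumed.
    print(rabbitmq_scopes(UAA_TOKEN, effective_prefix("rabbitmq")))
    # Empty prefix: scopes are used as they appear in the token.
    print(rabbitmq_scopes(RAW_TOKEN, effective_prefix("rabbitmq", "")))
    # Prefix configured without its trailing dot: the dot stays on every
    # scope, so none of them is a usable RabbitMQ scope any more.
    print(malformed(rabbitmq_scopes(UAA_TOKEN, "rabbitmq")))
```

The last case is the one to check when migrating a configuration: because nothing inserts a separator, the configured prefix has to end with whatever character the identity provider puts before the RabbitMQ scope.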

@MarcialRosales MarcialRosales force-pushed the configurable-oauth2-scope-prefix branch from aa30fb7 to ce23eed Compare April 26, 2023 11:01
@MarcialRosales MarcialRosales self-assigned this Apr 26, 2023
@MarcialRosales MarcialRosales marked this pull request as ready for review May 16, 2023 06:37
@michaelklishin michaelklishin added this to the 3.12.0 milestone May 16, 2023
@michaelklishin michaelklishin merged commit e290acb into main May 16, 2023
@michaelklishin michaelklishin deleted the configurable-oauth2-scope-prefix branch May 16, 2023 15:03
michaelklishin added a commit that referenced this pull request May 16, 2023
michaelklishin added a commit that referenced this pull request May 16, 2023
Configure Oauth scope prefix (backport #8001) (backport #8211)