Add Azure AD use case #8
Conversation
Thank you! It's a substantial amount of work. It will take some time to review as well :)

```erlang
{resource_server_id, <<"PUT YOUR AZURE AD APPLICATION ID">>},
{extra_scopes_source, <<"roles">>},
{key_config, [
{jwks_url, <<"PUT YOUR AZURE AD JWKS URI VALUE">>}
```
Umm. I think I should initialize jwks_url from the OpenID Connect discovery endpoint unless the discovery endpoint does not return a jwks_uri. I did not think about this one. Thank you!!!
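The discovery-based initialisation discussed in this comment, as an added example that is not code from the PR or from RabbitMQ: take `jwks_uri` from the discovery document when present, otherwise fall back to the configured value, and refuse a document for the wrong issuer or a non-HTTPS key URL. The issuer, tenant id and URLs are constructed placeholders, and `resolve_jwks_url`, `jwks_problem` and `erlang_key_config` are hypothetical helper names.

```python
"""Resolve the JWKS URL for RabbitMQ's key_config from an OpenID Connect
discovery document, with a configured fallback when jwks_uri is absent."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document (placeholder tenant and host, not
# values from the tutorial).
SAMPLE_ISSUER = "https://login.example.test/TENANT_ID_PLACEHOLDER/v2.0"
SAMPLE_DISCOVERY = json.dumps({
    "issuer": SAMPLE_ISSUER,
    "jwks_uri": "https://login.example.test/TENANT_ID_PLACEHOLDER/discovery/v2.0/keys",
    "token_endpoint": "https://login.example.test/TENANT_ID_PLACEHOLDER/oauth2/v2.0/token",
})


def resolve_jwks_url(discovery_json, expected_issuer, fallback_jwks_url=None):
    """Return the JWKS URL to configure, or raise ValueError if none is trustworthy."""
    doc = json.loads(discovery_json)
    # A document for another issuer would make RabbitMQ trust that issuer's keys.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    url = doc.get("jwks_uri") or fallback_jwks_url
    if not url:
        raise ValueError("discovery document has no jwks_uri and no fallback is configured")
    # Signing keys must be fetched over TLS, or they could be swapped in transit.
    if urlparse(url).scheme != "https":
        raise ValueError(f"refusing non-https jwks_uri: {url}")
    return url


def jwks_problem(discovery_json, expected_issuer, fallback_jwks_url=None):
    """Return None when resolution succeeds, else the reason it was rejected."""
    try:
        resolve_jwks_url(discovery_json, expected_issuer, fallback_jwks_url)
        return None
    except ValueError as err:
        return str(err)


def erlang_key_config(jwks_url):
    """Render the key_config term as it appears in the RabbitMQ config file."""
    return '{key_config, [{jwks_url, <<"%s">>}]}' % jwks_url


if __name__ == "__main__":
    print(erlang_key_config(resolve_jwks_url(SAMPLE_DISCOVERY, SAMPLE_ISSUER)))
```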
use-cases/azure.md (outdated):

```markdown
> :arrow_right: You will provide this file to RabbitMQ when you will start it (later in this tutorial)

## Start RabbitMQ
```
Did you try the instructions on how to start RabbitMQ explained here? In particular the very last step, which suggests using an already built docker image. Did it work for you?
The plan is that once this oidc-integration branch merges into the v.3.10.x branch we drop all the instructions referring to building RabbitMQ and instead we pull one of the existing docker images.
I didn't try before but I just did: it works perfectly so let me try to adjust the tutorial to use this method instead of building rabbitmq from scratch as I did.
use-cases/azure.md (outdated):

For the purpose of this tutorial, you can generate a self-signed certificate/key pair (answer the questions and enter the Common Name when prompted):
```
openssl req -newkey rsa:2048 -nodes -keyout KEY_FILENAME.key -x509 -days 365 -out CERT_FILENAME.crt
```
May I suggest that you create an azure folder under the bin folder, similar to bin/keycloak or bin/uaa, with a script called setup that generates this cert with the exact name you will use in the proxy.conf?
In the Makefile, there could be a target "setup-azure" which calls this script. Just a suggestion.
Sure. Let me try to implement it :)
use-cases/azure.md (outdated):

- Expose HTTPS port **443**
```
docker run -d -p 443:443 -v ./proxy.conf:/etc/nginx/conf.d/proxy.conf -v ./rabbit.crt:/etc/nginx/rabbit.crt -v ./rabbit.key:/etc/nginx/rabbit.key nginx:latest
```
To make it dead easy for the community using this tutorial, I was thinking of providing scripts and invoking those scripts from a target in the Makefile.
For instance, what about a target in the Makefile called start-azure-proxy? Up to you if you prefer to call docker directly from the Makefile target or move the docker statement to a separate script under bin/azure, whichever way is easier. Sometimes I find it easier to do the latter.
Thank you so much for this thorough work!
I am glad to see that Azure does not impose its own scope structure. I have seen that you have been able to define scopes compliant with RabbitMQ.
I would like to go through the tutorial and try it out, but as far as I can see I am happy with the changes. I have left a few small comments.
I have updated the initial proposition to be easier and compliant with a local implementation (i.e. using localhost):
This should be quite simple now to follow this tutorial. HTH.
Hi @baptistedaroit, it does help a lot. I am hoping to merge your PR after I use your guide today. Thanks!
```sh
echo "--------------------------------"
echo "Configure SSL cert/key ownership"
echo "--------------------------------"
chown 999:999 ${ROOT}/conf/azure/rabbitmq-ca.crt \
```
When I run it on my mac, these two lines failed. I skipped them and everything worked fine. @baptistedaroit Do we need them?
@MarcialRosales I think it depends on how docker is configured on the machine. In my case, I needed it because the key was mounted in the container with root as owner, with permissions 600, thus preventing RabbitMQ from reading it at startup.

```erlang
]},
{oauth_enable, true},
{oauth_client_id, "PUT YOUR AZURE AD APPLICATION ID"},
{oauth_client_secret, "PUT YOUR AZURE AD APPLICATION SECRET"},
```
I made a mistake from the beginning even though in your instructions you clearly set, "take the value of the secret". And I wrongly took the secret id. Maybe, given that in the Azure user interface it is referred to as "secret value", we can use "PUT YOUR AZURE AD APPLICATION SECRET VALUE".
ahah yep you are right, it can be confusing. Sorry about that one!
```markdown
## Verify RabbitMQ Management UI access

Go to RabbitMQ Management UI `https://localhost:15671`. Depending on your browser, ignore the security warnings (raised by the fact that we are using a self-signed certificate) to proceed.
```
Very minor: I would not wrap the URI https://localhost:15671 in single quotes, so that the reader can simply click and be redirected to the management UI.
```markdown
This generates the following files in `conf/azure`:
- **rabbitmq-ca.**crt**: a custom certificate authority that is used to generate and sign a self signed certificate for RabbitMQ
```
I think you have an extra double * in front of crt.
EXCELLENT JOB! I followed your guide without any problems. In fact, I made only one mistake, which was taking the secret id rather than the secret value. But that was me playing bold.
THANK YOU VERY MUCH @baptistedaroit!
Thanks!
Hello!
As discussed in issue #2605, here is a pull request to add a tutorial about how to integrate with Azure AD.
This is for now only focusing on accessing the RabbitMQ Management UI.
Thanks.