Entra ID Oauth broken after upgrading to 4.1.0

[Dutchy-]

Describe the bug

After upgrading from 4.0.7 to 4.1.0, I can no longer login with Oauth/Entra ID because it fails with "Not Authorized".

Reproduction steps

This is my config for the cluster operator:

    additionalConfig: |
      auth_backends.1 = internal
      auth_backends.2 = rabbit_auth_backend_oauth2
      log.console = true
      log.console.level = info
      management.path_prefix = /rabbit
      management.disable_basic_auth = false
      management.oauth_enabled = true
      management.oauth_client_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      management.oauth_provider_url = https://login.microsoftonline.com/<redacted>
      management.oauth_disable_basic_auth = true
      auth_oauth2.resource_server_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      auth_oauth2.additional_scopes_key = roles
      auth_oauth2.jwks_url = https://login.microsoftonline.com/<redacted>/discovery/v2.0/keys
      auth_oauth2.preferred_username_claims.1 = unique_name
    advancedConfig: |
        [
          {rabbit, [
            {consumer_timeout, undefined}
          ]}
        ].
    additionalPlugins:
      - rabbitmq_management
      - rabbitmq_management_agent
      - rabbitmq_federation
      - rabbitmq_federation_management
      - rabbitmq_shovel
      - rabbitmq_shovel_management
      - rabbitmq_jms_topic_exchange
      - rabbitmq_prometheus
      - rabbitmq_auth_backend_oauth2

What happens in 4.1.0 is that the login process walks through the whole flow correctly, e.g.

1. Click oauth login button
2. Redirect to microsoft
3. Callback to /js/oidc-oauth/login-callback.html
4. Successfully redirected back to the main page but it displays Not Authorized
5. 401 on /api/whoami with the response {"error":"not_authorized","reason":"Not_Authorized"} (as seen through the browser console)

In the server logs, I see this error:

2025-05-12T14:02:50.494843897Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0> HTTP access denied: Authentication using OAuth 2/JWT token failed: {error,�[0m
2025-05-12T14:02:50.494882897Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                 {invalid_token,error,�[0m
2025-05-12T14:02:50.494891697Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                  {badarg,�[0m
2025-05-12T14:02:50.494895698Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   [<<"<redacted>">>]},�[0m
2025-05-12T14:02:50.494902698Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                  [{jose_jws,do_expand,1,�[0m
2025-05-12T14:02:50.494905498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494909598Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jws/jose_jws.erl"},�[0m
2025-05-12T14:02:50.494912698Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,463}]},�[0m
2025-05-12T14:02:50.494915498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {jose_jws,expand,1,�[0m
2025-05-12T14:02:50.494918198Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494921298Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jws/jose_jws.erl"},�[0m
2025-05-12T14:02:50.494923898Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,176}]},�[0m
2025-05-12T14:02:50.494926498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {jose_jws,peek_payload,1,�[0m
2025-05-12T14:02:50.494929098Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494932398Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jws/jose_jws.erl"},�[0m
2025-05-12T14:02:50.494935998Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,225}]},�[0m
2025-05-12T14:02:50.494939098Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {jose_jwt,peek_payload,1,�[0m
2025-05-12T14:02:50.494944498Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.494947599Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "src/jwt/jose_jwt.erl"},�[0m
2025-05-12T14:02:50.494950599Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,159}]},�[0m
2025-05-12T14:02:50.494969499Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {uaa_jwt_jwt,get_aud,1,�[0m
2025-05-12T14:02:50.494972399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,"uaa_jwt_jwt.erl"},�[0m
2025-05-12T14:02:50.494974899Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,38}]},�[0m
2025-05-12T14:02:50.494977799Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {uaa_jwt,�[0m
2025-05-12T14:02:50.494980399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    resolve_resource_server,1,�[0m
2025-05-12T14:02:50.494992399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,"uaa_jwt.erl"},�[0m
2025-05-12T14:02:50.494998399Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,98}]},�[0m
2025-05-12T14:02:50.495000899Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {rabbit_auth_backend_oauth2,�[0m
2025-05-12T14:02:50.495003600Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    authenticate,2,�[0m
2025-05-12T14:02:50.495006700Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.495009400Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "rabbit_auth_backend_oauth2.erl"},�[0m
2025-05-12T14:02:50.495012200Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,158}]},�[0m
2025-05-12T14:02:50.495014800Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                   {rabbit_auth_backend_oauth2,�[0m
2025-05-12T14:02:50.495017700Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    user_login_authentication,�[0m
2025-05-12T14:02:50.495020400Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    2,�[0m
2025-05-12T14:02:50.495023100Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                    [{file,�[0m
2025-05-12T14:02:50.495026300Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                      "rabbit_auth_backend_oauth2.erl"},�[0m
2025-05-12T14:02:50.495028900Z �[38;5;214m2025-05-12 16:02:50.493935+02:00 [warning] <0.347155.0>                                                     {line,64}]}]}}�[0m

I've redacted the token because I do not know what information is in there.

I would like to restate that this was working fine in 4.0.7. I do not see any changes regarding oauth in the changelog, but in the commit history I see many changes to the oauth backend and management plugin on this front.
My Oauth setup was done using https://www.rabbitmq.com/docs/next/oauth2-examples-entra-id

Expected behavior

A successful login.

Additional context

No response

[michaelklishin]

@Dutchy- per our community support policy, we will not be troubleshooting OAuth 2 for non-paying users.

There is a dedicated doc guide that covers a number of common scenarios.

Entra specifically deviates from the spec and requires custom configuration #13788. The exception contains a resolve_resource_server/1 function which seems highly similar to #13788.

[Dutchy-]

Thank you for your response.

I am not very satisfied with the answer because the configuration broke after a minor update (4.0.7 to 4.1.0) and it is not a troubleshooting issue per se - the configuration was proven to be working before. However, I respect your right to not give support on oauth.

I hope there are other people here who can share if they had a similar experience with 4.1.0. I'll try the configuration for the aud from #13788, but that ticket specifically mentions an no_matching_aud_found error which I do not see in our logs. 🤞

[Dutchy-]

Hereby confirming that auth_oauth2.verify_aud = false indeed did not fix the problem.

[michaelklishin]

@MarcialRosales do you have other observations from this config snippet and the stack trace?

[Dutchy-]

Ok, I did some more digging, and I have some news.

Apparently, this section in your guide is new: https://www.rabbitmq.com/docs/oauth2-examples-entra-id#create-a-scope-for-management-ui-access
It was added somewhere in the last year (I configured oauth for rabbitmq in the summer of last year).
I updated the config on the MS side and I updated the rabbitmq configuration and now it works.

Apparently, the old config worked fine up until 4.1.0

My new config on the rabbitmq side now looks like this

      auth_backends.1 = internal
      auth_backends.2 = rabbit_auth_backend_oauth2
      log.console = true
      log.console.level = info
      management.path_prefix = /rabbit
      management.disable_basic_auth = false
      management.oauth_enabled = true
      management.oauth_client_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      management.oauth_provider_url = https://login.microsoftonline.com/<redacted>
      management.oauth_disable_basic_auth = false
      management.oauth_scopes = openid profile api://051b784e-7b3c-4c3a-b2ec-740839e25f60/rabbitmq
      auth_oauth2.resource_server_id = 051b784e-7b3c-4c3a-b2ec-740839e25f60
      auth_oauth2.additional_scopes_key = roles
      auth_oauth2.issuer = https://login.microsoftonline.com/<redacted>/v2.0
      auth_oauth2.preferred_username_claims.1 = unique_name
      auth_oauth2.verify_aud = false

When I check my aud it is now api://051b784e-7b3c-4c3a-b2ec-740839e25f60 so I suppose I need to keep verify_aud = false in the config.

[Dutchy-]

I would like to add that the api://identifierhere can be any identifier, it doesn't have to be the client id, as long as you configure the same thing on the microsoft side. It just needs to be globally unique in the tenant.

[michaelklishin]

Thank you for following up.

My hypothesis about

auth_oauth2.verify_aud = false

missing turned out to be correct.

OK, the original setup from about a year ago explains it. Yes, the OAuth 2 plugin and the docs both evolve in part in response to the IDP changes, which Entra introduces more often than others.

[kamilkrzeminski]

I'm having the same issue.
Could you please explain how you configured it on the Entra side, @Dutchy- ?

My config looks like this:

    additionalConfig: |
      cluster_partition_handling = pause_minority
      queue_leader_locator = balanced
      log.console = true
      log.console.formatter = json
      auth_backends.1 = rabbit_auth_backend_oauth2
      auth_backends.2 = rabbit_auth_backend_internal
      management.oauth_enabled = true
      management.oauth_disable_basic_auth = false
      management.oauth_client_id = 4b9b9e6f-3597-4dbb-bd73-94bd79f71fc4
      management.oauth_provider_url = https://login.microsoftonline.com/<redacted>
      management.oauth_scopes = openid profile api://4b9b9e6f-3597-4dbb-bd73-94bd79f71fc4/management-ui
      auth_oauth2.resource_server_id = 4b9b9e6f-3597-4dbb-bd73-94bd79f71fc4
      auth_oauth2.additional_scopes_key = roles
      auth_oauth2.jwks_url = https://login.microsoftonline.com/<redacted>/discovery/v2.0/keys
      auth_oauth2.scope_prefix = rabbitmq.
      auth_oauth2.verify_aud = false

Scope is configured as below.

[Dutchy-]

I'm very sorry, I don't have access to this configuration within my organisation, I had to work together with someone else to do this.

One detail I see in your configuration, I changed jwks_url to issuer. I don't know if this will solve your problem.

[kamilkrzeminski]

That really helped! Thank you so much!

[MarcialRosales]

It is better to use issuer rather than jwks_url or any other endpoint. From the issuer url , RabbitMQ discovers the other endpoints. It is very rare, you need to configure management.oauth_provider_url unless it is different than issuer. In the majority of Idps, the issuer and the url where to redirect users to login are both the same.

[ThomasZook]

@Dutchy- Thank you so much for the answer on here. We upgraded from 4.0.X to 4.1.3 today and we were pulling our hair out trying to figure out what happened in the upgrade that caused authentication with Azure Entra to break, even after updating our configurations in Azure and in rabbitmq.conf to match the examples.

Further experimentation led us to find that we could stop using auth_oauth2.verify_aud = false if we adjusted auth_oauth2.resource_server_id from auth_oauth2.resource_server_id = {Application_ID} to auth_oauth2.resource_server_id = api://{Application_ID} after following the OAuth2 Entra ID example from the docs to setup the scope in Azure Entra App's "Expose an API" section.

This does lead to needing to setup auth_oauth2.scope_prefix as, if one follows the example, Azure will be emitting values for the roles setup in the format like {Application_ID}.tag:administrator but it won't be recognized by the configuration due to the changed resource_server_id value. We found that adding auth_oauth2.scope_prefix = {Application_ID}. will get Rabbit to correct view the scopes that are part of the roles that get issued. We haven't attempted to just adjust the value in Azure yet so that the values are similar to api://{Application_ID}.tag:administrator but that is experimentation for another day.

[michaelklishin]

If you have a summary of what should be done, we can add it to the 4.1 release notes. Entra is known to break things and deviate from the OAuth 2 family of standards, so as much as we, ahem, not appreciate that, we are as willing to document the essential bits for the poor souls who have to deal with that wonderful service.

[MarcialRosales]

@ThomasZook You should only need to do what it is explained here https://www.rabbitmq.com/docs/oauth2-examples-entra-id#create-a-scope-for-management-ui-access (note: in the docs, it suggests the scope name api://{Application (client) ID}/management-ui but in the actual example rabbitmq configuration it uses api://{Application (client) ID}/rabbitmq ). This is assuming you are using the sample configuration for 4.1 https://github.com/rabbitmq/rabbitmq-oauth2-tutorial/blob/next/conf/entra/rabbitmq.conf.tmpl#L9 . I have highlighted the key configuration change introduced in 4.1 which is that RabbitMQ is using v2 of the Entra API. This was the big change from 4.0 to 4.1 as Entra was deprecating v1 and RabbitMQ had to accommodate for it. Keep your existing rabbitmq's scopes/roles in Entra as you had them before. You need to set auth_oauth2.verify_aud = false for Entra because typically one configure auth_oauth2.resource_server_id with the value {Application_ID} but then Azure uses a different value to refer to this resource in the aud claim, i.e . it uses api://{Application_ID} rather than {Application_ID}. I hope it helps.