OAuth 2.0 authentication and authorization for Amazon MQ for RabbitMQ
Amazon MQ for RabbitMQ supports the following authentication and authorization methods:
Simple authentication and authorization
In this method, broker users are stored internally in the RabbitMQ broker and managed through the web console or management API. Permissions for vhosts, exchanges, queues, and topics are configured directly in RabbitMQ. This is the default method. For more information about this method, see Broker users.
OAuth 2.0 authentication and authorization
In this method, broker users and their permissions are managed by an external OAuth 2.0 identity provider (IdP). User authentication and resource permissions for vhosts, exchanges, queues, and topics are centralized through the OAuth 2.0 provider's scope system. This simplifies user management and enables integration with existing identity systems.
Important considerations
-
OAuth 2.0 integration isn't supported on Amazon MQ for ActiveMQ brokers.
-
Amazon MQ for RabbitMQ doesn't support server certificate issued by a private CA.
-
The RabbitMQ OAuth 2.0 plugin doesn't support token introspection endpoints and opaque access tokens. It also doesn't perform token revocation checks.
-
You must include the IAM permission,
mq:UpdateBrokerAccessConfiguration
, to enable OAuth 2.0 on existing brokers. -
Amazon MQ automatically creates a system user named
monitoring-AWS-OWNED-DO-NOT-DELETE
with monitoring-only permissions. This user uses RabbitMQ's internal authentication system even on OAuth 2.0-enabled brokers and is restricted to loopback interface access only.
For information about how to configure OAuth 2.0 authentication for your Amazon MQ for RabbitMQ brokers, see Using OAuth 2.0 authentication and authorization.
Supported OAuth 2.0 configurations
Amazon MQ for RabbitMQ supports all configurable variables
-
auth_oauth2.https.cacertfile
-
auth_oauth2.oauth_providers.{id/index}.https.cacertfile
-
management.oauth_client_secret
Because Amazon MQ doesn't support this key, we don't support UAA as an IdP.
-
management.oauth_resource_servers.{id/index}.oauth_client_secret
-
auth_oauth2.signing_keys.{id/index}
Additional validations for OAuth 2.0 authentication
Amazon MQ also enforces the following additional validations for OAuth 2.0 authentication:
-
All URLs need to start with
https://
. -
Supported signature algorithms:
Ed25519
,Ed25519ph
,Ed448
,Ed448ph
,EdDSA
,ES256K
,ES256
,ES384
,ES512
,HS256
,HS384
,HS512
,PS256
,PS384
,PS512
,RS256
,RS384
, andRS512
.