OAuth 2.0 authentication and authorization for Amazon MQ for RabbitMQ - Amazon MQ

Amazon MQ for RabbitMQ supports the following authentication and authorization methods:

Simple authentication and authorization

In this method, broker users are stored internally in the RabbitMQ broker and managed through the web console or management API. Permissions for vhosts, exchanges, queues, and topics are configured directly in RabbitMQ. This is the default method. For more information about this method, see Broker users.

OAuth 2.0 authentication and authorization

In this method, broker users and their permissions are managed by an external OAuth 2.0 identity provider (IdP). User authentication and resource permissions for vhosts, exchanges, queues, and topics are centralized through the OAuth 2.0 provider's scope system. This simplifies user management and enables integration with existing identity systems.

Important considerations
  • OAuth 2.0 integration isn't supported on Amazon MQ for ActiveMQ brokers.

  • Amazon MQ for RabbitMQ doesn't support server certificates issued by a private CA; the IdP endpoints the broker contacts must present certificates that chain to a publicly trusted CA.

  • The RabbitMQ OAuth 2.0 plugin doesn't support token introspection endpoints or opaque access tokens: access tokens must be self-contained JWTs that the broker can verify with the IdP's published signing keys. The plugin also doesn't perform token revocation checks, so a token stays usable until it expires; keep access-token lifetimes short.

  • To enable OAuth 2.0 on an existing broker, the caller's IAM policy must include the mq:UpdateBrokerAccessConfiguration permission.

  • Amazon MQ automatically creates a system user named monitoring-AWS-OWNED-DO-NOT-DELETE with monitoring-only permissions. This user authenticates through RabbitMQ's internal authentication system even on OAuth 2.0-enabled brokers and can only connect over the loopback interface.

For information about how to configure OAuth 2.0 authentication for your Amazon MQ for RabbitMQ brokers, see Using OAuth 2.0 authentication and authorization.

Supported OAuth 2.0 configurations

Amazon MQ for RabbitMQ supports all configurable variables in the RabbitMQ OAuth 2.0 plugin, with the following exceptions:

  • auth_oauth2.https.cacertfile

  • auth_oauth2.oauth_providers.{id/index}.https.cacertfile

  • management.oauth_client_secret

    Because Amazon MQ doesn't support this key, UAA isn't supported as an IdP.

  • management.oauth_resource_servers.{id/index}.oauth_client_secret

  • auth_oauth2.signing_keys.{id/index}

Additional validations for OAuth 2.0 authentication

Amazon MQ also enforces the following additional validations for OAuth 2.0 authentication:

  • All URLs (for example, the issuer and JWKS endpoints) must start with https://.

  • Supported signature algorithms: Ed25519, Ed25519ph, Ed448, Ed448ph, EdDSA, ES256K, ES256, ES384, ES512, HS256, HS384, HS512, PS256, PS384, PS512, RS256, RS384, and RS512.
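The following is an added example, not code from the Amazon MQ documentation or from the RabbitMQ plugin. It turns the constraints listed on this page (the unsupported plugin keys, the https-only rule for URLs, the accepted JWT signature algorithms, and the absence of introspection and revocation checks) into a pre-flight checker you can run against a proposed rabbitmq.conf-style configuration and a sample access token before changing a broker. The config values and the token are constructed for illustration; the helper names (check_config, check_token, make_sample_token) are this example's own. Signature verification is deliberately not performed here, because that is the broker's job using the IdP's JWKS.

```python
"""Pre-flight checks for an Amazon MQ for RabbitMQ OAuth 2.0 setup (added example)."""
import base64
import json
import re
import time
from typing import Optional

# Keys this page lists as unsupported on Amazon MQ; "{id/index}" becomes [^.]+.
UNSUPPORTED_KEY_PATTERNS = [
    re.compile(r"^auth_oauth2\.https\.cacertfile$"),
    re.compile(r"^auth_oauth2\.oauth_providers\.[^.]+\.https\.cacertfile$"),
    re.compile(r"^management\.oauth_client_secret$"),
    re.compile(r"^management\.oauth_resource_servers\.[^.]+\.oauth_client_secret$"),
    re.compile(r"^auth_oauth2\.signing_keys\.[^.]+$"),
]

# Signature algorithms this page lists as accepted.
SUPPORTED_ALGS = {
    "Ed25519", "Ed25519ph", "Ed448", "Ed448ph", "EdDSA",
    "ES256K", "ES256", "ES384", "ES512",
    "HS256", "HS384", "HS512",
    "PS256", "PS384", "PS512",
    "RS256", "RS384", "RS512",
}

_HAS_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


def check_config(config: dict) -> list:
    """Return findings for a flat {key: value} config; an empty list passes."""
    findings = []
    for key, value in config.items():
        if any(p.match(key) for p in UNSUPPORTED_KEY_PATTERNS):
            findings.append(f"unsupported key on Amazon MQ: {key}")
        # Amazon MQ requires every URL-valued setting to use https://.
        if _HAS_SCHEME.match(value) and not value.startswith("https://"):
            findings.append(f"URL must start with https://: {key}={value}")
    return findings


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def check_token(token: str, resource_server_id: str, now: Optional[int] = None) -> list:
    """Shape-level checks on an access token. Signature verification is NOT done
    here; the broker does that against the IdP's JWKS."""
    parts = token.split(".")
    if len(parts) != 3:
        # No introspection endpoint support: an opaque token cannot be validated.
        return ["token is not a three-part JWS; opaque tokens are not supported"]
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return ["token header/payload is not base64url-encoded JSON"]
    findings = []
    alg = header.get("alg")
    if alg not in SUPPORTED_ALGS:
        findings.append(f"unsupported signature algorithm: {alg}")
    # No revocation checks: expiry is the only thing that ends a token's life.
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    if exp is None:
        findings.append("token has no exp claim; with no revocation checks it never expires")
    elif exp <= now:
        findings.append("token is expired")
    # The plugin only honours scopes prefixed with "<resource_server_id>.".
    scopes = str(claims.get("scope", "")).split()
    if not any(s.startswith(resource_server_id + ".") for s in scopes):
        findings.append(f"no scope is prefixed with '{resource_server_id}.'")
    return findings


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def make_sample_token(alg: str, exp: int, scope: str = "rabbitmq.read:*/*") -> str:
    """Constructed sample token; the signature segment is a placeholder."""
    header = _b64url_encode({"alg": alg, "typ": "JWT", "kid": "sample-kid"})
    claims = _b64url_encode({"sub": "order-service", "exp": exp, "scope": scope})
    return f"{header}.{claims}.placeholder-signature"


# Constructed config: real plugin key names, illustrative values.
SAMPLE_CONFIG = {
    "auth_oauth2.resource_server_id": "rabbitmq",
    "auth_oauth2.issuer": "https://idp.example.com/realms/broker",
    "auth_oauth2.jwks_url": "http://idp.example.com/realms/broker/certs",  # not https
    "auth_oauth2.https.cacertfile": "/etc/rabbitmq/private-ca.pem",        # unsupported
    "auth_oauth2.signing_keys.1": "/etc/rabbitmq/idp-key-1.pem",           # unsupported
    "management.oauth_client_id": "rabbitmq-management",
    "management.oauth_client_secret": "would-not-ship-this",               # unsupported
}

if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print("config:", finding)
    for finding in check_token(make_sample_token("none", 1000, scope="openid"), "rabbitmq", now=2000):
        print("token:", finding)
```

Run as a script, the constructed config produces four findings (the http JWKS URL and the three unsupported keys), and the deliberately bad token is flagged for its "none" algorithm, its past expiry, and the absence of any rabbitmq.-prefixed scope. The checker is intentionally conservative: it treats any value with a URL scheme as a URL, so a non-https value in a setting you did not anticipate is still caught.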