4.0.x, OAuth 2 with Keycloak: management access denied

[omorfley666]

Describe the bug

RabbitMQ is deployed using helm chart bitnami 16.0.2, RabbitMQ version 4.0.10, Erlang 27.3.3
I use the rabbit_auth_backend_oauth2 plugin in conjunction with Keycloak 26.0.5.
The rabbitmq.conf configuration now looks like this

auth_backends.1 = rabbit_auth_backend_oauth2
auth_backends.2 = rabbit_auth_backend_internal
auth_oauth2.resource_server_id = rabbitmq-dev
auth_oauth2.jwks_url = https://some.domain/realms/somerealm/protocol/openid-connect/certs
auth_oauth2.issuer = https://some.domain.tech/realms/somerealm
auth_oauth2.verify_aud = false
auth_oauth2.preferred_username_claims.1 = preferred_username
auth_oauth2.preferred_username_claims.2 = sub
auth_oauth2.additional_scopes_key = groups
auth_oauth2.scope_aliases.some_ad_group = rabbitmq.tag:administrator
auth_oauth2.https.verify = verify_none
auth_oauth2.https.fail_if_no_peer_cert = false
management.oauth_enabled = true
management.oauth_client_id = rabbitmq-dev
management.oauth_client_secret = somesecret

When trying to log in using SSO, I get the error Not authorized in the UI, and in the logs:

2025-06-02 12:27:27.882016+00:00 [debug] <0.42910.0> Verifying signature using signing_key_id : '<<"somesecret">>' and algorithms: undefined
2025-06-02 12:27:27.883798+00:00 [debug] <0.42910.0> Computing username from client's JWT token: [<<"someusuer">>,<<"sometoken">>] -> someusuer
2025-06-02 12:27:27.883906+00:00 [debug] <0.42910.0> User 'someusuer' authenticated successfully by backend rabbit_auth_backend_oauth2
2025-06-02 12:27:27.884032+00:00 [warning] <0.42910.0> HTTP access denied: user 'someusuer' - Not management user

Extract from JWT token for user:

...
  "aud": [
    "realm-management",
    "account"
  ],
...
  "azp": "rabbitmq-dev",
  "allowed-origins": [
    "https://rabbitmq.server"
  ],
  "realm_access": {
    "roles": [
      "some_ad_group",
      "some_ad_group2"
    ]
  },
  "resource_access": {
    "realm-management": {
      "roles": [
        "view-users",
        "query-groups",
        "query-users"
      ]
    },
    "account": {
      "roles": [
        "view-groups",
        "view-profile"
      ]
    }
  },
  "scope": "openid ldap-groups profile email",
...
  "groups": [
    "some_ad_group",
    "some_ad_group2"
  ],
  "preferred_username": "someuser"
...
}

Reproduction steps

in issue

Expected behavior

Waiting for authorization with the required rights specified in auth_oauth2.scope_aliases

Additional context

No response

[kamenskiyyyy]

I have the same problem

[michaelklishin]

@omorfley666 you haven't provided any evidence of a bug. On top of that, 4.0.x is already out of community support.

As our community support policy clearly states, we won't troubleshoot OAuth 2 for non-paying users.

There is no shortage of users who run RabbitMQ with Keycloak as their IDP, and we have introduced a number of features specifically to support more Keycloak-specific behaviors, most recently in 4.1.0 (#12324).

There are examples for some five IDPs and a troubleshooting guide. Please take it from here.

[michaelklishin]

@omorfley666 @kamenskiyyyy in addition, our team does not at all appreciate issue upvote fests.

We are not dummies, two people from the same country file an issue and leave a comment with a six minute difference is an upvote fest, not genuine feedback.