rabbitmq-server/deps/rabbitmq_auth_backend_oauth2/README.md

## RabbitMQ authorisation Backend for [Cloud Foundry UAA](https://github.com/cloudfoundry/uaa)

Allows to use access tokens provided by CF UAA to authorize in RabbitMQ.
Make requests to `/check_token` endpoint on UAA server. See https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#id32

### Usage

First, enable the plugin. Then, configure access to UAA:

``` erlang
{rabbitmq_auth_backend_uaa,
  [{uri,      <<"https://your-uaa-server">>},
   {username, <<"uaa-client-id">>},
   {password, <<"uaa-client-secret">>},
   {resource_server_id, <<"your-resource-server-id"}]}
   
```

where

 * `your-uaa-server` is a UAA server host
 * `uaa-client-id` is a UAA client ID
 * `uaa-client-secret` is the shared secret
 * `your-resource-server-id` is a resource server ID (e.g. 'rabbitmq')

To learn more about UAA/OAuth 2 clients, see [UAA docs](https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#id73).

Then you can use `access_tokens` acquired from UAA as username to authenticate in RabbitMQ.

### Scopes

Note: *scopes is a subject to change, the current implementation provides limited flexibility.*

Current scope format is `<vhost>_<kind>_<permission>_<name>`, where

 * `<vhost>` is resource vhost
 * `<kind>`: `q` or `queue` for queue, `ex` or `exchange` for exchange, `t` or `topic` for topic, or other string without `_` for custom resource kinds.
 * `<permission>` is an access permission (`configure`, `read`, or `write`)
 * `<name>` is an exact resource name (no regular expressions are supported)

The scopes implementation is shared with the [RabbitMQ OAuth 2.0 backend](https://github.com/rabbitmq/rabbitmq_auth_backend_oauth).

### Authorization workflow

#### Prerequisites

1. There should be application client registered on UAA server.
2. Client id and secret should be set in plugin env as `username` and `password`
3. Client authorities should include `uaa.resource`
4. RabbitMQ auth_backends should include `rabbit_auth_backend_uaa`

#### Authorization

1. Client authorize with UAA, requesting `access_token` (using any grant type)
2. Token scope should contain rabbitmq resource scopes (e.g. /_q_configure_foo - configure queue 'foo')
3. Client use token as username to connect to RabbitMQ server
Update README.md 2016-01-21 19:30:15 +08:00			`## RabbitMQ authorisation Backend for [Cloud Foundry UAA](https://github.com/cloudfoundry/uaa)`
Update README.md 2016-01-15 23:00:16 +08:00
			`Allows to use access tokens provided by CF UAA to authorize in RabbitMQ.`
			Make requests to `/check_token` endpoint on UAA server. See https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#id32

			`### Usage`

Update README.md 2016-01-21 19:29:02 +08:00			`First, enable the plugin. Then, configure access to UAA:`

			``` erlang
Update README.md 2016-01-15 23:00:16 +08:00			`{rabbitmq_auth_backend_uaa,`
Tesing on working UAA 2016-01-19 02:05:45 +08:00			`[{uri, <<"https://your-uaa-server">>},`
Update README.md 2016-01-15 23:00:16 +08:00			`{username, <<"uaa-client-id">>},`
Resource id. Scopes README 2016-01-16 01:03:31 +08:00			`{password, <<"uaa-client-secret">>},`
			`{resource_server_id, <<"your-resource-server-id"}]}`
Update README.md 2016-01-15 23:00:16 +08:00
			```

Update README.md 2016-01-21 19:29:02 +08:00			`where`
Update README.md 2016-01-15 23:00:16 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			* `your-uaa-server` is a UAA server host
			* `uaa-client-id` is a UAA client ID
			* `uaa-client-secret` is the shared secret
			* `your-resource-server-id` is a resource server ID (e.g. 'rabbitmq')
Update README.md 2016-01-15 23:00:16 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			`To learn more about UAA/OAuth 2 clients, see [UAA docs](https://github.com/cloudfoundry/uaa/blob/master/docs/UAA-APIs.rst#id73).`
Resource id. Scopes README 2016-01-16 01:03:31 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			Then you can use `access_tokens` acquired from UAA as username to authenticate in RabbitMQ.
Resource id. Scopes README 2016-01-16 01:03:31 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			`### Scopes`
Resource id. Scopes README 2016-01-16 01:03:31 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			`Note: scopes is a subject to change, the current implementation provides limited flexibility.`
Resource id. Scopes README 2016-01-16 01:03:31 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			Current scope format is `<vhost>_<kind>_<permission>_<name>`, where
Resource id. Scopes README 2016-01-16 01:03:31 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			* `<vhost>` is resource vhost
Support for custom resource kinds 2016-02-16 20:36:38 +08:00			* `<kind>`: `q` or `queue` for queue, `ex` or `exchange` for exchange, `t` or `topic` for topic, or other string without `_` for custom resource kinds.
Update README.md 2016-01-21 19:29:02 +08:00			* `<permission>` is an access permission (`configure`, `read`, or `write`)
			* `<name>` is an exact resource name (no regular expressions are supported)
Resource id. Scopes README 2016-01-16 01:03:31 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			`The scopes implementation is shared with the [RabbitMQ OAuth 2.0 backend](https://github.com/rabbitmq/rabbitmq_auth_backend_oauth).`
Workflow info 2016-01-20 22:16:24 +08:00
Update README.md 2016-01-21 19:29:02 +08:00			`### Authorization workflow`
Workflow info 2016-01-20 22:16:24 +08:00
			`#### Prerequisites`

			`1. There should be application client registered on UAA server.`
			2. Client id and secret should be set in plugin env as `username` and `password`
			3. Client authorities should include `uaa.resource`
			4. RabbitMQ auth_backends should include `rabbit_auth_backend_uaa`

			`#### Authorization`

			1. Client authorize with UAA, requesting `access_token` (using any grant type)
			`2. Token scope should contain rabbitmq resource scopes (e.g. /_q_configure_foo - configure queue 'foo')`
			`3. Client use token as username to connect to RabbitMQ server`