Use the outcome from first authentication
stored in the #user.authz_backends to authenticate
subsequent attempts which occur when a session is
opened.
In particular, during the first authentication attempt
which occurs during the sasl handshake, the amqp 1.0
plugins reads and validates JWT token present in the
password field.
When a new AMQP 1.0 session is opened, the plugin creates
an internal AMQP connection which triggers a second/nth
authentication. For this second/nth authentication, the
plugin propagates as Authentication Credentials the outcome
from the first authentication which is stored in the
`#user.authz_backends`.
The Oauth2 backend first attempts to authenticate using
the password credentials else it uses the credential with the
key `rabbit_auth_backend_oauth2` which has a function which
returns the decoded token
Per discussion with @MarcialRosales, we try to fetch
aliases from two sources, based on feedback from two different
users who seemingly rely on the same family of identity
provider products:
* Use the JWT scope field value first
* Use extra_scopes_source app env setting second
Just like with the existing extra scopes/complex claim
support originally contributed for Keycloak/identityProvider,
we merge all these scopes obtained from "alternative sources"
with the value of the JWT scopes field. This implicitly
assumes that the result makes sense semantically and
there will not be conflicting scopes. That's on the user to
make sure of.
References #4588
Lager strips trailing newline characters but OTP logger with the default
formatter adds a newline at the end. To avoid unintentional multi-line log
messages we have to revisit most messages logged.
Some log entries are intentionally multiline, others
are printed to stdout directly: newlines are required there
for sensible formatting.
Normally when auth fails, we simply log that it failed for a given
username. Since the username is ignored with the auth mechanism,
this does not provide sufficient context for debugging config
errors.
Michael Klishin
Marcial Rosales
Alexey Lebedeff
Michael Klishin
Simon Unge
Luke Bakken
Philip Kuryloski
Péter Gömöri
Arnaud Cogoluègnes
Anh Thi Lan Nguyen
Teo Klestrup Röijezon
Robert Gustafsson
Simon Alling
dcorbacho
Jean-Sébastien Pédron
Philip Kuryloski