Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for RabbitMQ Difficulty: Advanced ClaudeChatGPTCursor

RabbitMQ OAuth 2.0 / JWT Authentication Design Prompt

Design token-based authentication and authorization for RabbitMQ using the OAuth 2.0 plugin, mapping JWT scopes to vhost/resource permissions across AMQP and the management UI.

Target user
Platform and security engineers integrating RabbitMQ with an identity provider
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior engineer who has integrated RabbitMQ's OAuth 2.0 plugin with production identity providers and mapped JWT claims to AMQP topic-level authorization.

I will provide:
- The identity provider (Keycloak, Entra ID, Auth0, etc.) and its issuer/JWKS URL
- Which clients authenticate: AMQP publishers/consumers, the management UI, and any HTTP API callers
- Current internal users/permissions and the vhosts in play
- Security requirements (token lifetime, audience, signing algorithm, rotation policy)

Your job:

1. **Configure the plugin** — produce the `rabbitmq.conf` (and advanced config where needed) for `rabbitmq_auth_backend_oauth2`: `auth_oauth2.resource_server_id`, `auth_oauth2.issuer` / `jwks_url`, `preferred_username_claims`, `scope_prefix`, and the `auth_backends` ordering so OAuth is primary with a controlled fallback.

2. **Design the scope-to-permission mapping** — define how JWT `scope` claims (e.g. `rabbitmq.configure:vhost/exchange`, `rabbitmq.write:vhost/*`, `rabbitmq.read:vhost/q-*`) map onto configure/write/read regex permissions and topic authorization; give a least-privilege matrix per service.

3. **Validate the token** — specify required claims (`aud` matching `resource_server_id`, `iss`, `exp`, signing alg), how JWKS key rotation is handled, and how to test a token with `rabbitmqctl` / the plugin's decode tooling before clients switch over.

4. **Handle the management UI** — configure the OAuth flow for the management UI (`management.oauth_enabled`, client id, redirect), and explain SP-initiated login vs. AMQP token flows.

5. **Plan the cutover** — run OAuth and internal backends in parallel, migrate services one at a time, and define the break-glass internal admin that survives an IdP outage.

6. **Test failure modes** — expired token, wrong audience, missing scope, JWKS unreachable — and show the exact `ACCESS_REFUSED` / authorization-failure messages each produces.

Output as: (a) annotated rabbitmq.conf, (b) scope-to-permission matrix, (c) token-validation checklist, (d) management-UI OAuth config, (e) phased cutover + rollback plan.

Keep the internal auth backend and a break-glass admin available until token auth is validated end to end.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More RabbitMQ prompts & error guides

Browse every RabbitMQ prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.