RabbitMQ OAuth 2.0 / JWT Authentication Design Prompt
Design token-based authentication and authorization for RabbitMQ using the OAuth 2.0 plugin, mapping JWT scopes to vhost/resource permissions across AMQP and the management UI.
- Target user
- Platform and security engineers integrating RabbitMQ with an identity provider
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior engineer who has integrated RabbitMQ's OAuth 2.0 plugin with production identity providers and mapped JWT claims to AMQP topic-level authorization. I will provide: - The identity provider (Keycloak, Entra ID, Auth0, etc.) and its issuer/JWKS URL - Which clients authenticate: AMQP publishers/consumers, the management UI, and any HTTP API callers - Current internal users/permissions and the vhosts in play - Security requirements (token lifetime, audience, signing algorithm, rotation policy) Your job: 1. **Configure the plugin** — produce the `rabbitmq.conf` (and advanced config where needed) for `rabbitmq_auth_backend_oauth2`: `auth_oauth2.resource_server_id`, `auth_oauth2.issuer` / `jwks_url`, `preferred_username_claims`, `scope_prefix`, and the `auth_backends` ordering so OAuth is primary with a controlled fallback. 2. **Design the scope-to-permission mapping** — define how JWT `scope` claims (e.g. `rabbitmq.configure:vhost/exchange`, `rabbitmq.write:vhost/*`, `rabbitmq.read:vhost/q-*`) map onto configure/write/read regex permissions and topic authorization; give a least-privilege matrix per service. 3. **Validate the token** — specify required claims (`aud` matching `resource_server_id`, `iss`, `exp`, signing alg), how JWKS key rotation is handled, and how to test a token with `rabbitmqctl` / the plugin's decode tooling before clients switch over. 4. **Handle the management UI** — configure the OAuth flow for the management UI (`management.oauth_enabled`, client id, redirect), and explain SP-initiated login vs. AMQP token flows. 5. **Plan the cutover** — run OAuth and internal backends in parallel, migrate services one at a time, and define the break-glass internal admin that survives an IdP outage. 6. **Test failure modes** — expired token, wrong audience, missing scope, JWKS unreachable — and show the exact `ACCESS_REFUSED` / authorization-failure messages each produces. Output as: (a) annotated rabbitmq.conf, (b) scope-to-permission matrix, (c) token-validation checklist, (d) management-UI OAuth config, (e) phased cutover + rollback plan. Keep the internal auth backend and a break-glass admin available until token auth is validated end to end.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
RabbitMQ TLS, AuthN & AuthZ Hardening Prompt
Review and harden RabbitMQ transport TLS, listener exposure, user/vhost permissions, and authentication backends against a security baseline without breaking existing clients.
-
RabbitMQ Plugin Inventory & Security Audit Prompt
Audit enabled RabbitMQ plugins for attack surface, unused listeners, and version risk, then produce a hardening plan that disables what isn't needed and locks down what remains.
-
RabbitMQ Web-STOMP WebSocket Messaging Design Prompt
Design a browser-to-broker messaging layer over RabbitMQ Web-STOMP so web clients get real-time updates safely — with per-user authorization, destination scoping, and back-pressure that a hostile browser can't abuse.
-
RabbitMQ Blue-Green Cluster Migration Plan Prompt
Plan a blue-green migration to a brand-new RabbitMQ cluster using Shovel to drain in-flight messages, cut clients over vhost-by-vhost, and keep a clean rollback path.
More RabbitMQ prompts & error guides
Browse every RabbitMQ prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.