Access to vhost '/' refused.

[apostolides]

Hello and good evening.

I am following the suggested documentation for using Keycloak with rabbitmq. However I always get the following access denied error:

(530) "NOT_ALLOWED - access to vhost '/' refused for user '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759'"

I believe the keycloak scopes (even though they are present in the JWT) are not visible on rabbit as seen here.

rabbitmq-1  | 2025-02-21 13:59:04.992226+00:00 [debug] <0.699.0> Computing username from client's JWT token: [<<"05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759">>] -> 05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759
rabbitmq-1  | 2025-02-21 13:59:04.992305+00:00 [debug] <0.699.0> User '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759' authenticated successfully by backend rabbit_auth_backend_oauth2
rabbitmq-1  | 2025-02-21 13:59:04.994004+00:00 [debug] <0.699.0> Matching virtual host '/' against the following scopes:
rabbitmq-1  | 2025-02-21 13:59:04.994058+00:00 [error] <0.699.0> Error on AMQP connection <0.699.0> (192.168.48.1:39816 -> 192.168.48.2:5672, user: '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759', state: opening):        
rabbitmq-1  | 2025-02-21 13:59:04.994058+00:00 [error] <0.699.0> access to vhost '/' refused for user '05c4b0ae-9c07-4ab6-b3a1-c1e9e5e36759'

Decoded token field (after authenticating with keycloak) looks like:

  "scope": "email rabbitmq.read:*/* rabbitmq.configure:*/* rabbitmq.write:*/* profile",

I am using files from this example.

What am I missing?

Thanks in advance!

Reproduction steps

1. Import Keycloak realm settings
2. Modify resource_server_id to include appropriate aud claim (works since I can authenticate)
3. Run RabbitMQ with docker (tried latest image and also 4.0.2-management as seen on examples)
4. Run provided Pika client.
   ...

Expected behavior

Client should be able to access vhost.

Additional context

No response