SASL Authentication

RabbitMQ has pluggable support for various SASL authentication mechanisms. There are three such mechanisms built into the server: PLAIN, AMQPLAIN, and RABBIT-CR-DEMO, and one - EXTERNAL - available as a plugin. You can also implement your own authentication mechanism by implementing the rabbit_auth_mechanism behaviour in a plugin.

Built-in mechanisms

The three built-in mechanisms are:

PLAIN
SASL PLAIN authentication. This is enabled by default in the RabbitMQ server and clients, and is the default for most other clients.
AMQPLAIN
Non-standard version of PLAIN as defined by the AMQP 0-8 specification. This is enabled by default in the RabbitMQ server, and is the default for QPid's Python client.
RABBIT-CR-DEMO
Non-standard mechanism which demonstrates challenge-response authentication. This mechanism has security equivalent to PLAIN, and is not enabled by default in the RabbitMQ server.

Server configuration

The configuration variable auth_mechanisms in the rabbit application determines which of the installed mechanisms are offered to connecting clients. This variable should be a list of atoms corresponding to mechanism names, for example ['PLAIN', 'AMQPLAIN'] by default. The server-side list is not considered to be in any particular order. See the configuration file documentation.

Client configuration