
Is your feature request related to a problem? Please describe.

We manage a RabbitMQ instance shared across multiple teams. To minimize cross-team interference, each team is assigned its own vhost, and all messages from the default vhost are forwarded into these team-specific vhosts so they can manage them independently.

However, this creates an issue when using the default OAuth2 plugin for access control. To prevent teams from accidentally modifying resources in other teams’ vhosts, we would need to configure separate scopes for each vhost and assign them to the corresponding team. With the current solution, that is a lot of static roles that need to be created, assigned and managed.

As a workaround, we've extended the plugin to allow roles based on the user’s AD group memberships. This works well, but it would be ideal to have official support so we don’t need to maintain our own patched version and keep it up to date with the official changes.

Describe the solution you'd like

Add a new entrypoint to the rabbitmq_auth_backend_oauth2 where you could specify a specific AD field to create roles from.

Describe alternatives you've considered

No response

Additional context

No response


Replies: 1 comment


@Stromner if your code is public, then perhaps share a link. If not, then the first step is to publish it under the same license as RabbitMQ (MPLv2) plus sign our CLA.


This discussion was converted from issue #14956 on November 14, 2025 08:24.
