Authentication process bypasses oidc-provider-metadata-url
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Keystone OIDC Integration Charm |
In Progress
|
High
|
Jadon Naas | ||
2023.1 |
New
|
Undecided
|
Unassigned | ||
2023.2 |
New
|
Undecided
|
Unassigned | ||
2024.1 |
New
|
Undecided
|
Unassigned | ||
Zed |
New
|
Undecided
|
Unassigned |
Bug Description
Hi team,
I have deployed the charm and configured it with the following:
keystone-openidc:
oidc-client-id: <userid>
oidc-
# oidc-redirect-uri: https://<keystone url>:443/
oidc-
user-facing-name: Keycloak
protocol_id: keycloak
And on the configuration side all seems well, but when I try to pick this Keycloak option from Horizon and authenticate with it I'm instantly getting redirected not to the Keycloak URL, but to keystone. And I get {"error"
I've tried to trace the redirection to Keycloak, but it just doesn't get there.
The logs don't indicate anything of that nature (I've monitored on all 3 units at the same time):
$ sudo tail -f /var/log/
2024-05-13 12:41:31 INFO unit.keystone-
2024-05-13 12:41:31 INFO juju.worker.
2024-05-13 12:46:40 INFO unit.keystone-
2024-05-13 12:46:40 INFO unit.keystone-
2024-05-13 12:46:40 INFO unit.keystone-
2024-05-13 12:46:40 INFO juju.worker.
2024-05-13 12:50:58 INFO unit.keystone-
2024-05-13 12:50:58 INFO unit.keystone-
2024-05-13 12:50:58 INFO unit.keystone-
2024-05-13 12:50:58 INFO juju.worker.
$ sudo tail -f /var/log/
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
(keystone.
Versions:
Openstack Yoga
Keystone yoga/stable rev 686
Keystone-openidc latest/edge rev 13
The steps to reproduce:
$ juju deploy --config keystone-oidc.yaml keystone-openidc --channel latest/edge --to lxd:0
$ juju relate keystone keystone-openidc
$ juju relate openstack-
$ source deploy/
$ openstack identity provider create --remote-id https://<keycloak url>/realms/<realm> keycloak
+------
| Field | Value |
+------
| authorization_ttl | None |
| description | None |
| domain_id | edf2c8a97b0e4a3
| enabled | True |
| id | keycloak |
| remote_ids | https://<keycloak url>/realms/<realm> |
+------
$ openstack domain list
+------
| ID | Name | Enabled | Description |
+------
| 28c0be2ea2df44a
| 59f2a499cffe459
| ccce5424b0a54b5
| default | Default | True | The default domain |
| edf2c8a97b0e4a3
+------
$ openstack domain set --name federated_domain edf2c8a97b0e4a3
$ openstack group create --domain federated_domain federated_users
$ openstack project create --domain federated_domain federated_project
$ openstack mapping create --rules deploy/
$ openstack federation protocol create openid --mapping keycloak_mapping --identity-provider keycloak
$ openstack group list --domain federated_domain
+------
| ID | Name |
+------
| 8de48154fe51465
+------
$ openstack role add --group 8de48154fe51465
summary: |
- Authorization process bypasses oidc-provider-metadata-ur + Authorization process bypasses oidc-provider-metadata-url |
summary: |
- Authorization process bypasses oidc-provider-metadata-url + Authentication process bypasses oidc-provider-metadata-url |
Changed in charm-keystone-openidc: | |
assignee: | nobody → Jadon Naas (jadonn) |
Changed in charm-keystone-openidc: | |
status: | New → In Progress |
importance: | Undecided → High |
I replicated the behavior you described in your bug report on a minimal install of Keystone + OpenStack Dashboard on Yoga/stable with the keystone-openidc charm on latest/edge like you described. I also get redirected to the same kind of URL - http:// 10.20.0. 83:5000/ v3/auth/ OS-FEDERATION/ identity_ providers/ keycloak/ protocols/ openid/ websso? origin= http:// 10.20.0. 84/horizon/ auth/websso/.
That is the URL that is rendered into the Apache configuration at /etc/apache2/ openidc/ openidc- location. openid. conf on the Keystone unit in my installation.
I'm not familiar enough with the Keystone OpenIDC integration to say what exactly is happening at this time, but I will continue to look into what is causing the behavior we are seeing. I will report back when I have more information.