Comment 3 for bug 2065590

Revision history for this message
Jadon Naas (jadonn) wrote :

Thanks for the link to the other information! After further looking I have identified two problems in the keystone-openidc charm that break the charm in my testing. The first problem is that the charm does not add a block like the following in /etc/keystone/keystone.conf:

[federation]
trusted_dashboard = https://horizon.<mydomain>/auth/websso/

Replace <mydomain> with the actual domain. The workaround for this is to add a block like the above example to the Keystone charm template inside each Keystone unit at /var/lib/juju/agents/unit-keystone-<unit-num>/charm/templates/rocky/keystone.conf. Then, trigger a rebuild of the template, such as by triggering debugging on and off (that is, juju config keystone debug=true then juju config keystone debug=false). That should rebuild the template with the change and restart Keystone. This should resolve the 401 error associated with this error from the Keystone logs:

(keystone.api.auth): 2024-05-13 12:54:50,609 ERROR https://horizon.<mydomain>/auth/websso/ is not a trusted dashboard host

I noticed this error is in the logs sample Natalia provided when reporting this bug.

There is a second, more serious problem I found after fixing this error in my test setup. It appears the OIDC configuration for Apache is not actually included anywhere in Apache's configuration. This means the configuration the keystone-openidc charm places at /etc/apache2/openidc/openidc-location.openid.conf is not applied to Apache. The workaround for this is to add the following line to the bottom of /etc/apache2/apache2.conf in each Keystone unit:

IncludeOptional openidc/*.conf

After adding this line, reload the Apache service's configuration, such as by running sudo systemctl reload apache2. That should activate the OIDC configuration, and Horizon should properly redirect to the OIDC provider, such as Keycloak, instead of the Keystone URL that returns the 401 error.

The keystone-openidc charm needs to do these things on its own. That will take more work, but I wanted to share back these workarounds in case they can help unblock you.
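A small check for the two workarounds described in this comment, added here as an example; it is not part of the keystone-openidc charm or of the comment above. It parses the rendered keystone.conf and apache2.conf the way a unit would have them and reports which of the two gaps is still present; the file contents below are constructed samples and the Horizon hostname is a placeholder.

```python
import configparser
import re
import sys

# Constructed sample of /etc/keystone/keystone.conf after the [federation] workaround.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
debug = false

[federation]
trusted_dashboard = https://horizon.example.test/auth/websso/
"""

# Constructed samples of /etc/apache2/apache2.conf before and after the include line.
SAMPLE_APACHE_CONF_BEFORE = 'ServerRoot "/etc/apache2"\nIncludeOptional conf-enabled/*.conf\n'
SAMPLE_APACHE_CONF_AFTER = SAMPLE_APACHE_CONF_BEFORE + "IncludeOptional openidc/*.conf\n"

# Accept Include or IncludeOptional, with or without the absolute /etc/apache2/ prefix.
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(?:/etc/apache2/)?openidc/\*\.conf\s*$", re.M)


def dashboard_trusted(keystone_conf_text, dashboard_url):
    """True if dashboard_url appears in [federation] trusted_dashboard (exact match, as Keystone checks)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(keystone_conf_text)
    if not cp.has_option("federation", "trusted_dashboard"):
        return False
    return dashboard_url in cp.get("federation", "trusted_dashboard").split()


def openidc_included(apache_conf_text):
    """True if apache2.conf pulls in openidc/*.conf, so the charm's OIDC location block is active."""
    return INCLUDE_RE.search(apache_conf_text) is not None


def check_unit(keystone_conf_text, apache_conf_text, dashboard_url):
    """Return the list of problems from this comment that are still present (empty means both fixed)."""
    problems = []
    if not dashboard_trusted(keystone_conf_text, dashboard_url):
        problems.append("keystone.conf: [federation] trusted_dashboard does not list " + dashboard_url)
    if not openidc_included(apache_conf_text):
        problems.append("apache2.conf: missing 'IncludeOptional openidc/*.conf'")
    return problems


if __name__ == "__main__":
    # Usage on a unit: check.py /etc/keystone/keystone.conf /etc/apache2/apache2.conf <websso-url>
    keystone_path, apache_path, url = sys.argv[1:4]
    with open(keystone_path) as k, open(apache_path) as a:
        found = check_unit(k.read(), a.read(), url)
    print("\n".join(found) if found else "both workarounds present")
    sys.exit(1 if found else 0)
```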