© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
Hi Jadon,
Here is a feedback on the current patches we have and need to make keystone-
- Patch 1:
Add missing incude line in Apache config in /etc/apache/
IncludeOptional openidc/*.conf
- Patch 2:
Add missing trusted dashbaoard configuration in Keystone. This can be done through the existing, but not documented, relation
`juju relate openstack-
- Patch 3:
Change the order of /keycloak/ and /openidc/ in URI path of the 2 last Location directives, the ones using AuthType openid-connect.
`<Location /v3/auth/
Not sure if this patch is really needed or if it comes from a misconfiguration on our side. In anycase, we receive the original HTTP 401 Natalia mentioned if we don't apply it.
- Patch 4:
Comment the 2 extra OIDCRedirectURI directives
openidc configuration file has 3 OIDCRedirectURI directives. The first one around the top of the file and 2 extra ones after the `# Support for websso from Horizon` line. Commenting those 2 extra ones was needed (why do we have this directive defined 3 times ?)
```
# Support for websso from Horizon
# OIDCRedirectURI "https:/
# OIDCRedirectURI "https:/
```
- Patch 5:
Add HTTPS scheme forwarding to not break the HTTPS OIDC workflow with HTTP requests between HAProxy and individual Keystone units.
`OIDCXForwarded
Without this setting, we receive a HTTP 500 with logs sent in previous comment.
- Patch 6:
Do not use user-agent to generate state and session cookie. This will lead to a cookie mismatch between the request being made to Keysotne external endpoint and the request between HAproxy and the Keystone units.
Add the 2 following settings:
```
OIDCStateInputH
OIDCSessionType client-
```
Is patch 6 going to be persistent or is it something to be changed in HAProxy (wouldn't forwarding the User-Agent be better?)
Thanks again for your quick help.