Hi Jadon,

Here is feedback on the current patches we have and need to make keystone-openidc/Keycloak integration work on our setup (HAProxy behind 3 keystone units)

- Patch 1:
Add missing include line in Apache config in /etc/apache/apache2.conf
IncludeOptional openidc/*.conf

- Patch 2:
Add missing trusted dashboard configuration in Keystone. This can be done through the existing, but not documented, relation
`juju relate openstack-dashboard:websso-trusted-dashboard keystone:websso-trusted-dashboard`

- Patch 3:
Change the order of /keycloak/ and /openid/ in the URI path of the 2 last Location directives, the ones using AuthType openid-connect.
`<Location /v3/auth/OS-FEDERATION/websso/keycloak>` changed to `<Location /v3/auth/OS-FEDERATION/websso/openid>` and `<Location /v3/auth/OS-FEDERATION/identity_providers/openid/protocols/keycloak/websso>` changed to `<Location /v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso>`.
Not sure if this patch is really needed or if it comes from a misconfiguration on our side. In any case, we receive the original HTTP 401 Natalia mentioned if we don't apply it.

- Patch 4:
Comment the 2 extra OIDCRedirectURI directives
The openidc configuration file has 3 OIDCRedirectURI directives. The first one around the top of the file and 2 extra ones after the `# Support for websso from Horizon` line. Commenting those 2 extra ones was needed (why do we have this directive defined 3 times?)
```
# Support for websso from Horizon
# OIDCRedirectURI "https://keystone.XXX.de:5000/v3/auth/OS-FEDERATION/identity_providers/openid/protocols/keycloak/websso"
# OIDCRedirectURI "https://keystone.XXX.de:5000/v3/auth/OS-FEDERATION/websso/keycloak"
```

- Patch 5:
Add HTTPS scheme forwarding to not break the HTTPS OIDC workflow with HTTP requests between HAProxy and individual Keystone units.
`OIDCXForwardedHeaders X-Forwarded-Proto`
Without this setting, we receive an HTTP 500 with the logs sent in the previous comment.

- Patch 6:
Do not use the user-agent to generate the state and session cookie. This will lead to a cookie mismatch between the request being made to the Keystone external endpoint and the request between HAProxy and the Keystone units.
Add the 2 following settings:
```
OIDCStateInputHeaders none
OIDCSessionType client-cookie:persistent
```
Is patch 6 going to be persistent or is it something to be changed in HAProxy (wouldn't forwarding the User-Agent be better?)

Thanks again for your quick help.
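The two reverse-proxy conditions behind patches 5 and 6 can be checked offline before touching the units. The script below is an added example, not part of the comment above and not code from the keystone-openidc charm or from mod_auth_openidc. It is a simplified model of two things the module does with a request arriving on a Keystone unit: it rebuilds the request URL (scheme, host, path) that has to match the configured OIDCRedirectURI, trusting X-Forwarded-* headers only when they are listed as in OIDCXForwardedHeaders, and it derives the state/session cookie from the headers named in OIDCStateInputHeaders, so those headers must be identical on the request that set the cookie and on the callback that reads it. The default header list, the hostname keystone.example.com, the callback path /oidc/redirect_uri, the User-Agent strings and the Request class are all assumptions made for the example.

```python
"""Offline check for the reverse-proxy conditions fixed by patches 5 and 6.

Added example; not code from the bug report, the keystone-openidc charm or
mod_auth_openidc.  Hostnames, paths and header values are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Request:
    """An HTTP request as Apache on a Keystone unit sees it."""
    scheme: str                 # "http" on the HAProxy -> unit hop
    host: str
    path: str
    headers: dict = field(default_factory=dict)

    def header(self, name, default=None):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return default


# Assumed default of OIDCStateInputHeaders (the thread sets it to "none").
DEFAULT_STATE_INPUT_HEADERS = ("User-Agent", "X-Forwarded-For")


def request_url(req, forwarded_headers=()):
    """URL the module reconstructs for the request.

    forwarded_headers plays the role of OIDCXForwardedHeaders: only the
    X-Forwarded-* headers listed there are trusted; otherwise the scheme
    and host are whatever Apache itself saw (plain http behind HAProxy)."""
    scheme, host = req.scheme, req.host
    if "X-Forwarded-Proto" in forwarded_headers:
        scheme = req.header("X-Forwarded-Proto", scheme)
    if "X-Forwarded-Host" in forwarded_headers:
        host = req.header("X-Forwarded-Host", host)
    return f"{scheme}://{host}{req.path}"


def state_inputs_match(initiating, callback,
                       state_input_headers=DEFAULT_STATE_INPUT_HEADERS):
    """True when every cookie-input header has the same value on both requests."""
    return all(initiating.header(h) == callback.header(h)
               for h in state_input_headers)


def diagnose(initiating, callback, configured_redirect_uri,
             forwarded_headers=(),
             state_input_headers=DEFAULT_STATE_INPUT_HEADERS):
    """Return the conditions that would break the OIDC round trip."""
    findings = []
    seen = request_url(callback, forwarded_headers)
    if seen != configured_redirect_uri:
        findings.append(f"redirect_uri mismatch: unit sees {seen}, "
                        f"configured {configured_redirect_uri}")
    if not state_inputs_match(initiating, callback, state_input_headers):
        findings.append("state cookie inputs differ between the request that "
                        "set the cookie and the callback")
    return findings


# Constructed sample: hypothetical public endpoint keystone.example.com:5000
# and hypothetical callback path; HAProxy terminates TLS and forwards http.
REDIRECT_URI = "https://keystone.example.com:5000/oidc/redirect_uri"
COMMON = {"X-Forwarded-Proto": "https", "X-Forwarded-For": "203.0.113.10"}
INITIATING = Request("http", "keystone.example.com:5000",
                     "/v3/auth/OS-FEDERATION/websso/openid",
                     {**COMMON, "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"})
# The callback arrives with a different User-Agent (constructed value).
CALLBACK = Request("http", "keystone.example.com:5000", "/oidc/redirect_uri",
                   {**COMMON, "User-Agent": "python-requests/2.31.0"})


def run_examples():
    """Three configurations: unpatched, patch 5 only, patches 5 and 6."""
    return {
        "unpatched": diagnose(INITIATING, CALLBACK, REDIRECT_URI),
        "patch5": diagnose(INITIATING, CALLBACK, REDIRECT_URI,
                           forwarded_headers=("X-Forwarded-Proto",)),
        "patch5+6": diagnose(INITIATING, CALLBACK, REDIRECT_URI,
                             forwarded_headers=("X-Forwarded-Proto",),
                             state_input_headers=()),
    }


if __name__ == "__main__":
    for name, findings in run_examples().items():
        print(f"{name}: {findings or 'OK'}")
```

Run as-is it prints one line per configuration: the unpatched unit reports both the http:// redirect_uri and the cookie-input mismatch, trusting X-Forwarded-Proto clears the first, and emptying the state-input header list clears the second. Forwarding the User-Agent unchanged through HAProxy would make the second check pass as well, but only while every request in the flow really carries the same User-Agent.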