mellon 0.18+ does not work on chromium-based browsers

Bug #2068654 reported by Rodrigo Barbieri
Affects: OpenStack Keystone SAML Mellon Charm | Status: Fix Committed | Importance: Medium | Assigned to: Rodrigo Barbieri | Milestone: (none)

Bug Description

Since commit [1] mellon changed the default behavior of cross-site cookies by allowing all if unset.

Some IDP providers use cross-site cookies to authenticate. Chromium-based browsers reject insecure cross-site cookies.

It is necessary to add the following parameters to mellon apache config file so it can use secure HTTPS cookies to be compatible with chromium-based browsers:

MellonSecureCookie On
MellonCookieSameSite None

[1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1
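A small configuration check for the combination described above, added here as an example and not part of the charm or of mod_auth_mellon: it parses an Apache config fragment for the two Mellon cookie directives and reports whether the resulting cookie is one a Chromium-based browser will keep. It assumes, as the bug describes for mellon 0.18+, that an unset MellonCookieSameSite behaves as None, and that an unset MellonSecureCookie behaves as Off; the Location path and "myidp" are placeholders.

```python
import re

# The two mod_auth_mellon cookie directives this bug is about; Apache directive names are case-insensitive.
DIRECTIVE_RE = re.compile(r"^\s*(MellonSecureCookie|MellonCookieSameSite)\s+(\S+)", re.IGNORECASE)


def parse_mellon_cookie_directives(config_text):
    """Return {directive_lowercase: value_lowercase} for the two cookie directives.

    Comment lines are skipped; a later occurrence overrides an earlier one, as Apache does.
    """
    found = {}
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2).lower()
    return found


def check_chromium_compat(config_text):
    """Return (ok, reason) for the cookie settings found in a mellon config fragment.

    Assumptions: unset MellonCookieSameSite acts as None (mellon 0.18+ 'allowing all if unset'),
    unset MellonSecureCookie acts as Off.
    """
    d = parse_mellon_cookie_directives(config_text)
    secure = d.get("mellonsecurecookie", "off") == "on"
    samesite = d.get("melloncookiesamesite", "none")
    if samesite == "none" and not secure:
        return False, "SameSite=None cookie without Secure: Chromium-based browsers reject it"
    if samesite == "none":
        return True, "SameSite=None with Secure: accepted; the IdP connection must be HTTPS"
    return True, f"SameSite={samesite}: accepted, but not sent on cross-site IdP redirects"


# Constructed fragments (placeholders, not the charm's templates): before and after the fix.
BEFORE = """
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
    MellonEnable auth
    # mellon 0.18+: MellonCookieSameSite left unset, MellonSecureCookie left unset
</Location>
"""
AFTER = """
<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/saml2/auth>
    MellonEnable auth
    MellonSecureCookie On
    MellonCookieSameSite None
</Location>
"""

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, check_chromium_compat(cfg))
```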

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (master)
Changed in charm-keystone-saml-mellon:
status: New → In Progress
Myles Penner (mylesjp)
Changed in charm-keystone-saml-mellon:
importance: Undecided → Medium
Revision history for this message
Alex Kavanagh (ajkavanagh) wrote :

I assigned you, Rodrigo, to the bug as you created the review. Hope that's okay.

Changed in charm-keystone-saml-mellon:
assignee: nobody → Rodrigo Barbieri (rodrigo-barbieri2010)
Revision history for this message
Rodrigo Barbieri (rodrigo-barbieri2010) wrote :

Thanks Alex! Apparently the Closes-bug gerrit tag didn't do its job this time.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (master)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/921472
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/8c973aaed370e37e38a57b9566bb83ffc7b80656
Submitter: "Zuul (22348)"
Branch: master

commit 8c973aaed370e37e38a57b9566bb83ffc7b80656
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08

Changed in charm-keystone-saml-mellon:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/2024.1)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/922495
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/ffcb4348ef47c70934b58f2f34f058c5e7ae29f0
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/2023.2)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to charm-keystone-saml-mellon (stable/2023.2)

Reviewed: https://review.opendev.org/c/openstack/charm-keystone-saml-mellon/+/922633
Committed: https://opendev.org/openstack/charm-keystone-saml-mellon/commit/28207fa4f244dd4d02e33e8d858e6295308175da
Submitter: "Zuul (22348)"
Branch: stable/2023.2

commit 28207fa4f244dd4d02e33e8d858e6295308175da
Author: Rodrigo Barbieri <email address hidden>
Date: Thu Jun 6 13:09:14 2024 -0300

    Improve compatibility with Chromium-based browsers

    Since commit [1] mellon changed the default behavior
    of cross-site cookies by allowing all if unset.
    Some IDP providers use cross-site cookies to
    authenticate. Chromium-based browsers reject insecure
    cross-site cookies.

    Adding config option to optionally enable
    Secure HTTPS cookies so it can work with
    Chromium-based browsers as long as the
    IDP connection is HTTPS.

    [1] https://github.com/latchset/mod_auth_mellon/commit/5a629a1

    Closes-bug: #2068654
    Change-Id: Ied65c3dc87e3ebb599b446cc72ce3c6adac74e08
    (cherry picked from commit 8c973aaed370e37e38a57b9566bb83ffc7b80656)
    (cherry picked from commit ffcb4348ef47c70934b58f2f34f058c5e7ae29f0)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to charm-keystone-saml-mellon (stable/2023.1)