WebSSO unable to support multiple identity providers

Bug #1838592 reported by Guang Yee
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: High
Assigned to: Colleen Murphy

Bug Description

When performing WebSSO authentication (i.e. OpenID Connect), if multiple identity providers exist, regardless of protocol and mapping association, Keystone will yield the following error.

Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application [None req-00ae9c5a-5d05-43d9-b15b-585720f7aefa None None] Could not find federated protocol openid for Identity Provider: 4afcec6e3c45565103e8f71665dff443f3e>
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application Traceback (most recent call last):
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/usr/lib/python2.7/site-packages/flask_restful/__init__.py", line 266, in error_router
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application return self.handle_error(e)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/usr/lib/python2.7/site-packages/flask/app.py", line 1949, in full_dispatch_request
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application rv = self.dispatch_request()
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/usr/lib/python2.7/site-packages/flask/app.py", line 1935, in dispatch_request
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application return self.view_functions[rule.endpoint](**req.view_args)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/usr/lib/python2.7/site-packages/flask_restful/__init__.py", line 458, in wrapper
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application resp = resource(*args, **kwargs)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/usr/lib/python2.7/site-packages/flask/views.py", line 89, in view
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application return self.dispatch_request(*args, **kwargs)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/usr/lib/python2.7/site-packages/flask_restful/__init__.py", line 573, in dispatch_request
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application resp = meth(*args, **kwargs)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/opt/stack/keystone/keystone/server/flask/common.py", line 1064, in wrapper
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application return f(*args, **kwargs)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/opt/stack/keystone/keystone/api/auth.py", line 359, in get
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application return self._perform_auth(protocol_id)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/opt/stack/keystone/keystone/api/auth.py", line 340, in _perform_auth
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application idp, protocol_id)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/opt/stack/keystone/keystone/federation/utils.py", line 286, in get_remote_id_parameter
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application protocol_ref = PROVIDERS.federation_api.get_protocol(idp['id'], protocol)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/opt/stack/keystone/keystone/federation/backends/sql.py", line 279, in get_protocol
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application protocol_ref = self._get_protocol(session, idp_id, protocol_id)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application File "/opt/stack/keystone/keystone/federation/backends/sql.py", line 255, in _get_protocol
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application raise exception.FederatedProtocolNotFound(**kwargs)
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application FederatedProtocolNotFound: Could not find federated protocol openid for Identity Provider: 4afcec6e3c45565103e8f71665dff443f3eff2107ade89918207aa60d95063a3.
Aug 01 03:41:21 localhost <email address hidden>[26546]: ERROR keystone.server.flask.application

Keystone should either catch the exception and move on to the next lookup, or parse the identity provider from the request path.

Steps to reproduce the problem.

1. follow the doc to set up WebSSO against the Google OpenID Connect provider
2. create one more identity provider with a different protocol and mapping
3. attempting to log in from Horizon should yield something like "{"error":{"code":404,"message":"Could not find federated protocol openid for Identity Provider: 4afcec6e3c45565103e8f71665dff443f3eff2107ade89918207aa60d95063a3.","title":"Not Found"}}"

Revision history for this message
Guang Yee (guang-yee) wrote :

Looks like it was caused by this patch

https://review.opendev.org/#/c/637305/

Colleen Murphy (krinkle)
Changed in keystone:
assignee: nobody → Colleen Murphy (krinkle)
status: New → Confirmed
importance: Undecided → High
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/674122

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.opendev.org/674122
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=d8f3ba0429c535cdc9dbde83d948b816ae7d760b
Submitter: Zuul
Branch: master

commit d8f3ba0429c535cdc9dbde83d948b816ae7d760b
Author: Colleen Murphy <email address hidden>
Date: Thu Aug 1 12:34:30 2019 -0700

    Fix websso auth loop

    In bf67b3c8[1] we introduced an error whereby trying to use WebSSO to
    authenticate with one protocol would fail with an uncaught HTTP 404 if
    an IdP was found that did not use that protocol. This patch fixes the
    issue by ensuring that during the search for an IdP that matches the
    given protocol, we ignore invalid IdPs.

    This is tested by the existing WebSSOTests unit test class simply by
    inserting a dummy IdP and protocol combination into the test data during
    setup, since the problem arises when the protocol you are *not* trying
    to authenticate with is indexed first in the database.

    Since the breaking change was not released yet, this bugfix does not
    need a release note.

    [1] https://review.opendev.org/637305

    Change-Id: Id423f8a304abffbe0c7814ab2ab4458e6a403bb1
    Closes-bug: #1838592

Changed in keystone:
status: In Progress → Fix Released
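The following is an added example, not code from the bug report or from keystone itself. It models the IdP search that the bug description and the commit message above describe: a WebSSO request for one protocol walks every registered IdP, and in the pre-fix loop the first IdP that does not support that protocol raises FederatedProtocolNotFound straight out of the loop, so the request fails with 404 whenever such an IdP happens to be indexed before the matching one. The fixed loop treats that exception as "not a candidate" and continues. The backend class, the IdP records, the request environment keys (HTTP_OIDC_ISS, HTTP_SHIB_IDENTITY_PROVIDER) and the exception classes are constructed stand-ins, not keystone's real federation API.

```python
"""Model of keystone's WebSSO lookup of the IdP for a protocol, showing the
pre-fix loop beside the fixed loop.

Constructed example: the backend, IdP records, request environment and
exception classes below are stand-ins for keystone's federation API and
are not keystone's own code.
"""
from typing import Dict, List


class FederatedProtocolNotFound(Exception):
    """Stand-in for keystone.exception.FederatedProtocolNotFound (an HTTP 404)."""


class IdentityProviderNotFound(Exception):
    """Stand-in for the 'no IdP matches this request' error (also a 404)."""


class FakeFederationBackend:
    """Minimal stand-in for the federation backend.

    Each IdP record carries the protocols it supports, mapped to the request
    header that identifies the remote IdP, plus the remote_ids keystone
    accepts for it. List order models the order rows come out of the DB.
    """

    def __init__(self, idps: List[Dict]):
        self._idps = idps

    def list_idps(self) -> List[Dict]:
        return list(self._idps)

    def get_protocol(self, idp_id: str, protocol_id: str) -> Dict[str, str]:
        idp = next(i for i in self._idps if i["id"] == idp_id)
        if protocol_id not in idp["protocols"]:
            raise FederatedProtocolNotFound(
                f"Could not find federated protocol {protocol_id} "
                f"for Identity Provider: {idp_id}.")
        return {"id": protocol_id,
                "remote_id_attribute": idp["protocols"][protocol_id]}


def _find_idp(backend: FakeFederationBackend, env: Dict[str, str],
              protocol_id: str, skip_invalid: bool) -> str:
    """Walk all IdPs; return the one that supports protocol_id and whose
    remote_ids contain the value the auth module put in the request env."""
    for idp in backend.list_idps():
        try:
            proto = backend.get_protocol(idp["id"], protocol_id)
        except FederatedProtocolNotFound:
            if not skip_invalid:
                raise          # pre-fix: the 404 escapes as the response
            continue           # fixed: this IdP is simply not a candidate
        remote_id = env.get(proto["remote_id_attribute"])
        if remote_id is not None and remote_id in idp["remote_ids"]:
            return idp["id"]
    raise IdentityProviderNotFound(
        f"No identity provider matched protocol {protocol_id}.")


def find_idp_buggy(backend, env, protocol_id):
    """Pre-fix behaviour: the first IdP lacking the protocol aborts the search."""
    return _find_idp(backend, env, protocol_id, skip_invalid=False)


def find_idp_fixed(backend, env, protocol_id):
    """Post-fix behaviour: IdPs without the protocol are ignored."""
    return _find_idp(backend, env, protocol_id, skip_invalid=True)


# Constructed test data (hypothetical IdP IDs): a SAML IdP and a Google OIDC IdP.
SAML_IDP = {"id": "corp-saml", "remote_ids": ["https://sso.corp.example/idp"],
            "protocols": {"saml2": "HTTP_SHIB_IDENTITY_PROVIDER"}}
GOOGLE_IDP = {"id": "google", "remote_ids": ["https://accounts.google.com"],
              "protocols": {"openid": "HTTP_OIDC_ISS"}}
# What an OIDC auth module would expose to keystone for a Google login (assumed).
OIDC_ENV = {"HTTP_OIDC_ISS": "https://accounts.google.com"}


def reproduce(saml_first: bool) -> Dict[str, str]:
    """Run both lookups for an OpenID Connect login and report each outcome."""
    order = [SAML_IDP, GOOGLE_IDP] if saml_first else [GOOGLE_IDP, SAML_IDP]
    backend = FakeFederationBackend(order)
    results = {}
    for name, fn in (("buggy", find_idp_buggy), ("fixed", find_idp_fixed)):
        try:
            results[name] = fn(backend, OIDC_ENV, "openid")
        except FederatedProtocolNotFound as e:
            results[name] = f"404: {e}"
    return results


if __name__ == "__main__":
    print("SAML IdP first:  ", reproduce(saml_first=True))
    print("Google IdP first:", reproduce(saml_first=False))
```

Running it shows the order dependence the commit message points out: with the Google IdP first both loops return "google", but with the SAML IdP first only the fixed loop does, while the buggy loop surfaces the same "Could not find federated protocol openid" 404 quoted in the report. A check worth keeping after a fix like this is that a request whose remote_id matches no IdP at all still ends in a not-found error rather than silently selecting the first IdP that supports the protocol.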
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.
