Keystone OIDC fails to validate JWT on Azure auth-oidc endpoint.

Bug #1990375 reported by Jakub Darmach
Affects: kolla-ansible | Status: Fix Released | Importance: Undecided | Assigned to: Jakub Darmach

Bug Description

Using OIDC keystone integration with Azure AD. JWT fails to validate on the oauth-oidc endpoint, used by the openstack CLI client. Error thrown is:

2022-09-20 12:05:49.669686 oidc_proto_jwt_verify: JWT signature verification failed: [src/jose.c:990: oidc_jwt_verify]: could not find key with kid: 2ZQpJ3UpbjAYXYGaXEJl8lV0TOI
2022-09-20 12:05:49.669724 oidc_oauth_validate_jwt_access_token: JWT access token signature could not be validated, aborting

Looks like it doesn't use the jwks_uri present in the metadata. According to the docs, the oauth-oidc endpoint (used by the CLI) needs "OIDCOAuthVerifyJwksUri" defined.

Jakub Darmach (darmachj)
Changed in kolla-ansible:
assignee: nobody → Jakub Darmach (darmachj)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (master)
Changed in kolla-ansible:
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (master)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/858698
Committed: https://opendev.org/openstack/kolla-ansible/commit/98929761191e265474459a0b73fdbeb07afd2bb4
Submitter: "Zuul (22348)"
Branch: master

commit 98929761191e265474459a0b73fdbeb07afd2bb4
Author: Jakub Darmach <email address hidden>
Date: Wed Sep 21 14:36:53 2022 +0200

    Keystone OIDC JWKS fix

    JWT failed to validate on auth-oidc endpoint used by openstack cli
    with "could not find key with kid: XX" error. To fix this we need
    to use jwks provided in "jwks_uri" by OIDC metadata endpoint.

    Missing "ServerName" directive from vhost config causes redirection
    to fail in some cases when external tls is enabled.

      - added "keystone_federation_oidc_jwks_uri" variable
      - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
      - added "ServerName" to keystone vhost config
      - jinja templating additional whitespace trimmed to
        correct end result indentation and empty newlines

    Closes-bug: 1990375
    Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb

Changed in kolla-ansible:
status: In Progress → Fix Released
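The bug description and the commit message above describe the same gap: mod_auth_openidc resolves signing keys for the browser-based OpenID Connect flow from the provider metadata's jwks_uri, but its OAuth 2.0 access-token validation (the path the openstack CLI hits) takes its keys only from the OIDCOAuthVerify* settings, so without OIDCOAuthVerifyJwksUri every kid is "not found". The Python below is an added example, not kolla-ansible's or mod_auth_openidc's code: it reproduces the kid lookup that produces the "could not find key with kid" log line, and lints a rendered keystone vhost for the two directives the fix adds (OIDCOAuthVerifyJwksUri, ServerName), cross-checking the JWKS URL against the metadata document. The tenant id, kid values, key material, hostname and the Location/AuthType layout of the vhost fragments are all constructed for the example; only the directive names are real.

```python
"""Added example, not kolla-ansible's or mod_auth_openidc's code.  All inputs
(metadata, JWKS, tokens, vhost fragments) are constructed for this example."""
import base64
import json
import re
import urllib.request
from typing import Optional

TENANT = "00000000-0000-0000-0000-000000000000"  # placeholder tenant id

# Constructed discovery document with the two fields this check needs.
METADATA = {
    "issuer": f"https://login.microsoftonline.com/{TENANT}/v2.0",
    "jwks_uri": f"https://login.microsoftonline.com/{TENANT}/discovery/v2.0/keys",
}

# Constructed JWKS: one signing key whose material is a placeholder, since
# the failure in the bug happens at kid lookup, before any signature check.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "kid-current",
                  "n": "placeholder-modulus", "e": "AQAB"}]}


def b64url_decode(part: str) -> bytes:
    """Base64url-decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(header: dict, claims: dict) -> str:
    """Token with an empty signature; enough to exercise the kid lookup."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(json.dumps(claims).encode()), ""])


def jwt_kid(token: str) -> Optional[str]:
    """Return the 'kid' from the token's protected header (None if absent)."""
    return json.loads(b64url_decode(token.split(".")[0])).get("kid")


def jwks_uri_from_metadata(metadata: dict) -> str:
    return metadata["jwks_uri"]


def key_for_kid(jwks: dict, kid: Optional[str]) -> Optional[dict]:
    """The lookup that happens before signature verification."""
    return next((k for k in jwks.get("keys", []) if k.get("kid") == kid), None)


def explain_lookup(token: str, jwks: dict) -> str:
    """Reproduce the log line from the bug for a token/JWKS pair."""
    kid = jwt_kid(token)
    key = key_for_kid(jwks, kid)
    if key is None:
        return f"could not find key with kid: {kid}"
    return f"found {key['kty']} key for kid: {kid}"


def fetch_json(url: str) -> dict:
    """Live variant (not called offline): fetch metadata or the JWKS it names."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_vhost(config: str, metadata: dict) -> list:
    """Flag the two omissions the fix addresses in a rendered keystone vhost."""
    directives = dict(re.findall(r"^\s*(OIDC\w+|ServerName)\s+(\S+)", config, re.M))
    findings = []
    jwks_uri = directives.get("OIDCOAuthVerifyJwksUri")
    if jwks_uri is None:
        findings.append("OIDCOAuthVerifyJwksUri missing: OAuth 2.0 access-token "
                        "validation has no key source, so every kid is unknown")
    elif jwks_uri != jwks_uri_from_metadata(metadata):
        findings.append("OIDCOAuthVerifyJwksUri differs from jwks_uri in metadata")
    if "ServerName" not in directives:
        findings.append("ServerName missing: redirects can use the wrong host "
                        "when external TLS is enabled")
    return findings


# Constructed vhost fragments; the Location/AuthType layout is assumed.
VHOST_BEFORE = f"""\
<VirtualHost *:5000>
    OIDCProviderMetadataURL {METADATA['issuer']}/.well-known/openid-configuration
    OIDCClientID keystone
    <Location ~ "/v3/OS-FEDERATION/identity_providers/azure/protocols/openid/auth">
        AuthType oauth20
        Require valid-user
    </Location>
</VirtualHost>
"""
VHOST_AFTER = VHOST_BEFORE.replace(
    "    OIDCClientID keystone",
    "    ServerName keystone.example.com\n    OIDCClientID keystone\n"
    f"    OIDCOAuthVerifyJwksUri {METADATA['jwks_uri']}")

if __name__ == "__main__":
    stale = make_unsigned_jwt({"alg": "RS256", "kid": "kid-stale"}, {"sub": "cli"})
    print(explain_lookup(stale, JWKS))          # could not find key with kid: kid-stale
    print(check_vhost(VHOST_BEFORE, METADATA))  # two findings
    print(check_vhost(VHOST_AFTER, METADATA))   # []
```

Against a live deployment, point fetch_json at the provider's openid-configuration URL, fetch the JWKS it names, and pass the kid from the failing log line to key_for_kid: if the kid is present there but the error persists, the vhost is not pointing OIDCOAuthVerifyJwksUri at that document; if the kid is absent, the token was signed by a key the tenant no longer publishes and no configuration change will make it validate.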
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/yoga)

Fix proposed to branch: stable/yoga
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/860431

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/yoga)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/860431
Committed: https://opendev.org/openstack/kolla-ansible/commit/1d8c7c0da1186bbbb707a4da6aba1f7c24b887a5
Submitter: "Zuul (22348)"
Branch: stable/yoga

commit 1d8c7c0da1186bbbb707a4da6aba1f7c24b887a5
Author: Jakub Darmach <email address hidden>
Date: Wed Sep 21 14:36:53 2022 +0200

    Keystone OIDC JWKS fix

    JWT failed to validate on auth-oidc endpoint used by openstack cli
    with "could not find key with kid: XX" error. To fix this we need
    to use jwks provided in "jwks_uri" by OIDC metadata endpoint.

    Missing "ServerName" directive from vhost config causes redirection
    to fail in some cases when external tls is enabled.

      - added "keystone_federation_oidc_jwks_uri" variable
      - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
      - added "ServerName" to keystone vhost config
      - jinja templating additional whitespace trimmed to
        correct end result indentation and empty newlines

    Closes-bug: 1990375
    Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
    (cherry picked from commit 98929761191e265474459a0b73fdbeb07afd2bb4)

tags: added: in-stable-yoga
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/xena)

Fix proposed to branch: stable/xena
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/860453

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/860453
Committed: https://opendev.org/openstack/kolla-ansible/commit/d94d1376378bbb3c72864374615d65edef59338a
Submitter: "Zuul (22348)"
Branch: stable/xena

commit d94d1376378bbb3c72864374615d65edef59338a
Author: Jakub Darmach <email address hidden>
Date: Wed Sep 21 14:36:53 2022 +0200

    Keystone OIDC JWKS fix

    JWT failed to validate on auth-oidc endpoint used by openstack cli
    with "could not find key with kid: XX" error. To fix this we need
    to use jwks provided in "jwks_uri" by OIDC metadata endpoint.

    Missing "ServerName" directive from vhost config causes redirection
    to fail in some cases when external tls is enabled.

      - added "keystone_federation_oidc_jwks_uri" variable
      - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
      - added "ServerName" to keystone vhost config
      - jinja templating additional whitespace trimmed to
        correct end result indentation and empty newlines

    Closes-bug: 1990375
    Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
    (cherry picked from commit 98929761191e265474459a0b73fdbeb07afd2bb4)

tags: added: in-stable-xena
OpenStack Infra (hudson-openstack) wrote : Fix proposed to kolla-ansible (stable/wallaby)

Fix proposed to branch: stable/wallaby
Review: https://review.opendev.org/c/openstack/kolla-ansible/+/860469

OpenStack Infra (hudson-openstack) wrote : Fix merged to kolla-ansible (stable/wallaby)

Reviewed: https://review.opendev.org/c/openstack/kolla-ansible/+/860469
Committed: https://opendev.org/openstack/kolla-ansible/commit/f5f14cb4a7055addaf37f80d68e805c3e6a4b913
Submitter: "Zuul (22348)"
Branch: stable/wallaby

commit f5f14cb4a7055addaf37f80d68e805c3e6a4b913
Author: Jakub Darmach <email address hidden>
Date: Wed Sep 21 14:36:53 2022 +0200

    Keystone OIDC JWKS fix

    JWT failed to validate on auth-oidc endpoint used by openstack cli
    with "could not find key with kid: XX" error. To fix this we need
    to use jwks provided in "jwks_uri" by OIDC metadata endpoint.

    Missing "ServerName" directive from vhost config causes redirection
    to fail in some cases when external tls is enabled.

      - added "keystone_federation_oidc_jwks_uri" variable
      - added "OIDCOAuthVerifyJwksUri" to keystone vhost config
      - added "ServerName" to keystone vhost config
      - jinja templating additional whitespace trimmed to
        correct end result indentation and empty newlines

    Closes-bug: 1990375
    Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
    (cherry picked from commit 98929761191e265474459a0b73fdbeb07afd2bb4)

tags: added: in-stable-wallaby
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 13.6.0

This issue was fixed in the openstack/kolla-ansible 13.6.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 14.6.0

This issue was fixed in the openstack/kolla-ansible 14.6.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible 15.0.0.0rc1

This issue was fixed in the openstack/kolla-ansible 15.0.0.0rc1 release candidate.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/kolla-ansible wallaby-eol

This issue was fixed in the openstack/kolla-ansible wallaby-eol release.
