Bug 1386799

Summary: mod_auth_openidc could not retrieve metadata from OIDCProviderMetadataURL pointing to keycloak
Product: Red Hat Enterprise Linux 7 Reporter: Scott Poore <spoore>
Component: mod_auth_openidcAssignee: John Dennis <jdennis>
Status: CLOSED NOTABUG QA Contact: Namita Soman <nsoman>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: jhrozek
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-10-21 16:26:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Scott Poore 2016-10-19 16:03:32 UTC 
Description of problem:

mod_auth_openidc appears to be unable to access the url provided in OIDCProviderMetadataURL even though I can manually use curl to access it.


From a web browser I see an internal server error message.

From the log I see:

[root@vm2 conf.d]# tail -2 /var/log/httpd/error_log

[Wed Oct 19 10:55:48.030931 2016] [auth_openidc:error] [pid 1037] [client 192.168.122.1:45990] oidc_util_http_call: curl_easy_perform() failed on: http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration (Failed to connect to 192.168.122.151: Permission denied)

[Wed Oct 19 10:55:48.030975 2016] [auth_openidc:error] [pid 1037] [client 192.168.122.1:45990] oidc_provider_static_config: could not retrieve metadata from url: http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration

From command line though (on the SP with mod_auth_openidc configured, I see it connect:

[root@vm2 conf.d]# curl -k http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration
{"issuer":"http://192.168.122.151:18080/auth/realms/test_realm","authorization_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/auth","token_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/token","token_introspection_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/userinfo","end_session_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/logout","jwks_uri":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/certs","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/clients-registrations/openid-connect"}[root@vm2 conf.d]# 


Version-Release number of selected component (if applicable):
mod_auth_openidc-1.8.8-3.el7.x86_64

How reproducible:
always

Steps to Reproduce:
1.  Setup RH-SSO 7.0.0

In my case this is running on a server with IPA configured.  So ports have to be changed in the standalone-ha.xml file.

2.  Add openidc client through keycloak admin console.  Get secret and client id for SP configuration

3.  Setup SP config like this:

[root@vm2 conf.d]# cat /etc/httpd/conf.d/openidc.conf 
OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer
OIDCProviderMetadataURL 'http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration'
OIDCClientID <Client ID used in Keycloak>
OIDCClientSecret <Client Secret from Keycloak (under credentials tab)>
OIDCRedirectURI http://192.168.122.152/private/redirect_uri
OIDCRemoteUserClaim preferred_username
OIDCSSLValidateServer Off

<Location /private>
    AuthType openid-connect
    Require valid-user
</Location>

<Directory /var/www/html/private>
    Options +Includes
    AddOutputFilter INCLUDES .html
</Directory>


Actual results:
Fails as described

Expected results:
No failure, authenticates and connects to index.html under private on SP.

Additional info:
Comment 2 Scott Poore 2016-10-20 20:06:33 UTC 
I ran a test with strace watching httpd process and saw this:

1197  10:25:58 connect(15, {sa_family=AF_INET, sin_port=htons(18080), sin_addr=inet_addr("192.168.122.151")}, 16) = -1 EACCES (Permission denied)

I'm not sure why this connect would be failing from httpd when wget/curl works.  

So, I thought I'd try hiding the port with a reverse proxy on the Keycloak server like this:

[root@vm1 ~]# cat /etc/httpd/conf.d/openid-proxy.conf
ProxyPass "/openid-configuration" "http://vm1.example.com:18080/auth/realms/test_realm/.well-known/openid-configuration"


Then point to that for the OIDCProviderMetadataURL:

OIDCProviderMetadataURL http://vm1.example.com/openid-configuration


Now, when I go to the /private page from a web browser it works and I'm prompted to login.

So, is there another way to specify the port for that config?
Comment 3 John Dennis 2016-10-20 20:37:28 UTC 
This might be an SELinux issue, httpd is heavily restricted by default. Does the original configuration work if you put the system in permissive mode? Are there any AVC's in the audit log?
Comment 4 Scott Poore 2016-10-21 01:26:18 UTC 
I thought I'd checked for AVCs but, apparently missed it somewhere.  I do see this:


type=SYSCALL msg=audit(1476921957.945:109): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7ffe3c564990 a2=10 a3=0 items=0 ppid=2236 pid=2240 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1476921957.945:109): avc:  denied  { name_connect } for  pid=2240 comm="httpd" dest=18080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket



A little more info too.  I setup a new env with the IPA server and IdP separated.  I configured Keycloak to use port 80 and 443 so no custom ports were needed in urls.  This seemed to work.  I'm able to login now.  So, this is probably just the AVC.  I'll setup my combined server tomorrow and confirm it works if I enable a new rule for the port access.
Comment 5 Scott Poore 2016-10-21 16:26:05 UTC 
Ok, this is necessary to resolve the issue:

setsebool httpd_can_network_connect=on

Since this is normal httpd behavior, I'm closing this one as NOTABUG.

Thanks for the help