Bug 1805914

Summary: [RFE] Add support for OpenID-Connect/OAuth2 in the API
Product: Red Hat CloudForms Management Engine
Reporter: Satoe Imaishi <simaishi>
Component: API
Assignee: abellott
Status: CLOSED ERRATA
QA Contact: Parthvi Vala <pvala>
Severity: medium
Docs Contact: Red Hat CloudForms Documentation <cloudforms-docs>
Priority: unspecified
Version: 5.11.0
CC: abellott, akarol, dmetzger, obarenbo, pvala
Target Milestone: GA
Keywords: ZStream
Target Release: 5.11.4
Flags: pm-rhel: cfme-5.11.z+, simaishi: mirror+
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: 5.11.4.0
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1805279
Environment:
Last Closed: 2020-03-17 13:11:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: CFME Core
Target Upstream Version:
Embargoed:
Bug Depends On: 1805279
Bug Blocks:

Comment 2 CFME Bot 2020-02-21 22:11:51 UTC
New commits detected on ManageIQ/manageiq-api/ivanchuk:

https://github.com/ManageIQ/manageiq-api/commit/5d482984334e606d74c72182fb07b5db33a7040b
commit 5d482984334e606d74c72182fb07b5db33a7040b
Author:     Jason Frey <jfrey>
AuthorDate: Thu Feb 20 15:22:56 2020 +0000
Commit:     Jason Frey <jfrey>
CommitDate: Thu Feb 20 15:22:56 2020 +0000

    Merge pull request #737 from abellotti/support_oidc

    Adding support for OpenID-Connect/OAuth2 in the API

    (cherry picked from commit 95e86abb70c2a601f424e18f3d8d0f3d119c9d01)

    Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1805914

 app/controllers/api/base_controller/authentication.rb | 139 +-
 1 file changed, 136 insertions(+), 3 deletions(-)

Comment 3 CFME Bot 2020-02-24 13:47:06 UTC
New commit detected on ManageIQ/manageiq-api/ivanchuk:

https://github.com/ManageIQ/manageiq-api/commit/32158db30eaeb3766a747198c0f67f8b725d7f59
commit 32158db30eaeb3766a747198c0f67f8b725d7f59
Author:     Oleg Barenboim <chessbyte>
AuthorDate: Sun Feb 23 12:51:37 2020 +0000
Commit:     Oleg Barenboim <chessbyte>
CommitDate: Sun Feb 23 12:51:37 2020 +0000

    Merge pull request #747 from abellotti/support_optional_oidc_parameters

    Adding support for OIDCProviderTokenEndpoint, OIDCOAuthIntrospectionEndpoint and OIDCScope

    (cherry picked from commit 7677117443d76c0a6aecdb0bfaa1030183cea808)

    https://bugzilla.redhat.com/show_bug.cgi?id=1805914

 app/controllers/api/base_controller/authentication.rb | 75 +-
 1 file changed, 58 insertions(+), 17 deletions(-)

Comment 4 Parthvi Vala 2020-02-26 12:45:21 UTC
Hi Alberto, can you help me with the verification steps? How do I test this?

Comment 5 abellott 2020-02-26 16:54:43 UTC
For this, just configure an appliance for OpenID-Connect authentication as per https://www.manageiq.org/docs/reference/latest/auth/openid_connect either manually or via the appliance_console_cli.

Set up the user and related group in Keycloak, and make sure you can log in with that user in the UI.

Then just use the API with the Keycloak user:

i.e.

curl -k -X GET --user oidc_user:oidc_password https://miq_appliance/api

If you like you can also test via a JWT Token, i.e. get a JWT Token (access token) for that user from Keycloak, then do the API call with that access token.

You need to get the token endpoint of your Keycloak first; it's usually something like:

http://<your_keycloak_server>:8008/auth/realms/<your_realm>/protocol/openid-connect/token

Then do a:

curl -k -L --user <oidc_user>:<oidc_password> -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password" \
  -d "client_id=${OIDC_CLIENT_ID}" \
  -d "client_secret=${OIDC_CLIENT_SECRET}" \
  -d "username=<oidc_user>" \
  -d "password=<oidc_password>" \
  http://<your_keycloak_server>:8008/auth/realms/<your_realm>/protocol/openid-connect/token

Replace OIDC_CLIENT_ID and OIDC_CLIENT_SECRET with the values from the ext-auth oidc config file.

Then fetch the access_token from that response, then use that to authenticate with the API:

curl -k -X GET -H "Authorization: Bearer <access_token>" https://miq_appliance/api

For authentication using a JWT Token, you need to make sure groups are returned in the token introspection, i.e. in the groups mapper, make sure it is Added to the access token and Added to userinfo.

Alberto
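
The steps above (password grant against the Keycloak token endpoint, then a bearer call to /api) plus the groups caveat, as an added verification helper. This is example code written for this page; it is not from the comment above nor from manageiq-api. It decodes the access token's payload without verifying the signature (the appliance does that via introspection) so you can confirm the `groups` claim is actually present before blaming the API. The sample tokens are constructed inline with a placeholder signature; the claim list beyond `groups` (`preferred_username`, `exp`) is an assumption about what is worth checking, not something the comment states.

```python
import base64
import json
import urllib.parse
import urllib.request


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT *without* checking the signature.

    Inspection only: the appliance validates the token against the OIDC provider
    (introspection endpoint); this just shows what Keycloak put in the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segment(s)" % len(parts))
    return json.loads(_b64url_decode(parts[1]))


def missing_claims(claims: dict, required=("groups", "preferred_username", "exp")) -> list:
    """Names of the expected claims that are absent from the token.

    'groups' is the one the comment calls out: if the group mapper does not add
    it to the access token, the appliance cannot resolve the user's group.
    (The other two names are an assumption for this example.)
    """
    return [name for name in required if name not in claims]


def request_access_token(token_endpoint, client_id, client_secret, username, password):
    """Resource-owner password grant, the same request as the curl in the comment.

    Network call; the offline sample run at the bottom does not use it.
    """
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "client_secret": client_secret,
        "username": username,
        "password": password,
    }).encode()
    req = urllib.request.Request(
        token_endpoint, data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def api_entrypoint(api_url, access_token):
    """GET /api with the bearer token, mirroring the final curl in the comment."""
    req = urllib.request.Request(api_url, headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


# --- Constructed sample tokens (offline; signature is a placeholder, not valid) ---

def make_sample_token(claims: dict) -> str:
    """Build a well-formed but unsigned JWT so the inspection path runs offline."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(claims).encode()),
                     enc(b"placeholder-signature")])


# Constructed claim sets: one with the groups mapper applied, one without.
TOKEN_WITH_GROUPS = make_sample_token({
    "exp": 1582900000, "preferred_username": "oidc_user", "groups": ["oidc-operators"],
})
TOKEN_WITHOUT_GROUPS = make_sample_token({
    "exp": 1582900000, "preferred_username": "oidc_user",
})

if __name__ == "__main__":
    for label, tok in (("with groups", TOKEN_WITH_GROUPS), ("without groups", TOKEN_WITHOUT_GROUPS)):
        gaps = missing_claims(decode_jwt_claims(tok))
        print(label, "->", "OK" if not gaps else "missing: " + ", ".join(gaps))
```

Against a live setup, call `request_access_token(...)` with the token endpoint and client credentials from the ext-auth oidc config, run `missing_claims(decode_jwt_claims(token))` on the result, and only then pass the token to `api_entrypoint(...)`. If `groups` shows up as missing, fix the Keycloak mapper before retrying the API.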

Comment 6 Parthvi Vala 2020-03-04 16:51:02 UTC
FIXED. Verified on 5.11.4.1.20200228172510_c08508d.

Tested it via Basic Auth and JWT token - worked perfectly for both.

Thank you for all the help you did Alberto :)

Comment 9 errata-xmlrpc 2020-03-17 13:11:38 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0867