Bug 1807138

Summary: Support for openid federation requires changes to keystone's httpd configuration
Product: Red Hat OpenStack
Reporter: Lars Kellogg-Stedman <lars>
Component: puppet-keystone
Assignee: Dave Wilde <dwilde>
Status: CLOSED DUPLICATE
QA Contact: Jeremy Agee <jagee>
Severity: medium
Docs Contact:
Priority: high
Version: 13.0 (Queens)
CC: alee, dwilde, hrybacki, jjoyce, jschluet, scohen, slinaber, tvignaud
Target Milestone: beta
Keywords: FutureFeature, Triaged
Target Release: ---
Flags: ifrangs: needinfo? (dwilde)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-03-17 18:08:45 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1590932

Description Lars Kellogg-Stedman 2020-02-25 17:08:23 UTC
Description of problem:

Supporting openid federation requires setting a number of parameters in keystone's httpd configuration, such as:

  LoadModule auth_openidc_module modules/mod_auth_openidc.so
  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "id_token"
  OIDCScope "openid email profile"
  OIDCProviderMetadataURL "https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration"
  OIDCClientID "kaizen"
  OIDCClientSecret "..."
  OIDCCryptoPassphrase "..."

  OIDCCacheType memcache
  OIDCMemCacheServers "172.16.32.10:11211 172.16.32.11:11211 172.16.32.28:11211"

  # The following directives are necessary to support websso from Horizon
  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
  OIDCRedirectURI "https://kaizen.massopen.cloud:13000/v3/auth/OS-FEDERATION/identity_providers/moc/protocols/openid/websso"
  OIDCRedirectURI "https://kaizen.massopen.cloud:13000/v3/auth/OS-FEDERATION/websso/openid"

  <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/moc/protocols/openid/websso">
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  OIDCOAuthClientID "kaizen"
  OIDCOAuthClientSecret "..."
  OIDCOAuthIntrospectionEndpoint "https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token/introspect"

  <Location ~ "/v3/OS-FEDERATION/identity_providers/moc/protocols/openid/auth">
      AuthType oauth20
      Require valid-user
  </Location>

The puppet-keystone module does not provide any way to inject custom configuration into keystone's apache configuration files (10-keystone_wsgi_admin.conf and 10-keystone_wsgi_main.conf).

These changes can be made via some sort of post-deploy script/playbook/etc, but that means that authentication is broken for the duration of the deploy. It would be preferable if there was a mechanism that would permit an operator to apply this configuration during the deploy process.

Version-Release number of selected component (if applicable):

puppet-keystone-12.4.0-6.el7ost.noarch
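
Added example (not part of the report or of puppet-keystone): when a fragment like the one above is injected after deploy, the operational risk is that a websso endpoint mod_auth_openidc redirects to ends up outside any `<Location>`/`<LocationMatch>` block that requires a valid user. This small checker parses such a fragment and lists every OIDCRedirectURI path not covered by an `openid-connect` block; the sample config is constructed, with placeholder hostnames, and deliberately omits the identity_providers websso block so the gap is reported.

```python
import re
from urllib.parse import urlparse

# Constructed sample modelled on the report's fragment (hostnames are placeholders).
# The LocationMatch for the identity_providers/.../websso path is intentionally missing.
SAMPLE_CONF = """
OIDCRedirectURI "https://keystone.example.test:13000/v3/auth/OS-FEDERATION/websso/openid"
OIDCRedirectURI "https://keystone.example.test:13000/v3/auth/OS-FEDERATION/identity_providers/moc/protocols/openid/websso"

<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
    AuthType "openid-connect"
    Require valid-user
</LocationMatch>

<Location ~ "/v3/OS-FEDERATION/identity_providers/moc/protocols/openid/auth">
    AuthType oauth20
    Require valid-user
</Location>
"""

# <Location /path>, <Location ~ "regex"> and <LocationMatch "regex"> blocks with their bodies.
BLOCK_RE = re.compile(r'<(Location|LocationMatch)\s+(~\s+)?"?([^">]+?)"?\s*>(.*?)</\1\s*>', re.S)
REDIRECT_RE = re.compile(r'^\s*OIDCRedirectURI\s+"?(\S+?)"?\s*$', re.M)


def protected_paths(conf):
    """Return {pattern: (authtype, is_regex)} for every block that has AuthType and Require valid-user."""
    out = {}
    for kind, tilde, pattern, body in BLOCK_RE.findall(conf):
        authtype = re.search(r'AuthType\s+"?([\w-]+)"?', body)
        if authtype and re.search(r'Require\s+valid-user', body):
            out[pattern] = (authtype.group(1), kind == "LocationMatch" or bool(tilde))
    return out


def _covers(pattern, is_regex, path):
    # LocationMatch / Location ~ use a regex; plain Location is a path-prefix match.
    if is_regex:
        return re.search(pattern, path) is not None
    return path == pattern or path.startswith(pattern.rstrip("/") + "/")


def unprotected_redirects(conf):
    """Paths named by OIDCRedirectURI that no openid-connect block with Require valid-user covers."""
    guards = [(p, rx) for p, (auth, rx) in protected_paths(conf).items() if auth == "openid-connect"]
    return [urlparse(uri).path for uri in REDIRECT_RE.findall(conf)
            if not any(_covers(p, rx, urlparse(uri).path) for p, rx in guards)]


if __name__ == "__main__":
    for path in unprotected_redirects(SAMPLE_CONF):
        print("unprotected websso endpoint:", path)
```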

Comment 3 Raildo Mascena de Sousa Filho 2020-03-30 14:14:02 UTC
Moving this to an RFE; it will be prioritized accordingly later for a new release.

Comment 10 Dave Wilde 2022-03-17 18:08:45 UTC

*** This bug has been marked as a duplicate of bug 1590932 ***