Bug 1849569

Summary: Cannot obtain token for engine API calls when openid external provider (Keycloak) configured [Keycloak 10]
Product: [oVirt] ovirt-engine Reporter: Artur Socha <asocha>
Component: AAAAssignee: Artur Socha <asocha>
Status: CLOSED NOTABUG QA Contact: Lucie Leistnerova <lleistne>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 4.3.10.4CC: bugs, emarcus, mperina
Target Milestone: ovirt-4.4.4-1Flags: emarcus: needinfo-
mperina: ovirt-4.5?
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-09-07 09:01:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: Infra RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Additional scopes for oVirt in Keycloak none

Description Artur Socha 2020-06-22 09:20:57 UTC 
Description of problem:
With external OpenId provider (Keycloak) it was not possible to obtain token for further engine's Rest API calls.

Version-Release number of selected component (if applicable):
ovirt-engine.noarch                     4.3.10.4-1.el7    @ovirt-4.3
ovirt-engine-extension-aaa-misc.noarch  1.0.4-1.el7       @ovirt-4.3
mod_auth_openidc.x86_64                 1.8.8-5.el7       @base

How reproducible:


Steps to Reproduce:
1. Setup Keycloak with Ovirt Engine according to [1]
2. curl -k -H "Accept: application/json" 'https://engine.example.com/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser@openidchttp&password=mypass&scope=ovirt-app-api'


Actual results:
{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}

Expected results:
Valid token should be returned


Additional info:
[1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/

[root@virt ~]# cat /etc/*elease
CentOS Linux release 7.7.1908 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
 
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
 
CentOS Linux release 7.7.1908 (Core)
CentOS Linux release 7.7.1908 (Core)

Keycloak: 10.0.1
Comment 1 Artur Socha 2020-06-22 13:13:13 UTC 
I managed to re-create the issue on my local environment. 
Previously I tested it agains Keycloak 8.0.1 with users loaded from LDAP. Currently I have users/groups created via Keycloak management panel. I need to investigate further which of the two changes is the root cause (It works fine with the old setup)
Comment 2 Artur Socha 2020-06-22 14:53:56 UTC 
This issue exists for Keycloak version 10.0.x. The most recent working integration is with Keycloak 9.0.3.
Comment 3 Artur Socha 2020-08-17 13:11:53 UTC 
Based on the response on Keycloaks forum:

There was a Keycloak change [1] based on ticket [2] that added strict requirement for all the scopes for access token to be configured.
"Only proper configuration of requested scope should be valid solution."
Previously, such scopes were ignored.

[1]https://github.com/keycloak/keycloak/commit/cbab159aa87ca5e3443b3e87fdbf8de40542d1d3
[2]https://issues.redhat.com/browse/KEYCLOAK-8071

What needs to be done here is to identify 'unknown' scope and then make it fully registered ('known' to the client configuration in Keycloak UI).

This looks more like configuration (documentation) issue but it must yet confirmed.
Comment 4 Artur Socha 2020-09-07 08:52:24 UTC 
The fix:
Keycloak must be aware of additional client scope for configured client that is created the same ways as 'ovirt-app-admin' or 'ovirt-app-api'

The name of the new optional client scope is:  'ovirt-ext=auth:sequence-priority=~'   as on screenshot[1]



[1] https://drive.google.com/file/d/1vJqcEZ3hhlyHQ2H5Vm9qsrw1x5aeVEkw/view?usp=sharing

Tested and confirmed with Keycloak 11.0.2
Comment 7 Martin Perina 2023-01-10 10:15:41 UTC 
Created attachment 1937052 [details]
Additional scopes for oVirt in Keycloak

> The fix:
> Keycloak must be aware of additional client scope for configured client that is created the same ways as 'ovirt-app-admin' or 'ovirt-app-api'
> 
> The name of the new optional client scope is:  'ovirt-ext=auth:sequence-priority=~'   as on screenshot[1]
> 
> 
> 
> [1] https://drive.google.com/file/d/1vJqcEZ3hhlyHQ2H5Vm9qsrw1x5aeVEkw/view?usp=sharing
> 
> Tested and confirmed with Keycloak 11.0.2

I don't have permissions to reshare the image, so attaching it directly to the bug