Bug 2084473

Summary: Users authenticating with openid who have more than 5 associated groups are not accepted by the API.
Product: Red Hat OpenStack
Reporter: Eduard Barrera <ebarrera>
Component: openstack-keystone
Assignee: Dave Wilde <dwilde>
Status: NEW ---
QA Contact: Jeremy Agee <jagee>
Severity: high
Docs Contact:
Priority: high
Version: 17.1 (Wallaby)
CC: dwilde, hrybacki, oblaut, tvainio
Target Milestone: zstream
Keywords: Triaged
Target Release: ---
Flags: ifrangs: needinfo? (dwilde)
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1590932

Description Eduard Barrera 2022-05-12 08:35:59 UTC
Description of problem:

This started after upgrade from 16.2.0 to 16.2.2 while migrating from custom config to the feature described in [1]. We had fully functional openid federation with many associated groups per user before the upgrade. We have reverted the custom config and use 'keystone::federation::openidc::openidc_response_mode: "form_post"' in env-params.yaml.



[1]
16.2.2 is out and puppet-keystone-15.5.0-2.20211125004854.337022a.el8ost contains

2021-11-24 OSP Prod Chain <dev-null> 15.5.0-2.20211125004854.337022a
- Update patches
- OIDC: Add support for setting OIDCResponseMode <======
- Add oidc options


Version-Release number of selected component (if applicable):
OSP 16.2.2

How reproducible:
always

Steps to Reproduce:
1. Login using openid with 5 groups
2.
3.

Actual results:
Failed to authenticate

Expected results:
no auth errors