Bug 2307307

Summary: [Regression] changes to the way mod_auth_openidc handles headers break federation
Product: Red Hat OpenStack
Reporter: Dave Wilde <dwilde>
Component: openstack-tripleo-heat-templates
Assignee: MilanaLevy <millevy>
Status: CLOSED ERRATA
QA Contact: Jeremy Agee <jagee>
Severity: high
Priority: high
Version: 17.1 (Wallaby)
CC: dhughes, mariel, mburns, millevy, oblaut
Target Milestone: z4
Keywords: Triaged
Target Release: 17.1
Hardware: All
OS: All
Fixed In Version: openstack-tripleo-heat-templates-14.3.1-17.1.20240919130751.e7c7ce3.el9ost
Last Closed: 2024-11-21 09:30:54 UTC
Type: Bug

Description Dave Wilde 2024-08-22 15:50:00 UTC
Description of problem:

An update to mod_auth_openidc in 2.4.x changes the way that it handles headers as well as the remote_id_attribute. This breaks our current implementation of OIDC federation, where the claim is now missing the fields necessary to correctly map the federated user. Fields containing underscores are being removed by Apache.

Version-Release number of selected component (if applicable):
17.1.3

How reproducible:
Always with our recommended federation configuration.

Steps to Reproduce:
1. Configure OSP to use OIDC federation
2. Attempt to login via the Horizon dashboard
3. Keystone will return a 403, unable to find the correct user_id field for mapping

Actual results:
Keystone will return a 403; enabling insecure_debug will show that OIDC-preferred_username is missing.

Expected results:
The user should be redirected to the Horizon dashboard after successfully authenticating.

Additional info:
The fix is to remove OIDCPassClaimsAs headers from Keystone's httpd configuration and to change the remote_id_attribute to OIDC-iss in the Keystone configuration file.
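
The configuration change described in this report, shown as an added example for orientation; this is not the openstack-tripleo-heat-templates rendering of the Keystone vhost, and the IdP metadata URL, client ID, identity-provider name (myidp), protocol name (openid) and hostnames are placeholders. The one directive that matters is OIDCPassClaimsAs: the mod_auth_openidc default when it is unset is "both" (environment variables and headers), so dropping the explicit "headers" value lets the claims reach Keystone through the WSGI environment, where a claim name such as preferred_username keeps its underscore.

```apache
# Keystone OIDC federation vhost fragment (added example, placeholder values).
#
# Broken setting from the report: claims are forced into request headers only.
# Header names containing an underscore (preferred_username, for example) do
# not survive the trip through Apache, so the mapping never sees
# OIDC-preferred_username and Keystone answers 403.
#
#   OIDCPassClaimsAs headers
#
# Fix from the report: do not set OIDCPassClaimsAs at all. mod_auth_openidc
# then falls back to its default of "both", and Keystone reads the claims
# from the environment (OIDC-iss, OIDC-preferred_username, ...) instead of
# from HTTP_OIDC_* request headers.

OIDCClaimPrefix "OIDC-"
OIDCProviderMetadataURL https://idp.example.com/.well-known/openid-configuration
OIDCClientID keystone
OIDCClientSecret <client secret>
OIDCCryptoPassphrase <random passphrase>
OIDCRedirectURI https://keystone.example.com/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth/redirect

<Location /v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth>
    AuthType openid-connect
    Require valid-user
</Location>
```

The matching change on the Keystone side is the one the report names: set remote_id_attribute for the protocol to OIDC-iss, the environment-variable name of the issuer claim, so the identity provider is matched against the same variable namespace the mapping rules now read. After the change, a login with insecure_debug enabled should list OIDC-preferred_username among the received attributes rather than reporting it missing.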

Comment 11 MilanaLevy 2024-10-08 16:03:48 UTC
Verified on RHOS-17.1-RHEL-9-20240909.n.1
Logins of federated users were successful.

Comment 17 errata-xmlrpc 2024-11-21 09:30:54 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2024:9978