Hide Forgot
Description of problem: mod_auth_openidc appears to be unable to access the url provided in OIDCProviderMetadataURL even though I can manually use curl to access it. From a web browser I see an internal server error message. From the log I see: [root@vm2 conf.d]# tail -2 /var/log/httpd/error_log [Wed Oct 19 10:55:48.030931 2016] [auth_openidc:error] [pid 1037] [client 192.168.122.1:45990] oidc_util_http_call: curl_easy_perform() failed on: http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration (Failed to connect to 192.168.122.151: Permission denied) [Wed Oct 19 10:55:48.030975 2016] [auth_openidc:error] [pid 1037] [client 192.168.122.1:45990] oidc_provider_static_config: could not retrieve metadata from url: http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration From command line though (on the SP with mod_auth_openidc configured, I see it connect: [root@vm2 conf.d]# curl -k http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration {"issuer":"http://192.168.122.151:18080/auth/realms/test_realm","authorization_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/auth","token_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/token","token_introspection_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/token/introspect","userinfo_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/userinfo","end_session_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/logout","jwks_uri":"http://192.168.122.151:18080/auth/realms/test_realm/protocol/openid-connect/certs","grant_types_supported":["authorization_code","implicit","refresh_token","password","client_credentials"],"response_types_supported":["code","none","id_token","token","id_token token","code id_token","code token","code id_token token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"response_modes_supported":["query","fragment","form_post"],"registration_endpoint":"http://192.168.122.151:18080/auth/realms/test_realm/clients-registrations/openid-connect"}[root@vm2 conf.d]# Version-Release number of selected component (if applicable): mod_auth_openidc-1.8.8-3.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Setup RH-SSO 7.0.0 In my case this is running on a server with IPA configured. So ports have to be changed in the standalone-ha.xml file. 2. Add openidc client through keycloak admin console. Get secret and client id for SP configuration 3. Setup SP config like this: [root@vm2 conf.d]# cat /etc/httpd/conf.d/openidc.conf OIDCCryptoPassphrase a-random-secret-used-by-apache-oidc-and-balancer OIDCProviderMetadataURL 'http://192.168.122.151:18080/auth/realms/test_realm/.well-known/openid-configuration' OIDCClientID <Client ID used in Keycloak> OIDCClientSecret <Client Secret from Keycloak (under credentials tab)> OIDCRedirectURI http://192.168.122.152/private/redirect_uri OIDCRemoteUserClaim preferred_username OIDCSSLValidateServer Off <Location /private> AuthType openid-connect Require valid-user </Location> <Directory /var/www/html/private> Options +Includes AddOutputFilter INCLUDES .html </Directory> Actual results: Fails as described Expected results: No failure, authenticates and connects to index.html under private on SP. Additional info:
I ran a test with strace watching httpd process and saw this: 1197 10:25:58 connect(15, {sa_family=AF_INET, sin_port=htons(18080), sin_addr=inet_addr("192.168.122.151")}, 16) = -1 EACCES (Permission denied) I'm not sure why this connect would be failing from httpd when wget/curl works. So, I thought I'd try hiding the port with a reverse proxy on the Keycloak server like this: [root@vm1 ~]# cat /etc/httpd/conf.d/openid-proxy.conf ProxyPass "/openid-configuration" "http://vm1.example.com:18080/auth/realms/test_realm/.well-known/openid-configuration" Then point to that for the OIDCProviderMetadataURL: OIDCProviderMetadataURL http://vm1.example.com/openid-configuration Now, when I go to the /private page from a web browser it works and I'm prompted to login. So, is there another way to specify the port for that config?
This might be an SELinux issue, httpd is heavily restricted by default. Does the original configuration work if you put the system in permissive mode? Are there any AVC's in the audit log?
I thought I'd checked for AVCs but, apparently missed it somewhere. I do see this: type=SYSCALL msg=audit(1476921957.945:109): arch=c000003e syscall=42 success=no exit=-13 a0=f a1=7ffe3c564990 a2=10 a3=0 items=0 ppid=2236 pid=2240 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(1476921957.945:109): avc: denied { name_connect } for pid=2240 comm="httpd" dest=18080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket A little more info too. I setup a new env with the IPA server and IdP separated. I configured Keycloak to use port 80 and 443 so no custom ports were needed in urls. This seemed to work. I'm able to login now. So, this is probably just the AVC. I'll setup my combined server tomorrow and confirm it works if I enable a new rule for the port access.
Ok, this is necessary to resolve the issue: setsebool httpd_can_network_connect=on Since this is normal httpd behavior, I'm closing this one as NOTABUG. Thanks for the help