Bug 1416491 - [RFE] Add support for OpenID Connect in engine SSO
Summary: [RFE] Add support for OpenID Connect in engine SSO
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: ovirt-engine
Classification: oVirt
Component: AAA
Version: ---
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: ovirt-4.2.0
: 4.2.0
Assignee: Ravi Nori
QA Contact: Gonza
URL:
Whiteboard:
Depends On: 1425935
Blocks: oVirt-Metrics-and-Logs 1518086
 
Reported: 2017-01-25 15:49 UTC by Ravi Nori
Modified: 2018-02-12 10:10 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
This update adds SSO support for OpenID Connect clients.
The following new OpenID Connect discovery endpoint has been added so that clients can discover the authorization endpoints and OpenID Connect capabilities of the Manager:
https://<Manager>/ovirt-engine/sso/openid/.well-known/openid-configuration
The following endpoint is used for client authorization and for obtaining the authentication code:
https://<Manager>/ovirt-engine/sso/openid/authorize
The following endpoint is used by clients to obtain the authentication token from the authentication code:
https://<Manager>/ovirt-engine/sso/openid/token
The following endpoint can be used by clients to get details of the logged-in user:
https://<Manager>/ovirt-engine/sso/openid/userinfo
The following endpoint can be used by clients to get the keys used by SSO to sign the id_token returned from token and tokeninfo endpoints:
https://<Manager>/ovirt-engine/sso/openid/jwks
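A client that trusts the discovery document should confirm that every endpoint it advertises stays on the Manager it queried. The following is an added example, not code from ovirt-engine: it assumes the document uses the standard OpenID Connect Discovery field names, and the host `manager.example.test` and both sample documents are constructed.

```python
from urllib.parse import urlsplit

# Paths come from the Doc Text above. The field names are the standard
# OpenID Connect Discovery 1.0 names (assumed to be what the Manager returns).
BASE = "/ovirt-engine/sso/openid"
DISCOVERY_PATH = BASE + "/.well-known/openid-configuration"
EXPECTED = {
    "authorization_endpoint": BASE + "/authorize",
    "token_endpoint": BASE + "/token",
    "userinfo_endpoint": BASE + "/userinfo",
    "jwks_uri": BASE + "/jwks",
}

def check_discovery(discovery_url, doc):
    """Return a list of problems; an empty list means the document is consistent."""
    problems = []
    src = urlsplit(discovery_url)
    if src.scheme != "https":
        problems.append("discovery URL is not https")
    if src.path != DISCOVERY_PATH:
        problems.append("discovery URL has unexpected path")
    for field, path in EXPECTED.items():
        value = doc.get(field)
        if not isinstance(value, str):
            problems.append(f"{field}: missing")
            continue
        url = urlsplit(value)
        if url.scheme != "https":
            problems.append(f"{field}: not https")
        # Tokens and signing keys must come from the Manager that was queried.
        if url.netloc.lower() != src.netloc.lower():
            problems.append(f"{field}: host differs from Manager")
        if url.path != path:
            problems.append(f"{field}: unexpected path")
    return problems

# Constructed sample data (manager.example.test is a placeholder host).
MANAGER = "https://manager.example.test"
GOOD = {field: MANAGER + path for field, path in EXPECTED.items()}
TAMPERED = dict(GOOD,
                token_endpoint="https://idp.example.net" + BASE + "/token",
                jwks_uri="http://manager.example.test" + BASE + "/jwks")
del TAMPERED["userinfo_endpoint"]

if __name__ == "__main__":
    print(check_discovery(MANAGER + DISCOVERY_PATH, GOOD))
    for problem in check_discovery(MANAGER + DISCOVERY_PATH, TAMPERED):
        print(problem)
```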
Clone Of:
Environment:
Last Closed: 2018-02-12 10:10:53 UTC
oVirt Team: Infra
rule-engine: ovirt-4.2+
ylavi: exception+
grafuls: testing_plan_complete+
ylavi: planning_ack+
mperina: devel_ack+
lsvaty: testing_ack+


Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Bugzilla | 1518066 | 0 | urgent | CLOSED | ovirt-engine-backend contains jar files that shouldn't be there | 2021-02-22 00:41:40 UTC |
| oVirt gerrit | 71200 | 0 | 'None' | MERGED | aaa: Add support for OpenId Connect auth | 2021-02-08 13:59:05 UTC |
| oVirt gerrit | 74532 | 0 | 'None' | MERGED | aaa: Token validation does not need client and secret | 2021-02-08 13:59:05 UTC |
| oVirt gerrit | 75152 | 0 | 'None' | MERGED | aaa: Sso registration tool should create output dir | 2021-02-08 13:59:05 UTC |
| oVirt gerrit | 75414 | 0 | 'None' | MERGED | aaa: Add support for OpenId Connect password grant scope | 2021-02-08 13:59:04 UTC |
| oVirt gerrit | 76053 | 0 | 'None' | MERGED | aaa: Add OpenId support | 2021-02-08 13:59:05 UTC |
| oVirt gerrit | 78256 | 0 | 'None' | MERGED | aaa: Rename error to error_description and error_code to error | 2021-02-08 13:59:05 UTC |
| oVirt gerrit | 78257 | 0 | 'None' | MERGED | aaa: Add OpenId Token end point | 2021-02-08 13:59:06 UTC |
| oVirt gerrit | 79079 | 0 | 'None' | MERGED | aaa: SDK requires error and error_code | 2021-02-08 13:59:06 UTC |

Internal Links: 1518066

Description Ravi Nori 2017-01-25 15:49:00 UTC
Description of problem: Engine SSO is OAuth2 compliant but OpenShift can delegate authentication to OpenConnectId and not OAuth2. Need to extend engine SSO to support both OAuth2 and OpenConnectId.

Comment 1 Yaniv Lavi 2017-02-19 12:00:42 UTC
This is needed for simple authentication of the metrics store that we hope to release in the 4.1.z time frame. Therefore requesting z stream target.

Comment 4 Sandro Bonazzola 2017-04-13 15:49:41 UTC
I see that in https://gerrit.ovirt.org/71200
the following 3rd party dependencies have been added to the project:

      <dependency>
        <groupId>net.minidev</groupId>
        <artifactId>json-smart</artifactId>
        <version>1.3.1</version>
      </dependency>
      <dependency>
        <groupId>com.nimbusds</groupId>
        <artifactId>nimbus-jose-jwt</artifactId>
        <version>4.13.1</version>
      </dependency>

Any plan to provide them properly packaged as rpm?

Comment 5 Martin Perina 2017-04-13 22:26:14 UTC
(In reply to Sandro Bonazzola from comment #4)
> I see that in https://gerrit.ovirt.org/71200
> the following 3rd party dependencies have been added to the project:
> 
>       <dependency>
>         <groupId>net.minidev</groupId>
>         <artifactId>json-smart</artifactId>
>         <version>1.3.1</version>
>       </dependency>
>       <dependency>
>         <groupId>com.nimbusds</groupId>
>         <artifactId>nimbus-jose-jwt</artifactId>
>         <version>4.13.1</version>
>       </dependency>
> 
> Any plan to provide them properly packaged as rpm?

They are built by the JBoss team, but unfortunately they are packaged as standalone RPM. So if those packages will not be provided within WildFly 11 / EAP 7.1, we will distribute them along with engine on upstream and add them to rhevm-dependencies downstream.

Comment 8 Gonza 2018-01-29 10:15:45 UTC
Verified with:
ovirt-engine-4.2.1.1-0.1.el7.noarch

Comment 9 Sandro Bonazzola 2018-02-12 10:10:53 UTC
This bugzilla is included in oVirt 4.2.0 release, published on Dec 20th 2017.

Since the problem described in this bug report should be
resolved in oVirt 4.2.0 release, published on Dec 20th 2017, it has been closed with a resolution of CURRENT RELEASE.

If the solution does not work for you, please open a new bug report.

