Bug 1807138 - Support for openid federation requires changes to keystone's httpd configuration [NEEDINFO]
Summary: Support for openid federation requires changes to keystone's httpd configuration
Keywords:
Status: CLOSED DUPLICATE of bug 1590932
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: puppet-keystone
Version: 13.0 (Queens)
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: beta
Target Release: ---
Assignee: Dave Wilde
QA Contact: Jeremy Agee
URL:
Whiteboard:
Depends On:
Blocks: 1590932
Reported: 2020-02-25 17:08 UTC by Lars Kellogg-Stedman
Modified: 2023-08-03 15:46 UTC (History)
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-17 18:08:45 UTC
Target Upstream Version:
Embargoed:
ifrangs: needinfo? (dwilde)
Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | OSP-14032 | 0 | None | None | None | 2022-03-17 18:25:14 UTC
Red Hat Issue Tracker | OSP-206 | 0 | None | None | None | 2022-03-17 18:09:36 UTC

Description Lars Kellogg-Stedman 2020-02-25 17:08:23 UTC
Description of problem:

Supporting openid federation requires setting a number of parameters in keystone's httpd configuration, such as:

  LoadModule auth_openidc_module modules/mod_auth_openidc.so
  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "id_token"
  OIDCScope "openid email profile"
  OIDCProviderMetadataURL "https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration"
  OIDCClientID "kaizen"
  OIDCClientSecret "..."
  OIDCCryptoPassphrase "..."

  OIDCCacheType memcache
  OIDCMemCacheServers "172.16.32.10:11211 172.16.32.11:11211 172.16.32.28:11211"

  # The following directives are necessary to support websso from Horizon
  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
  OIDCRedirectURI "https://kaizen.massopen.cloud:13000/v3/auth/OS-FEDERATION/identity_providers/moc/protocols/openid/websso"
  OIDCRedirectURI "https://kaizen.massopen.cloud:13000/v3/auth/OS-FEDERATION/websso/openid"

  <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/moc/protocols/openid/websso">
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  OIDCOAuthClientID "kaizen"
  OIDCOAuthClientSecret "..."
  OIDCOAuthIntrospectionEndpoint "https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token/introspect"

  <Location ~ "/v3/OS-FEDERATION/identity_providers/moc/protocols/openid/auth">
      AuthType oauth20
      Require valid-user
  </Location>

The puppet-keystone module does not provide any way to inject custom configuration into keystone's apache configuration files (10-keystone_wsgi_admin.conf and 10-keystone_wsgi_main.conf).

These changes can be made via some sort of post-deploy script/playbook/etc, but that means that authentication is broken for the duration of the deploy. It would be preferable if there were a mechanism that would permit an operator to apply this configuration during the deploy process.

Version-Release number of selected component (if applicable):

puppet-keystone-12.4.0-6.el7ost.noarch
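Because the directives above live outside puppet-keystone's control, a redeploy can silently drop them and leave the federation endpoints unauthenticated or unreachable. The script below is an added example (not code from the report or from puppet-keystone) that parses a rendered keystone vhost and reports which of the listed OIDC directives and Location blocks are missing, still carry a placeholder secret, or point at a non-HTTPS endpoint. The hostnames, secrets and sample vhosts in it are constructed; the directive names and protected paths are the ones from the report.

```python
"""Verify that a rendered keystone httpd vhost still carries the
mod_auth_openidc directives that OpenID Connect federation needs.

Added example; not code from the bug report or from puppet-keystone.
Hostnames and secrets in the sample configs below are constructed."""
import re
import shlex

SECTION_OPEN = re.compile(r"^<(\w+)\s+(.+?)>$")
SECTION_CLOSE = re.compile(r"^</(\w+)>$")
PLACEHOLDERS = {"...", "", "changeme"}  # values that mean "secret never filled in"

# Top-level directives the report lists as required for federation.
REQUIRED_DIRECTIVES = (
    "OIDCProviderMetadataURL", "OIDCClientID", "OIDCClientSecret",
    "OIDCCryptoPassphrase", "OIDCRedirectURI",
    "OIDCOAuthClientSecret", "OIDCOAuthIntrospectionEndpoint",
)
SECRET_DIRECTIVES = {"OIDCClientSecret", "OIDCCryptoPassphrase", "OIDCOAuthClientSecret"}
ENDPOINT_DIRECTIVES = {"OIDCProviderMetadataURL", "OIDCRedirectURI", "OIDCOAuthIntrospectionEndpoint"}
# Keystone federation paths that must sit behind an Apache auth block.
REQUIRED_PROTECTED_PATHS = (
    "/v3/auth/OS-FEDERATION/websso/openid",
    "/v3/OS-FEDERATION/identity_providers/moc/protocols/openid/auth",
)


def parse_httpd_config(text):
    """Minimal Apache config parser returning (top_level, sections).

    top_level maps directive name -> list of argument lists; sections maps the
    path named by a <Location>/<LocationMatch> block to the same kind of mapping
    for the directives inside it.  A stack tracks nesting so unbalanced tags
    raise instead of being ignored."""
    top, sections, stack = {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := SECTION_OPEN.match(line):
            # '<Location ~ "/path">' and '<LocationMatch "/path">' both end with
            # the path; shlex strips the quotes and isolates the '~' flag.
            path = shlex.split(m.group(2))[-1]
            stack.append(path)
            sections.setdefault(path, {})
            continue
        if SECTION_CLOSE.match(line):
            if not stack:
                raise ValueError(f"unbalanced close tag: {line}")
            stack.pop()
            continue
        name, _, rest = line.partition(" ")
        target = sections[stack[-1]] if stack else top
        target.setdefault(name, []).append(shlex.split(rest))
    if stack:
        raise ValueError(f"unclosed section: {stack[-1]}")
    return top, sections


def check_federation_config(text):
    """Return a list of human-readable problems; an empty list means the vhost is intact."""
    top, sections = parse_httpd_config(text)
    problems = []
    modules = [args[0] for args in top.get("LoadModule", []) if args]
    if "auth_openidc_module" not in modules:
        problems.append("mod_auth_openidc is not loaded")
    for name in REQUIRED_DIRECTIVES:
        values = top.get(name)
        if not values:
            problems.append(f"missing directive {name}")
            continue
        first = [a[0] if a else "" for a in values]
        if name in SECRET_DIRECTIVES and any(v in PLACEHOLDERS for v in first):
            problems.append(f"{name} still holds a placeholder value")
        if name in ENDPOINT_DIRECTIVES and not all(v.startswith("https://") for v in first):
            problems.append(f"{name} is not an https URL")
    for path in REQUIRED_PROTECTED_PATHS:
        block = sections.get(path)
        if block is None:
            problems.append(f"no Location block protects {path}")
        elif "AuthType" not in block or ["valid-user"] not in block.get("Require", []):
            problems.append(f"{path} lacks AuthType/Require valid-user")
    return problems


# Constructed: a vhost carrying the directives from the report, secrets filled in.
GOOD_CONFIG = """
LoadModule auth_openidc_module modules/mod_auth_openidc.so
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "https://sso.example.test/auth/realms/moc/.well-known/openid-configuration"
OIDCClientID "kaizen"
OIDCClientSecret "constructed-client-secret"
OIDCCryptoPassphrase "constructed-passphrase"
OIDCRedirectURI "https://keystone.example.test:13000/v3/auth/OS-FEDERATION/websso/openid"
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
    AuthType "openid-connect"
    Require valid-user
</LocationMatch>
OIDCOAuthClientID "kaizen"
OIDCOAuthClientSecret "constructed-client-secret"
OIDCOAuthIntrospectionEndpoint "https://sso.example.test/auth/realms/moc/protocol/openid-connect/token/introspect"
<Location ~ "/v3/OS-FEDERATION/identity_providers/moc/protocols/openid/auth">
    AuthType oauth20
    Require valid-user
</Location>
"""
# Constructed: what a plain puppet-rendered WSGI vhost looks like with nothing injected.
STALE_CONFIG = """
LoadModule wsgi_module modules/mod_wsgi.so
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
"""

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("stale", STALE_CONFIG)):
        print(label, check_federation_config(cfg) or "OK")
```

Run it against the vhost files puppet-keystone writes (10-keystone_wsgi_main.conf / 10-keystone_wsgi_admin.conf) after each deploy; a non-empty result is the signal that the post-deploy step has to be re-applied before federated logins are attempted.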

Comment 3 Raildo Mascena de Sousa Filho 2020-03-30 14:14:02 UTC
Moving it for an RFE, this will be prioritized accordingly later for some new release.

Comment 10 Dave Wilde 2022-03-17 18:08:45 UTC

*** This bug has been marked as a duplicate of bug 1590932 ***