Description of problem:
With external OpenId provider (Keycloak) it was not possible to obtain token for further engine's Rest API calls.

Version-Release number of selected component (if applicable):
ovirt-engine.noarch 4.3.10.4-1.el7 @ovirt-4.3
ovirt-engine-extension-aaa-misc.noarch 1.0.4-1.el7 @ovirt-4.3
mod_auth_openidc.x86_64 1.8.8-5.el7 @base

How reproducible:

Steps to Reproduce:
1. Setup Keycloak with Ovirt Engine according to [1]
2. curl -k -H "Accept: application/json" 'https://engine.example.com/ovirt-engine/sso/oauth/token?grant_type=password&username=myuser@openidchttp&password=mypass&scope=ovirt-app-api'

Actual results:
{"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}

Expected results:
Valid token should be returned

Additional info:
[1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/

[root@virt ~]# cat /etc/*elease
CentOS Linux release 7.7.1908 (Core)
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"

CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"

CentOS Linux release 7.7.1908 (Core)
CentOS Linux release 7.7.1908 (Core)

Keycloak: 10.0.1
I managed to re-create the issue on my local environment. Previously I tested it against Keycloak 8.0.1 with users loaded from LDAP. Currently I have users/groups created via the Keycloak management panel. I need to investigate further which of the two changes is the root cause (it works fine with the old setup).
This issue exists for Keycloak version 10.0.x. The most recent working integration is with Keycloak 9.0.3.
Based on the response on Keycloak's forum: there was a Keycloak change [1] based on ticket [2] that added a strict requirement for all the scopes for an access token to be configured. "Only proper configuration of requested scope should be valid solution." Previously, such scopes were ignored.

[1] https://github.com/keycloak/keycloak/commit/cbab159aa87ca5e3443b3e87fdbf8de40542d1d3
[2] https://issues.redhat.com/browse/KEYCLOAK-8071

What needs to be done here is to identify the 'unknown' scope and then make it fully registered ('known' to the client configuration in the Keycloak UI). This looks more like a configuration (documentation) issue, but it must yet be confirmed.
The fix:
Keycloak must be aware of an additional client scope for the configured client that is created the same way as 'ovirt-app-admin' or 'ovirt-app-api'.

The name of the new optional client scope is: 'ovirt-ext=auth:sequence-priority=~' as on screenshot [1]

[1] https://drive.google.com/file/d/1vJqcEZ3hhlyHQ2H5Vm9qsrw1x5aeVEkw/view?usp=sharing

Tested and confirmed with Keycloak 11.0.2
Created attachment 1937052
Additional scopes for oVirt in Keycloak

> The fix:
> Keycloak must be aware of additional client scope for configured client that is created the same ways as 'ovirt-app-admin' or 'ovirt-app-api'
>
> The name of the new optional client scope is: 'ovirt-ext=auth:sequence-priority=~' as on screenshot[1]
>
> [1] https://drive.google.com/file/d/1vJqcEZ3hhlyHQ2H5Vm9qsrw1x5aeVEkw/view?usp=sharing
>
> Tested and confirmed with Keycloak 11.0.2

I don't have permissions to reshare the image, so attaching it directly to the bug
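The fix above is a Keycloak configuration change: every scope the engine's SSO forwards, plus the 'ovirt-ext=auth:sequence-priority=~' scope named in the fix, must exist as a client scope on the Keycloak client, since Keycloak 10 rejects unknown scopes instead of ignoring them. The script below is an added example, not code from this bug report, oVirt or Keycloak. It parses the engine's access_denied reply from step 2 to recover the forwarded scope list, diffs it (together with the fix scope) against the scopes already defined on the client, and registers each missing one as an optional client scope through the Keycloak admin REST API. The two endpoints (POST /admin/realms/{realm}/client-scopes, PUT /admin/realms/{realm}/clients/{id}/optional-client-scopes/{scopeId}), the ClientScopeRepresentation shape, and the KC_* environment variables are assumptions; check them against your Keycloak version.

```python
"""Added example, not code from the bug report, oVirt or Keycloak.

Compute which scopes the oVirt engine asks Keycloak for that the Keycloak client
does not define, and register each one as an optional client scope via the
Keycloak admin REST API (endpoint paths and JSON shape are assumptions).
"""
import json
import os
import re
import urllib.request

FIX_SCOPE = "ovirt-ext=auth:sequence-priority=~"  # the scope named in the fix comment

# Constructed sample: the engine's JSON reply quoted in the bug description.
SAMPLE_ERROR = json.dumps({
    "error_description": (
        "Cannot authenticate user Invalid scopes: ovirt-app-api "
        "ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search "
        "ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate "
        "ovirt-ext=token:password-access."
    ),
    "error": "access_denied",
})


def scopes_from_error(body):
    """Return the space-separated scope list after 'Invalid scopes:' (trailing dot dropped)."""
    desc = json.loads(body).get("error_description", "")
    m = re.search(r"Invalid scopes:\s*(.*?)\.?$", desc)
    return m.group(1).split() if m else []


def missing_scopes(requested, configured):
    """Scopes the engine asks for that the Keycloak client does not define yet."""
    known = set(configured)
    return [s for s in requested if s not in known]


def client_scope_payload(name):
    """Keycloak ClientScopeRepresentation for an openid-connect scope (assumed shape)."""
    return {
        "name": name,
        "protocol": "openid-connect",
        "attributes": {
            "include.in.token.scope": "true",
            "display.on.consent.screen": "false",
        },
    }


def register_optional_scope(base, realm, client_uuid, name, token, send):
    """Create client scope `name`, then attach it to the client as an optional scope.

    `send(method, url, body, headers)` must return (status, headers_dict); it is
    injected so the flow can be exercised against a fake transport.  Returns the
    new scope's id, which Keycloak reports in the Location header of the POST.
    """
    headers = {"Authorization": "Bearer " + token, "Content-Type": "application/json"}
    status, hdrs = send("POST", f"{base}/admin/realms/{realm}/client-scopes",
                        json.dumps(client_scope_payload(name)), headers)
    if status != 201:
        raise RuntimeError(f"creating client scope {name!r} failed with HTTP {status}")
    location = next(v for k, v in hdrs.items() if k.lower() == "location")
    scope_id = location.rstrip("/").rsplit("/", 1)[-1]
    status, _ = send("PUT", f"{base}/admin/realms/{realm}/clients/{client_uuid}"
                            f"/optional-client-scopes/{scope_id}", None, headers)
    if status != 204:
        raise RuntimeError(f"attaching scope {name!r} to client failed with HTTP {status}")
    return scope_id


def http_send(method, url, body, headers):
    """Real transport: urllib request returning (status, headers)."""
    req = urllib.request.Request(url, data=body.encode() if body else None,
                                 method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:  # TLS is verified; no curl -k equivalent here
        return resp.status, dict(resp.headers)


if __name__ == "__main__":
    # Assumed environment: KC_URL, KC_REALM, KC_CLIENT_UUID (the client's internal id,
    # not its clientId), KC_TOKEN (an admin access token) and, optionally,
    # KC_CONFIGURED_SCOPES listing the scopes already defined on the client.
    requested = scopes_from_error(SAMPLE_ERROR) + [FIX_SCOPE]
    configured = os.environ.get("KC_CONFIGURED_SCOPES", "ovirt-app-api ovirt-app-admin").split()
    for scope in missing_scopes(requested, configured):
        sid = register_optional_scope(os.environ["KC_URL"], os.environ["KC_REALM"],
                                      os.environ["KC_CLIENT_UUID"], scope,
                                      os.environ["KC_TOKEN"], http_send)
        print(f"registered {scope} as optional client scope {sid}")
```

After the scopes are registered, repeat the curl from step 2 of the report; a token should come back instead of the access_denied error. The transport is injected so that the create-then-attach sequence and its HTTP status checks can be verified without a Keycloak instance.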