Description of problem:
An update to mod_auth_openidc in 2.4.x changes the way that it handles headers as well as the remote_id_attribute. This breaks our current implementation of OIDC federation, where the claim is now missing the fields necessary to correctly map the federated user. Fields containing underscores are being removed by Apache.

Version-Release number of selected component (if applicable):
17.1.3

How reproducible:
Always with our recommended federation configuration.

Steps to Reproduce:
1. Configure OSP to use OIDC federation
2. Attempt to log in via the Horizon dashboard
3. Keystone will return a 403, unable to find the correct user_id field for mapping

Actual results:
Keystone will return a 403; enabling insecure_debug will show that the OIDC-preferred_username is missing.

Expected results:
The user should be redirected to the Horizon dashboard after successfully authenticating.

Additional info:
The fix is to remove OIDCPassClaimsAs headers from keystone's httpd configuration and to change the remote_id_attribute to OIDC-iss in the keystone configuration file.
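The following is an added example, not part of the bug report and not the RHOSP fix itself. It models, in a simplified way, the effect the reporter describes (Apache dropping claim headers whose names contain an underscore before they reach keystone) and scans the two configuration fragments named in the fix. The sample httpd and keystone.conf fragments are constructed; the "before" remote_id_attribute value is a placeholder for whatever a deployment had prior to the fix, and the header-to-environ model is an assumption, not Apache's or mod_wsgi's actual code.

```python
"""Added example: model the underscore-dropping behaviour from the bug
and check the two config changes its fix describes (assumptions noted)."""
import configparser
import re

# Constructed sample claims as mod_auth_openidc would emit them as headers
# with the default "OIDC-" style prefix (values are made up).
CLAIM_HEADERS = {
    "OIDC-iss": "https://idp.example.test",
    "OIDC-sub": "1234",
    "OIDC-preferred_username": "alice",
}

# Constructed httpd vhost fragments: before (as the bug describes) and after.
HTTPD_BEFORE = """\
OIDCClaimPrefix "OIDC-"
OIDCPassClaimsAs headers
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
"""
HTTPD_AFTER = """\
OIDCClaimPrefix "OIDC-"
OIDCProviderMetadataURL https://idp.example.test/.well-known/openid-configuration
"""

# Constructed keystone.conf fragments; "HTTP_OIDC_ISS" below is only a
# placeholder for the pre-fix value, not taken from the bug report.
KEYSTONE_BEFORE = """\
[openid]
remote_id_attribute = HTTP_OIDC_ISS
"""
KEYSTONE_AFTER = """\
[openid]
remote_id_attribute = OIDC-iss
"""


def apache_header_environ(headers):
    """Simplified model (assumption) of how Apache exposes request headers
    to a WSGI app: names containing '_' are dropped, the rest become
    HTTP_<NAME> with '-' mapped to '_' and upper-cased."""
    env = {}
    for name, value in headers.items():
        if "_" in name:
            continue  # dropped, which is what the bug report observes
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def claims_lost_as_headers(claim_headers):
    """Claim header names that would never reach keystone under the model."""
    return sorted(name for name in claim_headers if "_" in name)


def httpd_passes_claims_as_headers(httpd_conf):
    """True when the fragment still contains 'OIDCPassClaimsAs headers'."""
    for line in httpd_conf.splitlines():
        m = re.match(r"\s*OIDCPassClaimsAs\s+(\S+)", line)
        if m and m.group(1).strip('"').lower() == "headers":
            return True
    return False


def keystone_remote_id_attribute(keystone_conf):
    """remote_id_attribute from [openid], falling back to [federation]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf)
    value = cp.get("openid", "remote_id_attribute", fallback=None)
    if value is None:
        value = cp.get("federation", "remote_id_attribute", fallback=None)
    return value


def check(httpd_conf, keystone_conf):
    """Findings against the fix stated in the bug: no 'OIDCPassClaimsAs
    headers' in httpd, and remote_id_attribute = OIDC-iss in keystone."""
    findings = []
    if httpd_passes_claims_as_headers(httpd_conf):
        findings.append("httpd: remove 'OIDCPassClaimsAs headers'")
    rid = keystone_remote_id_attribute(keystone_conf)
    if rid != "OIDC-iss":
        findings.append(
            f"keystone.conf: remote_id_attribute is {rid!r}, expected 'OIDC-iss'"
        )
    return findings


if __name__ == "__main__":
    print("claims lost as headers:", claims_lost_as_headers(CLAIM_HEADERS))
    print("environ seen by keystone:", apache_header_environ(CLAIM_HEADERS))
    print("before fix:", check(HTTPD_BEFORE, KEYSTONE_BEFORE))
    print("after fix:", check(HTTPD_AFTER, KEYSTONE_AFTER))
```

Running the script shows the preferred_username claim disappearing while OIDC-iss survives, which is why the mapping fails before the fix and why the issuer claim is the safer choice for remote_id_attribute once claims travel as headers.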
Verified on RHOS-17.1-RHEL-9-20240909.n.1. Login of federated users was successful.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: RHOSP 17.1.4 (openstack-tripleo-heat-templates) security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:9978