tkajinam | I wonder how https://opendev.org/openstack/keystone/src/commit/2ac039b717669bf9744f72161e82bdac46dbfacf/devstack/files/oidc/apache_oidc.conf#L15-L16 was tested. I see it contains a few problems and I suspect it does not work for some usages | 07:13 |
tkajinam | there are two OIDCRedirectURI lines but afaik this option does not support multiple values. so probably the 2nd uri, which is used when WEBSSO_IDP_MAPPING is set doesn't work I guess | 07:13 |
tkajinam | also it lacks the redirecturi for keystone access ( OS-FEDERATION/identity_providers/<idp name>/protocols/<protocol>/auth ) | 07:14 |
tkajinam | finally this url ( https://opendev.org/openstack/keystone/src/commit/2ac039b717669bf9744f72161e82bdac46dbfacf/devstack/files/oidc/apache_oidc.conf#L30 ) looks incorrect. According to keystone endpoints the uri should not contain /auth/ | 07:15 |
frickler | tkajinam: iiuc that commit added an experimental job for it which passed at the time https://review.opendev.org/c/openstack/keystone/+/864566 no idea if that does the right thing though | 07:56 |
gtema | Wrt redirecturi - my tests showed that exactly the last one wins and not the first one, but I agree it should not be doubled in the conf | 08:01 |
gtema | Basically there are definitely wrong things in the conf, but what is absolutely required is there and works. Everything is a question of what exactly is being tested | 08:02 |
tkajinam | frickler, I may probably have to trigger that test, and see which tempest job is run. though now federation job (not oidc, not k2k) is failing and I guess it may be broken as well | 08:04 |
tkajinam | gtema, yeah that's what I expected (the last one wins) | 08:04 |
tkajinam | I was asking that question because of a bug report we recently received for puppet-keystone in https://bugs.launchpad.net/bugs/2055041 ... | 08:05 |
tkajinam | in case we enable oidc auth for keystone and also sso then we need different redirect uris for these. but mod_auth_openidc does not support multiple redirect uris in single vhost and was looking for a "correct" way to configure both | 08:06 |
gtema | I don't get why you need 2 redirects | 08:15 |
gtema | The redirect itself serves "just" moving to any protected point, at least that is what is stated somewhere in the doc | 08:17 |
tkajinam | gtema, IIUC when we use federated auth in keystone then we have to protect a specific keystone endpoint. | 08:35 |
tkajinam | and keystone uses different uri for token generation and websso afaik. the first one is /v3/OS-FEDERATION/identity_providers/<idp name>/protocols/<protocol name>/id . the latter is /v3/OS-FEDERATION/websso/<protocol> (or /v3/OS-FEDERATION/identity_providers/<idp name>/protocols/<protocol>/websso) | 08:36 |
gtema | you need to protect only federated auth endpoints to have mod_auth_oidc doing its job | 08:37 |
tkajinam | the first one should be /v3/OS-FEDERATION/identity_providers/<idp name>/protocols/<protocol name>/auth | 08:37 |
gtema | but the protection has nothing to do with the redirect itself | 08:37 |
tkajinam | ah, ok so we don't have to protect websso endpoint ? | 08:37 |
gtema | you need redirect to implement sso, nothing else (afaik) | 08:37 |
tkajinam | if you protect an endpoint then it should be allowed as a redirect target. that's what I understood but I might have silly misunderstanding. | 08:38 |
gtema | you need to protect federated auth endpoints: /v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso, /v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/auth, /v3/auth/OS-FEDERATION/websso/openid | 08:38 |
tkajinam | and we have to put all to OIDCRedirectURI, don't we ? | 08:39 |
gtema | no, only http://localhost:5000/v3/auth/OS-FEDERATION/websso/openid is enough | 08:40 |
tkajinam | but doesn't it assume that WEBSSO_IDP_MAPPING is not set in horizon ? | 08:41 |
tkajinam | AFAIK if WEBSSO_IDP_MAPPING is set and idp is found in the map then horizon uses /v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso instead of /v3/auth/OS-FEDERATION/websso/openid | 08:42 |
gtema | that's why you have this url also in the protected urls | 08:42 |
gtema | keystone allows you to have so to say 2 auth urls: with explicit protocol/mapping and without (assuming there is only one) | 08:43 |
tkajinam | ok | 08:44 |
tkajinam | I may probably have to deploy oidc federation and learn how it works | 08:44 |
tkajinam | what confuses me now is that we have three uri (1 for keystone and 2 for websso) and I don't fully understand why we need redirect to only one of these three | 08:44 |
gtema | from mod_auth_oidc docs: | 08:45 |
gtema | # OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content | 08:45 |
gtema | it is not serving to what you think redirect is for - this is something internal for mod_auth_oidc, but I myself am not able to say what exactly | 08:46 |
gtema | ah, next statement in docs says: and register the OIDCRedirectURI as the Redirect or Callback URI with your client at the Provider | 08:47 |
gtema | so it is not for the keystone/horizon, but for the mod_auth_oidc <-> IDP config | 08:47 |
tkajinam | hmm ok. I still have to learn more about this area to digest what is explained in their docs | 08:49 |
tkajinam | gtema, thanks ! | 08:51 |
gtema | welcome | 08:51 |
*** mklejn_ is now known as mklejn | 09:00 |
opendevreview | OpenStack Release Bot proposed openstack/oslo.limit master: reno: Update master for unmaintained/victoria https://review.opendev.org/c/openstack/oslo.limit/+/911745 | 14:16 |
opendevreview | OpenStack Release Bot proposed openstack/oslo.policy master: reno: Update master for unmaintained/victoria https://review.opendev.org/c/openstack/oslo.policy/+/911753 | 14:16 |
opendevreview | OpenStack Release Bot proposed openstack/oslo.limit master: reno: Update master for unmaintained/wallaby https://review.opendev.org/c/openstack/oslo.limit/+/911795 | 14:21 |
opendevreview | OpenStack Release Bot proposed openstack/oslo.policy master: reno: Update master for unmaintained/wallaby https://review.opendev.org/c/openstack/oslo.policy/+/911803 | 14:22 |
opendevreview | OpenStack Release Bot proposed openstack/oslo.limit master: reno: Update master for unmaintained/xena https://review.opendev.org/c/openstack/oslo.limit/+/911835 | 14:25 |
opendevreview | OpenStack Release Bot proposed openstack/oslo.policy master: reno: Update master for unmaintained/xena https://review.opendev.org/c/openstack/oslo.policy/+/911843 | 14:26 |
-opendevstatus- NOTICE: Jobs that fail due to being unable to resolve mirror.dfw.rackspace.opendev.org can be rechecked. This error was an unexpected side effect of some nodepool configuration changes which have been reverted. | 16:54 |
opendevreview | David Wilde proposed openstack/keystone master: Add ability to create users and projects from keystone-manage https://review.opendev.org/c/openstack/keystone/+/912023 | 20:28 |