Keystone OIDC JWKS fix
JWT validation failed on the auth-oidc endpoint used by the OpenStack CLI with a "could not find key with kid: XX" error. To fix this we need to use the JWKS published at the "jwks_uri" advertised by the OIDC metadata endpoint. A missing "ServerName" directive in the vhost config causes redirection to fail in some cases when external TLS is enabled. - added "keystone_federation_oidc_jwks_uri" variable - added "OIDCOAuthVerifyJwksUri" to keystone vhost config - added "ServerName" to keystone vhost config - jinja templating additional whitespace trimmed to correct end result indentation and empty newlines Closes-bug: 1990375 Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
This commit is contained in:
parent
81d4d26279
commit
9892976119
@ -220,6 +220,7 @@ keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_conf
|
||||
keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keystone/federation/oidc/metadata"
|
||||
keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
|
||||
keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
|
||||
keystone_federation_oidc_jwks_uri: ""
|
||||
|
||||
# These variables are used to define multiple trusted Horizon dashboards.
|
||||
# keystone_trusted_dashboards: ['<https://dashboardServerOne/auth/websso/>', '<https://dashboardServerTwo/auth/websso/>', '<https://dashboardServerN/auth/websso/>']
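Review bot: `keystone_federation_oidc_jwks_uri: ""` lands in the defaults file without any comment, while the trusted-dashboards variable directly below it is documented. I would add above it: `# JWKS (JSON Web Key Set) URI of the OIDC IdP, i.e. the jwks_uri value from its discovery document; only rendered into the vhost when non-empty. Needed for JWT validation on the auth-openidc endpoint used by the CLI.` The hunk ends inside the file, so I can't tell whether the OIDC variables further up already carry a comment block this line should be folded into.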
|
||||
|
@ -39,6 +39,11 @@ LogLevel info
|
||||
|
||||
|
||||
<VirtualHost *:{{ keystone_public_listen_port }}>
|
||||
{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
|
||||
{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
|
||||
{% if kolla_enable_tls_external | bool %}
|
||||
ServerName {{ keystone_public_url }}
|
||||
{% endif %}
|
||||
WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
|
||||
@ -55,7 +60,7 @@ LogLevel info
|
||||
SSLEngine on
|
||||
SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
|
||||
SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
|
||||
{% endif %}
|
||||
{% endif -%}
|
||||
|
||||
{% if keystone_enable_federation_openid %}
|
||||
OIDCClaimPrefix "OIDC-"
|
||||
@ -63,6 +68,9 @@ LogLevel info
|
||||
OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
|
||||
OIDCScope "{{ keystone_federation_oidc_scopes }}"
|
||||
OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
|
||||
{% if keystone_federation_oidc_jwks_uri | length > 0 %}
|
||||
OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
|
||||
{% endif %}
|
||||
{% if keystone_federation_openid_certificate_key_ids | length > 0 %}
|
||||
OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
|
||||
{% endif %}
|
||||
@ -96,7 +104,7 @@ LogLevel info
|
||||
|
||||
{# CLI / API authentication endpoint -#}
|
||||
{% for idp in keystone_identity_providers %}
|
||||
{% if idp.protocol == 'openid' %}
|
||||
{% if idp.protocol == 'openid' -%}
|
||||
<LocationMatch /v3/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/auth>
|
||||
Require valid-user
|
||||
{# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
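Review bot: The `OIDCOAuthVerifyJwksUri` directive added in the `@@ -63,6 +68,9 @@` hunk is emitted for any non-empty `keystone_federation_oidc_jwks_uri`, so an `http://` value would make Apache fetch the keys that validate bearer tokens over plaintext, where an on-path attacker could substitute its own key set and mint tokens Keystone accepts. I would add a precheck (prechecks.yml is outside this change) asserting the value starts with `https://`, plus a note above the directive: `{# Keys fetched here are the trust root for JWT bearer-token validation on the auth-openidc endpoint; the URI must be the IdP's jwks_uri and must be https. -#}`. Whether mod_auth_openidc itself refuses a plaintext URI I can't confirm from here, so enforcing it in prechecks is the safer option. For consistency with the quoted `OIDCResponseType`/`OIDCScope` values just above, `OIDCOAuthVerifyJwksUri "{{ keystone_federation_oidc_jwks_uri }}"` would also match the file's style.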
|
||||
|
@ -88,6 +88,14 @@ below:
|
||||
- name: "mappingId1"
|
||||
file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
|
||||
|
||||
In some cases it's necessary to add JWKS (JSON Web Key Set) uri.
|
||||
It is required for auth-openidc endpoint - which is
|
||||
used by OpenStack command line client. Example config shown below:
|
||||
|
||||
.. code-block:: yaml
|
||||
|
||||
keystone_federation_oidc_jwks_uri: "https://<AUTH PROVIDER>/<ID>/discovery/v2.0/keys"
|
||||
|
||||
Identity providers configurations
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
@ -0,0 +1,7 @@
|
||||
---
|
||||
fixes:
|
||||
- |
|
||||
Fixes Keystone OIDC failing to validate JWT because of missing key
|
||||
on Azure auth-oidc endpoint. Adds new variable containing JWKS uri
|
||||
that delivers missing keys.
|
||||
`LP#1990375 <https://bugs.launchpad.net/kolla-ansible/+bug/1990375>`__
|