From 4e12e19c87d3e0c66ca1aab238398be23b6c1553 Mon Sep 17 00:00:00 2001
From: Steve Martinelli
Date: Tue, 4 Nov 2014 12:49:37 -0500
Subject: [PATCH] Add openid connect support

Add minor changes to the code to support the apache module mod_auth_openidc (https://github.com/pingidentity/mod_auth_openidc)

Also add documention on how to setup mod_auth_openidc for SP federation.

implements: bp openid-connect
Change-Id: Ia48e94905de0a9ee0e3c8d4f007075cba6e7e770
---
 doc/source/configure_federation.rst | 6 +-
 doc/source/extensions/federation.rst | 7 ++-
 doc/source/extensions/openidc.rst | 93 ++++++++++++++++++++++++++++
 keystone/token/providers/common.py | 2 +-
 4 files changed, 102 insertions(+), 6 deletions(-)
 create mode 100644 doc/source/extensions/openidc.rst

diff --git a/doc/source/configure_federation.rst b/doc/source/configure_federation.rst
index 4903b5b711..a7218c5a93 100644
--- a/doc/source/configure_federation.rst
+++ b/doc/source/configure_federation.rst
@@ -117,11 +117,13 @@ Configure Apache to use a federation capable authentication method
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 There are many ways to configure Federation in the Apache HTTPD server.
-Shibboleth is the only one documented so far.
+Using Shibboleth and OpenID Connect are documented so far.
 
-Follow the steps outlined at: `Setup Shibboleth`_.
+* Follow the steps outlined at: `Setup Shibboleth`_.
+* Follow the steps outlined at: `Setup OpenID Connect`_.
 
 .. _`Setup Shibboleth`: extensions/shibboleth.html
+.. _`Setup OpenID Connect`: extensions/openidc.html
 
 Enable the ``OS-FEDERATION`` extension
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/doc/source/extensions/federation.rst b/doc/source/extensions/federation.rst
index 2fce36865a..840237a6e2 100644
--- a/doc/source/extensions/federation.rst
+++ b/doc/source/extensions/federation.rst
@@ -26,12 +26,13 @@ To enable the federation extension:
     [federation]
     driver = keystone.contrib.federation.backends.sql.Federation
 
-2. Add the ``saml2`` authentication method to the ``[auth]`` section in
-   ``keystone.conf``::
+2. Add the ``saml2`` and/or ``oidc`` authentication methods to the ``[auth]``
+   section in ``keystone.conf``::
 
     [auth]
-    methods = external,password,token,saml2
+    methods = external,password,token,saml2,oidc
     saml2 = keystone.auth.plugins.mapped.Mapped
+    oidc = keystone.auth.plugins.mapped.Mapped
 
 .. NOTE::
     The ``external`` method should be dropped to avoid any interference with
diff --git a/doc/source/extensions/openidc.rst b/doc/source/extensions/openidc.rst
new file mode 100644
index 0000000000..f515309e42
--- /dev/null
+++ b/doc/source/extensions/openidc.rst
@@ -0,0 +1,93 @@ +:orphan: + +.. + Licensed under the Apache License, Version 2.0 (the "License"); you may + not use this file except in compliance with the License. You may obtain + a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the + License for the specific language governing permissions and limitations + under the License. + +==================== +Setup OpenID Connect +==================== + +Configuring mod_auth_openidc +============================ + +Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_) + +.. _`mod_auth_openidc`: https://github.com/pingidentity/mod_auth_openidc + +To install `mod_auth_openidc` on Ubuntu, perform the following: + +.. code-block:: bash + + sudo apt-get install libapache2-mod-auth-openidc + +Note that this module is not available on Fedora/CentOS/Red Hat. + +In the keystone Apache site file, add the following as a top level option, to +load the `mod_auth_openidc` module: + +.. code-block:: xml + + LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so + +Also within the same file, locate the virtual host entry and add the following +entries for OpenID Connect: + +.. code-block:: xml + + + + ... 
+ + OIDCClaimPrefix "OIDC-" + OIDCResponseType "id_token" + OIDCScope "openid email profile" + OIDCProviderMetadataURL + OIDCClientID + OIDCClientSecret + OIDCCryptoPassphrase openstack + OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers//protocols/oidc/auth/redirect + + + AuthType openid-connect + Require valid-user + LogLevel debug + + + +Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration +If not using `OIDCProviderMetadataURL`, then the following attributes +must be specified: `OIDCProviderIssuer`, `OIDCProviderAuthorizationEndpoint`, +`OIDCProviderTokenEndpoint`, `OIDCProviderTokenEndpointAuth`, +`OIDCProviderUserInfoEndpoint`, and `OIDCProviderJwksUri` + +Note, if using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix` +must be specified to have only alphanumerics or a dash ("-"). This is because +mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed +for more details + +Once you are done, restart your Apache daemon: + +.. code-block:: bash + + $ service apache2 restart + +Tips +==== + +1. When creating a mapping, note that the 'remote' attributes will be prefixed, + with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a + typical remote value to check for is: `HTTP_OIDC_ISS`. + +2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see `Step 2`_ + +.. _`Step 2`: federation.html \ No newline at end of file diff --git a/keystone/token/providers/common.py b/keystone/token/providers/common.py index 06ea8ccd9c..d6f6d2e956 100644 --- a/keystone/token/providers/common.py +++ b/keystone/token/providers/common.py 
@@ -429,7 +429,7 @@ class BaseProvider(provider.Provider):
             trust = self.trust_api.get_trust(metadata_ref['trust_id'])
 
         token_ref = None
-        if 'saml2' in method_names:
+        if 'saml2' in method_names or 'oidc' in method_names:
             token_ref = self._handle_federation_tokens(
                 auth_context, project_id, domain_id)
 
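Review bot: The federated-token dispatch on the changed `if` now rests on a hard-coded pair of method-name literals, so any further protocol that an operator wires to `keystone.auth.plugins.mapped.Mapped` under another `[auth]` method name (federation.rst in this same commit shows `oidc` being registered that way) would presumably take the non-federated path and never reach `_handle_federation_tokens`. Keeping the list in one named place makes that coupling visible and the condition readable: `FEDERATED_METHODS = ('saml2', 'oidc')` at module level and `if any(m in method_names for m in FEDERATED_METHODS):` here. A one-line comment on the condition would also help a reader who does not know the mapped plugin, e.g. `# Requests authenticated through a mapped federation protocol get a federated token.`. The enclosing method begins before this hunk and its body continues after it, so callers that rely on `token_ref` staying `None` for non-federated methods are not visible here.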