Update OIDC Apache config to avoid masking Keystone API endpoint

The current configuration for the OIDCRedirectURI results in
mod_auth_openidc masking the Keystone federation authentication
endpoint, which results in incorrect responses to requests for
Keystone tokens. This change updates the documentation to
recommend using a vanity URL that does not match a Keystone
API endpoint.

Closes-Bug: 2075349
Change-Id: I1dfba5c71da68522fdb6059f0dc03cddc74cb07d
This commit is contained in:
Jadon Naas 2024-08-01 21:10:43 -04:00
parent f0352c5481
commit 7ac0c3cd33

View File

@ -63,7 +63,7 @@ options:
OIDCClientID <openid_client_id> OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret> OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase <random string> OIDCCryptoPassphrase <random string>
OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth OIDCRedirectURI https://sp.keystone.example.org/v3/redirect_uri
``OIDCScope`` is the list of attributes that the user will authorize the ``OIDCScope`` is the list of attributes that the user will authorize the
Identity Provider to send to the Service Provider. ``OIDCClientID`` and Identity Provider to send to the Service Provider. ``OIDCClientID`` and
@ -77,7 +77,9 @@ must be used while using the AuthType ``auth-openidc``, when using the AuthType
will not be necessary. will not be necessary.
``OIDCRedirectURI`` is a vanity URL that must ``OIDCRedirectURI`` is a vanity URL that must
point to a protected path that does not have any content, such as an extension point to a protected path that does not have any content, such as an extension
of the protected federated auth path. of the protected federated auth path. It should not match any Keystone API endpoints
or mod_auth_openidc will handle requests to the endpoint instead of Keystone. This
can lead to unusual errors and behaviors from Keystone.
.. note:: .. note::
@ -94,6 +96,10 @@ Configure each protected path to use the ``openid-connect`` AuthType:
.. code-block:: apache .. code-block:: apache
<Location ~ "/redirect_uri">
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth> <Location /v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth>
Require valid-user Require valid-user
AuthType openid-connect AuthType openid-connect