Merge "Keystone OIDC JWKS fix"

ansible/roles/keystone/defaults/main.yml

@@ -220,6 +220,7 @@ keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_conf
 keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keystone/federation/oidc/metadata"
 keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
 keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
+keystone_federation_oidc_jwks_uri: ""
 
 # These variables are used to define multiple trusted Horizon dashboards.
 # keystone_trusted_dashboards: ['<https://dashboardServerOne/auth/websso/>', '<https://dashboardServerTwo/auth/websso/>', '<https://dashboardServerN/auth/websso/>']

ansible/roles/keystone/templates/wsgi-keystone.conf.j2

@@ -39,6 +39,11 @@ LogLevel info
 
 
 <VirtualHost *:{{ keystone_public_listen_port }}>
+{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
+{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
+{% if kolla_enable_tls_external | bool %}
+    ServerName {{ keystone_public_url }}
+{% endif %}
     WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
     WSGIProcessGroup keystone-public
     WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
@@ -55,7 +60,7 @@ LogLevel info
     SSLEngine on
     SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
     SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
-{% endif %}
+{% endif -%}
 
 {% if keystone_enable_federation_openid %}
     OIDCClaimPrefix "OIDC-"
@@ -63,6 +68,9 @@ LogLevel info
     OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
     OIDCScope "{{ keystone_federation_oidc_scopes }}"
     OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
+{% if keystone_federation_oidc_jwks_uri | length > 0 %}
+    OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
+{% endif %}
 {% if keystone_federation_openid_certificate_key_ids | length > 0 %}
     OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
 {% endif %}
@@ -96,7 +104,7 @@ LogLevel info
 
     {# CLI / API authentication endpoint -#}
 {% for idp in keystone_identity_providers %}
-{% if idp.protocol == 'openid' %}
+{% if idp.protocol == 'openid' -%}
     <LocationMatch /v3/OS-FEDERATION/identity_providers/{{ idp.name }}/protocols/{{ idp.protocol }}/auth>
       Require valid-user
       {# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}

doc/source/reference/shared-services/keystone-guide.rst

@@ -88,6 +88,14 @@ below:
       - name: "mappingId1"
         file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
 
+In some cases it's necessary to add JWKS (JSON Web Key Set) uri.
+It is required for auth-openidc endpoint - which is
+used by OpenStack command line client. Example config shown below:
+
+.. code-block:: yaml
+
+    keystone_federation_oidc_jwks_uri: "https://<AUTH PROVIDER>/<ID>/discovery/v2.0/keys"
+
 Identity providers configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml

@@ -0,0 +1,7 @@
+---
+fixes:
+  - |
+    Fixes Keystone OIDC failing to validate JWT because of missing key
+    on Azure auth-oidc endpoint. Adds new variable containing JWKS uri
+    that delivers missing keys.
+    `LP#1990375 <https://bugs.launchpad.net/kolla-ansible/+bug/1990375>`__