From 98929761191e265474459a0b73fdbeb07afd2bb4 Mon Sep 17 00:00:00 2001
From: Jakub Darmach
Date: Wed, 21 Sep 2022 14:36:53 +0200
Subject: [PATCH] Keystone OIDC JWKS fix

JWT failed to validate on auth-oidc endpoint used by openstack cli with "could not find key with kid: XX" error. To fix this we need to use jwks provided in "jwks_uri" by OIDC metadata endpoint.
Missing "ServerName" directive from vhost config causes redirection to fail in some cases when external tls is enabled.
- added "keystone_federation_oidc_jwks_uri" variable
- added "OIDCOAuthVerifyJwksUri" to keystone vhost config
- added "ServerName" to keystone vhost config
- jinja templating additional whitespace trimmed to correct end result indentation and empty newlines
Closes-bug: 1990375
Change-Id: I4f5c1bd8be8e23cf6299ca4bdfd79e9d98c9a9eb
---
 ansible/roles/keystone/defaults/main.yml | 1 +
 .../roles/keystone/templates/wsgi-keystone.conf.j2 | 12 ++++++++++--
 .../reference/shared-services/keystone-guide.rst | 8 ++++++++
 .../notes/fix-keystone-oidc-8058917b14b4053c.yaml | 7 +++++++
 4 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100644 releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml
diff --git a/ansible/roles/keystone/defaults/main.yml b/ansible/roles/keystone/defaults/main.yml
index c07c0b1fc0..165d6f3d0b 100644
--- a/ansible/roles/keystone/defaults/main.yml
+++ b/ansible/roles/keystone/defaults/main.yml
@@ -220,6 +220,7 @@ keystone_container_federation_oidc_attribute_mappings_folder: "{{ container_conf
 keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keystone/federation/oidc/metadata"
 keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
 keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
+keystone_federation_oidc_jwks_uri: ""
 # These variables are used to define multiple trusted Horizon dashboards.
 # keystone_trusted_dashboards: ['', '', '']
diff --git a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2 b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
index bdb096167c..1c82a544d6 100644
--- a/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
+++ b/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
@@ -39,6 +39,11 @@ LogLevel info
+{# NOTE(darmach): with external tls enabled OIDC redirection fails, as TLS terminated on haproxy keystone is not aware that redirection should use https. -#}
+{# With missing ServerName Keystone Apache uses fqdn, with http. Adding ServerName pointing to keystone_public_url corrects this. -#}
+{% if kolla_enable_tls_external | bool %}
+ ServerName {{ keystone_public_url }}
+{% endif %}
 WSGIDaemonProcess keystone-public processes={{ keystone_api_workers }} threads=1 user=keystone group=keystone display-name=keystone-public
 WSGIProcessGroup keystone-public
 WSGIScriptAlias / {{ binary_path }}/keystone-wsgi-public
@@ -55,7 +60,7 @@ LogLevel info
 SSLEngine on
 SSLCertificateFile /etc/keystone/certs/keystone-cert.pem
 SSLCertificateKeyFile /etc/keystone/certs/keystone-key.pem
-{% endif %}
+{% endif -%}
 {% if keystone_enable_federation_openid %}
 OIDCClaimPrefix "OIDC-"
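Review bot: The new `keystone_federation_oidc_jwks_uri` default carries no comment, so a reader of defaults/main.yml cannot tell what consumes it or that the empty string means "not configured". A one-line comment above it would close that gap: `# Optional JWKS endpoint of the OIDC provider; when non-empty it is rendered as OIDCOAuthVerifyJwksUri in wsgi-keystone.conf.` Quoting the default as `""` rather than leaving the key bare is the right call here, since a bare value would load as null and the template's `| length` test needs a string.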
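Review bot: `ServerName {{ keystone_public_url }}` is rendered verbatim, and Apache's ServerName accepts only `[scheme://]fqdn[:port]`, so the directive silently assumes `keystone_public_url` never carries a path or trailing slash; nothing in the hunk states that assumption. Since, per the NOTE, the fix works by having Apache take the scheme from ServerName, the comment should say which part of the value matters, e.g. `{# ServerName must be scheme://host[:port]; the https scheme here is what makes Apache build https self-referential URLs. -#}`. The VirtualHost block this directive sits in starts before the hunk, so I could not confirm its indentation matches the neighbouring directives (the rendering here shows a single leading space). The two new `{# ... -#}` lines also run far past the width of the surrounding template; wrapping them would keep the file readable.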
@@ -63,6 +68,9 @@ LogLevel info
 OIDCResponseType "{{ keystone_federation_oidc_response_type }}"
 OIDCScope "{{ keystone_federation_oidc_scopes }}"
 OIDCMetadataDir {{ keystone_container_federation_oidc_metadata_folder }}
+{% if keystone_federation_oidc_jwks_uri | length > 0 %}
+ OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}
+{% endif %}
 {% if keystone_federation_openid_certificate_key_ids | length > 0 %}
 OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
 {% endif %}
@@ -96,7 +104,7 @@ LogLevel info
 {# CLI / API authentication endpoint -#}
 {% for idp in keystone_identity_providers %}
-{% if idp.protocol == 'openid' %}
+{% if idp.protocol == 'openid' -%}
 Require valid-user
 {# Note(jasonanderson): `auth-openidc` is a special auth type that can -#}
diff --git a/doc/source/reference/shared-services/keystone-guide.rst b/doc/source/reference/shared-services/keystone-guide.rst
index 9a51c93316..dc3d766c54 100644
--- a/doc/source/reference/shared-services/keystone-guide.rst
+++ b/doc/source/reference/shared-services/keystone-guide.rst
@@ -88,6 +88,14 @@ below:
 - name: "mappingId1"
 file: "/full/qualified/path/to/mapping/json/file/to/mappingId1"
+In some cases it's necessary to add JWKS (JSON Web Key Set) uri.
+It is required for auth-openidc endpoint - which is
+used by OpenStack command line client. Example config shown below:
+
+.. code-block:: yaml
+
+ keystone_federation_oidc_jwks_uri: "https:////discovery/v2.0/keys"
+
 Identity providers configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
diff --git a/releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml b/releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml
new file mode 100644
index 0000000000..d25c700528
--- /dev/null
+++ b/releasenotes/notes/fix-keystone-oidc-8058917b14b4053c.yaml
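Review bot: `OIDCOAuthVerifyJwksUri {{ keystone_federation_oidc_jwks_uri }}` names the key set that every bearer token presented to the auth-openidc endpoint is verified against, yet the only check before it is rendered is `| length > 0`; a plain `http://` value, or one containing a space, is written into the vhost unchanged and only fails (or silently weakens key trust) once Apache and mod_auth_openidc read it. The expectation deserves a comment next to the directive, e.g. `{# The JWKS URI is the trust anchor for bearer-token key lookup on auth-openidc; use the https jwks_uri advertised in the IdP metadata. -#}`, and a keystone precheck asserting the value matches `^https://` when it is set would surface the misconfiguration at deploy time rather than at first login. Note also that this is a single vhost-wide directive while OIDCMetadataDir can describe several providers, so with more than one IdP configured only this one JWKS would be consulted for signature lookup; if that reading of mod_auth_openidc is right, the guide should say so.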
@@ -0,0 +1,7 @@
+---
+fixes:
+ - |
+ Fixes Keystone OIDC failing to validate JWT because of missing key
+ on Azure auth-oidc endpoint. Adds new variable containing JWKS uri
+ that delivers missing keys.
+ `LP#1990375 `__