openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

oidc: fix overloading of redirect_uri for cli client

Browse Source 
The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.

As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.

Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
This commit is contained in:
Andrew Bonney 2023-10-20 13:50:54 +01:00
parent b54478e7e1
commit 2ed76dee5d
4 changed files with 25 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
defaults/main.yml
View File

@ -535,7 +535,7 @@ keystone_sp: {}
# oidc_client_id: keystone # oidc_client_id: keystone
# oidc_client_secret: secret # oidc_client_secret: secret
# oidc_crypto_passphrase: random string # oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth # oidc_redirect_path: /oidc_redirect
# oidc_oauth_introspection_endpoint: endpoint address (optional) # oidc_oauth_introspection_endpoint: endpoint address (optional)
# oidc_oauth_client_id: string (optional) # oidc_oauth_client_id: string (optional)
# oidc_oauth_client_secret: secret (optional) # oidc_oauth_client_secret: secret (optional)

10
doc/source/configure-federation-sp.rst
View File

@ -310,10 +310,10 @@ for mod_auth_openidc OIDC-based deployments.
restrictions for this password. This should be set to a randomly generated restrictions for this password. This should be set to a randomly generated
string of a sensible length. string of a sensible length.
#. ``oidc_redirect_uri`` is the redirect_uri for this OpenID Connect #. ``oidc_redirect_path`` is the path component of the redirect_uri for this
client; this is a vanity URL that must ONLY point to a path on your OpenID Connect client; this is a vanity URL that must ONLY point to a path
server protected by this module but it must NOT point to any actual on your server protected by this module but it must NOT point to any
content that needs to be served. actual content that needs to be served.
#. ``oidc_claim_prefix`` is the prefix to use when setting claims in the #. ``oidc_claim_prefix`` is the prefix to use when setting claims in the
HTTP headers/environment variables. Defaults to 'OIDC-'. HTTP headers/environment variables. Defaults to 'OIDC-'.
@ -373,7 +373,7 @@ service provider to an IDP using mod_auth_openidc with CADF notifications on.
oidc_client_id: keystone oidc_client_id: keystone
oidc_client_secret: <SECRET> oidc_client_secret: <SECRET>
oidc_crypto_passphrase: <RANDOM STRING> oidc_crypto_passphrase: <RANDOM STRING>
oidc_redirect_uri: https://{{external_lb_vip_address}}:5000/v3/OS-FEDERATION/identity_providers/oidc-idp/protocols/openid/auth oidc_redirect_path: /oidc_redirect
oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one
entity_ids: entity_ids:
- 'https://identity-provider/openid-endpoint/' - 'https://identity-provider/openid-endpoint/'

13
releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml Normal file
View File

@ -0,0 +1,13 @@
---
upgrade:
- |
Keystone OIDC parameter 'oidc_redirect_uri' is replaced with
'oidc_redirect_path'. This parameter no longer needs to be set explicitly
unless you run additional services which may collide with the default
on the same port as Keystone. Your OIDC provider may need to be updated
to reflect this change in redirect URI which defaults to the Keystone
public URL plus the path /oidc_redirect.
fixes:
- |
Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc
if >= v2.4.9 including on Ubuntu Jammy.

7
templates/keystone-httpd.conf.j2
View File

@ -52,7 +52,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }} OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }} OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }} OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }} OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
{% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%} {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%}
OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }} OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
{% endif -%} {% endif -%}
@ -91,6 +91,11 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}" OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
{% endif %} {% endif %}
<Location {{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth> <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
Require valid-user Require valid-user
AuthType auth-openidc AuthType auth-openidc