oidc: fix overloading of redirect_uri for cli client

The redirect URI specified in the Apache config for OIDC
was unintentionally serving a dual purpose as a redirect
URI and a handler for command line auth.

As of mod_auth_openidc v2.4.9 this no longer works.
This change splits the paths for command line auth and
the redirect URI into two to work around this.

Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
Andrew Bonney 2023-10-20 13:50:54 +01:00
parent b54478e7e1
commit 2ed76dee5d
4 changed files with 25 additions and 7 deletions

@ -535,7 +535,7 @@ keystone_sp: {}
# oidc_client_id: keystone
# oidc_client_secret: secret
# oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
# oidc_redirect_path: /oidc_redirect
# oidc_oauth_introspection_endpoint: endpoint address (optional)
# oidc_oauth_client_id: string (optional)
# oidc_oauth_client_secret: secret (optional)
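Review bot: the commented `oidc_redirect_path` example does not say the value is optional, although the Apache template falls back to `/oidc_redirect` when it is unset, so a reader of this defaults file will assume it must be set. Suggest marking it the way the `oidc_oauth_*` lines below are marked, e.g. `# oidc_redirect_path: /oidc_redirect (optional, defaults to /oidc_redirect)`.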

@ -310,10 +310,10 @@ for mod_auth_openidc OIDC-based deployments.
restrictions for this password. This should be set to a randomly generated
string of a sensible length.
#. ``oidc_redirect_uri`` is the redirect_uri for this OpenID Connect
client; this is a vanity URL that must ONLY point to a path on your
server protected by this module but it must NOT point to any actual
content that needs to be served.
#. ``oidc_redirect_path`` is the path component of the redirect_uri for this
OpenID Connect client; this is a vanity URL that must ONLY point to a path
on your server protected by this module but it must NOT point to any
actual content that needs to be served.
#. ``oidc_claim_prefix`` is the prefix to use when setting claims in the
HTTP headers/environment variables. Defaults to 'OIDC-'.
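Review bot: the new ``oidc_redirect_path`` entry keeps the old ``oidc_redirect_uri`` wording ("this is a vanity URL") even though the parameter is now only a path, and it leaves out the two facts an operator needs: the default ``/oidc_redirect``, and that the redirect URI to register at the identity provider is the Keystone public URL followed by this path. Suggest: ``oidc_redirect_path`` is the path component of the redirect_uri for this OpenID Connect client (defaults to ``/oidc_redirect``); the Keystone public URL plus this path is the redirect URI that must be registered with the IdP. It must point to a location protected by this module and must NOT point to any actual content that needs to be served.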
@ -373,7 +373,7 @@ service provider to an IDP using mod_auth_openidc with CADF notifications on.
oidc_client_id: keystone
oidc_client_secret: <SECRET>
oidc_crypto_passphrase: <RANDOM STRING>
oidc_redirect_uri: https://{{external_lb_vip_address}}:5000/v3/OS-FEDERATION/identity_providers/oidc-idp/protocols/openid/auth
oidc_redirect_path: /oidc_redirect
oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one
entity_ids:
- 'https://identity-provider/openid-endpoint/'
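Review bot: the example sets `oidc_redirect_path: /oidc_redirect`, which is exactly the template default, so it reads as a required setting while the release note says it no longer needs to be set explicitly. Either drop the line from the example or add a trailing comment that it is shown at its default value.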

@ -0,0 +1,13 @@
---
upgrade:
- |
Keystone OIDC parameter 'oidc_redirect_uri' is replaced with
'oidc_redirect_path'. This parameter no longer needs to be set explicitly
unless you run additional services which may collide with the default
on the same port as Keystone. Your OIDC provider may need to be updated
to reflect this change in redirect URI which defaults to the Keystone
public URL plus the path /oidc_redirect.
fixes:
- |
Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc
if >= v2.4.9 including on Ubuntu Jammy.
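Review bot: grammar in the fixes entry: "where Apache mod_auth_openidc if >= v2.4.9" should read "is >= v2.4.9". In the upgrade entry, "may need to be updated" understates the impact: OpenID Connect providers only accept a redirect_uri that exactly matches a registered value, so after this change the IdP client registration has to be changed from the old `/v3/OS-FEDERATION/identity_providers/<name>/protocols/openid/auth` URI to the Keystone public URL plus `/oidc_redirect`, otherwise browser logins fail with a redirect_uri mismatch. Suggest "must be updated" and naming the old and new values.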

@ -52,7 +52,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
{% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%}
OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
{% endif -%}
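Review bot: the new `OIDCRedirectURI` line builds the URI by plain concatenation of `keystone_service_publicuri` and the path; if `keystone_service_publicuri` ever carries a trailing slash the result contains `//`, which will not match the value registered at the IdP. Suggest `{{ keystone_service_publicuri | regex_replace('/$', '') }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}` or a comment stating that the variable must not end in a slash. A template comment that this has to be the externally reachable URL (the one the IdP redirects the browser back to) would also help, since the `OIDCXForwardedHeaders` line only applies on >= 2.4.11.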
@ -91,6 +91,11 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
{% endif %}
<Location {{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}>
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
Require valid-user
AuthType auth-openidc
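Review bot: the default `/oidc_redirect` is now duplicated between the `OIDCRedirectURI` line in the previous hunk and this `<Location>` directive, so the two can silently drift if one is edited; suggest resolving the path once (a variable in defaults or a `{% set %}` at the top of the template) and referencing it in both places. A short comment on the new block would also help future readers: `AuthType openid-connect` here is intentional because this location only handles the browser redirect from the IdP, while the `/v3/OS-FEDERATION/.../protocols/openid/auth` location below keeps `AuthType auth-openidc` so it can also validate OAuth 2.0 bearer tokens presented by the command line client, which is the split this commit introduces.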