OpenID Connect cannot authenticate when using multiple IdPs

Bug #1850226 reported by Pedro Henrique Pereira Martins
Affects: keystoneauth
Status: In Progress
Importance: Undecided
Assigned to: Pedro Henrique Pereira Martins
Milestone: (not set)

Bug Description

Versions
========
Keystone: 14.0.1 (Rocky)
Keystoneauth: 3.17.1

Problem description
===================

When we try to use the OpenStack CLI with the OpenId Connect protocol (in an environment with multiple IdPs) to enable federated users to login, we get an error from the CLI while generating the Keystone subject token (not the OIDC access token).

The error happens because when the keystoneauth lib calls the Keystone WSGI (the OIDC proxy) to generate an auth token, it expects an auth token as the response, but it gets an HTML document response: a page for the user to choose which IdP he/she wants to use. In other words, the CLI receives the discovery page HTML.

The actual v3oidcpassword plugin authentication flow is basically:
 - The keystoneauth retrieves the credentials from the configs, like client id, client secret, IdP token URL, username, password. It (keystoneauth) uses these data to generate an access_token in the IdP;
 - Pass this access_token to Keystone to retrieve a subject_token;
 - Use this subject_token to then generate the authentication_token for the specified user's groups and domains.

The problem is that in a federation with many IdPs, the Keystone WSGI protected endpoint needs more information than just the access_token; it needs to know which IdP the user wants to use.

Configurations
==============

export OS_PROJECT_ID=63bc11cc05fe4731853aa07166fb45cf
export OS_PROJECT_NAME=project
export OS_PROJECT_DOMAIN_ID=d28c2423e9b546deb37a034bb2134f4d
export OS_AUTH_URL=http://keystone.service/v3
export OS_INTERFACE=internal
export OS_IDENTITY_API_VERSION=3
export OS_REGION_NAME=region
export OS_AUTH_PLUGIN=openid
export OS_AUTH_TYPE=v3oidcpassword
export OS_USERNAME=federation-test
export OS_PASSWORD=federation-test@2019
export OS_IDENTITY_PROVIDER=provider
export OS_CLIENT_ID=keystone.service
export OS_CLIENT_SECRET=d9bd3ecd-800c-42c1-ab52-98f3d94269a2
export OS_OPENID_SCOPE="openid address email profile phone offline_access"
export OS_PROTOCOL=openid
export OS_ACCESS_TOKEN_ENDPOINT=https://keycloak.dev/auth/realms/provider/protocol/openid-connect/token
export OS_ACCESS_TOKEN_TYPE=access_token
export OS_DISCOVERY_ENDPOINT=https://keycloak.dev/auth/realms/provider/.well-known/openid-configuration
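The flow described in the report, written out as an added example (this is not keystoneauth's code nor anything from the reporter). The federated endpoint path, the Authorization: Bearer header and the X-Subject-Token response header follow Keystone's federation API; the transport, the token values and the EXAMPLE_CFG entries are constructed stand-ins so the example runs offline. What it adds to the description above is an explicit check for the failure mode: when the endpoint answers with the HTML IdP-selection page instead of a token header, the client raises a diagnostic naming that cause rather than failing on the body later.

```python
"""v3oidcpassword-style flow (IdP access_token -> Keystone subject token) with
an explicit check for the 'HTML page instead of token' failure mode."""
import json
from dataclasses import dataclass
from urllib.parse import urlencode


@dataclass
class Response:
    """Minimal HTTP response stand-in (constructed for this example)."""
    status: int
    headers: dict
    body: str


class DiscoveryPageReturned(Exception):
    """Keystone returned an HTML page where a subject token was expected."""


def federation_auth_url(auth_url, identity_provider, protocol):
    """Keystone's federated auth endpoint for one IdP/protocol pair."""
    return (f"{auth_url.rstrip('/')}/OS-FEDERATION/identity_providers/"
            f"{identity_provider}/protocols/{protocol}/auth")


def looks_like_html(resp):
    """True if Content-Type or the body start indicates an HTML document."""
    ctype = resp.headers.get("Content-Type", "").lower()
    body = resp.body.lstrip().lower()
    return ("text/html" in ctype or body.startswith("<!doctype")
            or body.startswith("<html"))


def extract_subject_token(resp):
    """Return the unscoped token, or raise a diagnostic naming the real cause."""
    token = resp.headers.get("X-Subject-Token")
    if resp.status in (200, 201) and token:
        return token
    if looks_like_html(resp):
        raise DiscoveryPageReturned(
            "federated auth endpoint returned an HTML page instead of an "
            "X-Subject-Token header; with several IdPs the OIDC proxy serves "
            "its IdP-selection page when not told which IdP to use")
    raise RuntimeError(f"unexpected response {resp.status}: {resp.body[:80]!r}")


def get_access_token(transport, token_endpoint, client_id, client_secret,
                     username, password, scope):
    """Step 1: resource-owner password grant at the IdP token endpoint."""
    form = urlencode({"grant_type": "password", "client_id": client_id,
                      "client_secret": client_secret, "username": username,
                      "password": password, "scope": scope})
    resp = transport.post(token_endpoint, data=form, headers={
        "Content-Type": "application/x-www-form-urlencoded"})
    return json.loads(resp.body)["access_token"]


def get_unscoped_token(transport, auth_url, idp, protocol, access_token):
    """Step 2: trade the access_token for a Keystone subject token."""
    url = federation_auth_url(auth_url, idp, protocol)
    resp = transport.post(url, headers={"Authorization": f"Bearer {access_token}"})
    return extract_subject_token(resp)


class StubTransport:
    """Constructed stand-in for the IdP and Keystone; no network involved."""

    def __init__(self, multiple_idps):
        self.multiple_idps = multiple_idps

    def post(self, url, data=None, headers=None):
        if url.endswith("/protocol/openid-connect/token"):
            return Response(200, {"Content-Type": "application/json"},
                            json.dumps({"access_token": "constructed-access-token"}))
        if "/OS-FEDERATION/" in url:
            if self.multiple_idps:  # the behaviour the report describes
                return Response(200, {"Content-Type": "text/html"},
                                "<html><body>Select an identity provider</body></html>")
            return Response(201, {"X-Subject-Token": "constructed-unscoped-token",
                                  "Content-Type": "application/json"}, "{}")
        raise ValueError(f"unexpected URL in stub: {url}")


def try_login(transport, cfg):
    """Steps 1 and 2; returns ('ok', token) or ('html_page', diagnostic)."""
    try:
        access = get_access_token(transport, cfg["access_token_endpoint"],
                                  cfg["client_id"], cfg["client_secret"],
                                  cfg["username"], cfg["password"], cfg["scope"])
        return "ok", get_unscoped_token(transport, cfg["auth_url"],
                                        cfg["identity_provider"], cfg["protocol"],
                                        access)
    except DiscoveryPageReturned as exc:
        return "html_page", str(exc)


EXAMPLE_CFG = {  # constructed values mirroring the OS_* variable names above
    "auth_url": "http://keystone.example/v3",
    "identity_provider": "provider", "protocol": "openid",
    "client_id": "keystone.service", "client_secret": "constructed-secret",
    "username": "federation-test", "password": "constructed-password",
    "scope": "openid email profile",
    "access_token_endpoint": "https://idp.example/auth/realms/provider/"
                             "protocol/openid-connect/token",
}
```

With a single IdP the stub returns the token header and try_login yields ("ok", ...); with several IdPs it yields ("html_page", ...) with a message that points at the missing IdP selection, which is the information the report says the protected endpoint needs beyond the access_token.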

OpenStack Infra (hudson-openstack) wrote: Fix proposed to keystoneauth (master)

Fix proposed to branch: master
Review: https://review.opendev.org/692140

Changed in keystoneauth:
assignee: nobody → Pedro Henrique Pereira Martins (pedrohpmartins)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote: Change abandoned on keystoneauth (master)

Change abandoned by Pedro Henrique Pereira Martins (<email address hidden>) on branch: master
Review: https://review.opendev.org/692140
Reason: The https://review.opendev.org/#/c/693838/1/ solves the problem
