Error at /api/openstack/skyline/api/v1/websso when integrating Keycloak

Bug #1993091 reported by chengpeng
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
skyline apiserver | New | Undecided | Unassigned |

Bug Description

When logging in with OpenID, skyline reports an error:

/api/openstack/skyline/api/v1/websso

2022-10-14 15:38:45.777 | ERROR | skyline_apiserver.api.v1.login:websso:247 - Object of type Token is not JSON serializable

conna (yangshaoxue) wrote :

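Prerequisites
This article uses the google openid client as an example
- The OpenID client is configured, and the client ID and client secret have been obtained
- Set the openstack domain name and edit /etc/hosts to configure hosts (optional)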

# /etc/hosts
<openstack_ip> openstack.org

- Command-line configuration
# group
openstack group create --domain default --description "Federation User Group" federation_group

# project
openstack project create --domain default --description "Federation Demo Project" federation_demo_project

# role
openstack role add --domain default --group <group_uuid> admin

# idp
# using the google idp as an example
openstack identity provider create --domain default myidp --remote-id https://accounts.google.com

# create and edit the google-mapping-rules.json file
# mapping
openstack mapping create google-idp-mapping --rules ./google-mapping-rules.json

# protocol
openstack federation protocol create openid --identity-provider myidp --mapping google-idp-mapping

Keystone configuration
Edit the wsgi configuration
<VirtualHost *:5000>

    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
    OIDCClientID <ID>
    OIDCClientSecret <Secret>
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI http://<openstack_host>:5000/v3/auth/OS-FEDERATION/websso
    OIDCRedirectURI http://<openstack_host>:5000/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso
    <Location ~ "/v3/auth/OS-FEDERATION/websso/openid">
      AuthType openid-connect
      Require valid-user
    </Location>
    <Location ~ "/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/openid/websso">
      AuthType openid-connect
      Require valid-user
    </Location>
</VirtualHost>

Edit the keystone configuration
[federation]
remote_id_attribute = HTTP_OIDC_ISS
trusted_dashboard = <skyline_websso_url>
# Example
# trusted_dashboard = https://<openstack_ip>:9999/api/openstack/skyline/api/v1/websso

[auth]
methods = ..., openid

Skyline configuration
Edit the skyline configuration
openstack:
  sso_enabled: true

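Testing
Open the openstack page using the domain name
Select openid in the drop-down list and click the login button; you are redirected to the openid authentication page, and being redirected to the skyline home page after a successful login means it worked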


Skyline configuration file
sso_enabled default value False
sso_protocols default value ["openid",]
sso_region default value RegionOne
Skyline SSO-related API
POST /api/v1/websso
Name In Type
token Form str
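
The comment above references google-mapping-rules.json without showing it, and it grants federation_group the admin role, so a mapping rule with no condition would place every account the IdP authenticates into that group. The following is an added example, not part of the bug report or of the Skyline or Keystone code: it builds a Keystone mapping for that group and checks whether any rule grants a group without an `any_one_of` / `not_any_of` condition. The `HTTP_OIDC_EMAIL` attribute (from the `OIDC-` claim prefix and `email` scope configured above), the `Default` domain name, the `example.org` pattern and the helper names are assumptions.

```python
import json

# Keystone mapping conditions that decide whether a rule applies at all.
CONDITIONS = ("any_one_of", "not_any_of")


def build_mapping(group, domain, email_regex=None):
    """Return mapping rules placing federated users into `group`.

    email_regex is an assumed restriction: when set, the rule only matches
    users whose HTTP_OIDC_EMAIL value matches the pattern.
    """
    remote = [{"type": "HTTP_OIDC_EMAIL"}]  # first direct mapping -> {0}
    if email_regex:
        remote.append({"type": "HTTP_OIDC_EMAIL",
                       "any_one_of": [email_regex], "regex": True})
    local = [{"user": {"name": "{0}"},
              "group": {"name": group, "domain": {"name": domain}}}]
    return [{"local": local, "remote": remote}]


def unrestricted_rules(rules):
    """Indexes of rules that grant a group to every authenticated IdP user."""
    hits = []
    for i, rule in enumerate(rules):
        grants_group = any("group" in loc or "groups" in loc
                           for loc in rule["local"])
        conditioned = any(c in rem for rem in rule["remote"]
                          for c in CONDITIONS)
        if grants_group and not conditioned:
            hits.append(i)
    return hits


# Constructed sample values; example.org is a placeholder domain.
OPEN = build_mapping("federation_group", "Default")
RESTRICTED = build_mapping("federation_group", "Default", r".*@example\.org$")

if __name__ == "__main__":
    for name, rules in (("open", OPEN), ("restricted", RESTRICTED)):
        print(name, "unrestricted rule indexes:", unrestricted_rules(rules))
    # Write the restricted variant under the file name used in the comment.
    with open("google-mapping-rules.json", "w") as fh:
        json.dump(RESTRICTED, fh, indent=2)
```
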
