puppet-keystone

Module sets invalid OIDCRedirectURI when using openidc

Bug #2002490 reported by dafero
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
puppet-keystone
Fix Released
Undecided
Unassigned

Bug Description

Hi everyone,

I am trying to configure OpenStack to use Keycloak as an Identity Provider so we can use Single Sign-On on Horizon.

I am petty much following the official docs: https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html

One of the issues I encountered is that the puppet module sets the wrong OIDCRedirectURI values:

https://opendev.org/openstack/puppet-keystone/src/branch/master/templates/openidc.conf.erb#L49

According to mod_auth_openidc docs: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L8

# The redirect_uri for this OpenID Connect client; this is a vanity URL
# that must ONLY point to a path on your server protected by this module
# but it must NOT point to any actual content that needs to be served.

However the module configures 2 OIDCRedirectURI that point to actual content. This breaks the authentication flow.

My proposal: only configure ONE OIDCRedirectURI that points to a vanity URL, for example: .../protocols/openid/websso/redirect_url

If there are no objections, I will open a change to address this issue.

Thank you,
Daniel.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/openstack/puppet-keystone/+/869823

OpenStack Infra (hudson-openstack)
Changed in puppet-keystone:
status: New → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-keystone/+/869823
Committed: https://opendev.org/openstack/puppet-keystone/commit/bad291ff1f8b13ecc6b74ffb26ca5752744ae2c1
Submitter: "Zuul (22348)"
Branch: master

commit bad291ff1f8b13ecc6b74ffb26ca5752744ae2c1
Author: Daniel Fernández <email address hidden>
Date: Fri Jan 13 11:03:09 2023 +0100

    Fix OIDCRedirectURI value

    The current configuration includes two OIDCRedirectURI but it does not
    work and breaks authentication flow. We should configure only a single
    record. Also, the content is based on the quite old keystone guide.

    This fixes the OIDCRedirectURI entity and updates the configuration
    based on the latest keystone guide.

    Closes-Bug: #2002490
    Change-Id: If5afb4ac3b5b29f81673af039eeb7736f04a7441

Changed in puppet-keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-keystone 22.0.0

This issue was fixed in the openstack/puppet-keystone 22.0.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.