Allow for a custom OIDCRedirectURI in keystone_wsgi.conf

Bug #2055041 reported by Francesco Di Nucci
This bug affects 1 person

Affects: puppet-keystone | Status: Fix Released | Importance: Wishlist | Assigned to: Unassigned | Milestone: (none)

Bug Description

Version: stable/2023.2

In some use cases it is useful to define a custom OIDCRedirectURI value in keystone_wsgi.conf (e.g. it is set to a public endpoint, different from keystone_url). Currently it is hard-coded in templates/openidc.conf.erb

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

Could you please explain your expectation in more detail?

I didn't get the expected behavior from the description, because

- The keystone::federation::openidc::keystone_url option can take arbitrary values, so you can customize the keystone base url as you like

- The current template allows customization of the identity provider name in the url, and I'm not really aware of a case where other parts may need to be customized

Changed in puppet-keystone:
status: New → Incomplete
importance: Undecided → Wishlist
Revision history for this message
Francesco Di Nucci (d1nuc0m) wrote (last edit ):

I'm sorry for not being able to explain myself.

First of all, my keystone instance has two IPs, one private (my-keystone.example.com) and one public (my-endpoint.example.com)

Then I have two OIDCRedirectURI entries in /etc/httpd/conf.d/10-keystone_wsgi.conf:

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/websso"
OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid"

As the template is

OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%=scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"

setting keystone::federation::openidc::keystone_url I wouldn't be able to set the first URI's ending to /websso (but that's the issue you linked, and it should work with the horizon directives in the same template), and I don't know how I could insert the second URI

Revision history for this message
Takashi Kajinami (kajinamit) wrote (last edit ):

I'm still unsure if that 2nd OIDCRedirectURI is required (is it even accepted by mod_auth_openidc)?

My understanding was that OIDCRedirectURI is used for openidc auth in keystone and it should be redirected to /v3/OS-FEDERATION/identity_providers/my-idp/protocols/openid/auth, while we don't need a redirect uri for websso because the url is redirected to by horizon directly, but I might be wrong.

Revision history for this message
Francesco Di Nucci (d1nuc0m) wrote :

Yes, not only is it accepted, but it seems to be essential.

If there is only the first URI, the OIDC login fails with the error "Invalid Request. The OpenID Connect callback URL received an invalid request"

If there is only the second URI, it fails with 401 unauthorized

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

I assume you are trying to use SSO. Can you try adding OIDCRedirectURI in the opposite order?

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid"
OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/websso"

I guess this does not work because only the 2nd value takes effect.
According to https://github.com/OpenIDC/mod_auth_openidc/issues/200 mod_auth_openidc does not support multiple redirect uris. Probably we did something seriously wrong here.

Revision history for this message
Francesco Di Nucci (d1nuc0m) wrote :

So, I made some tests, using only one URI:

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid" - works (my bad, yesterday something went wrong)

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/websso" - does not work

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid" - also works, and if I understood correctly this should be the result once https://review.opendev.org/c/openstack/puppet-keystone/+/910637 is implemented

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/auth" - works if edited manually; when generated by setting keystone::federation::openidc::keystone_url to https://my-endpoint.example.com:42000 instead of https://my-keystone.example.com:5000, it fails with an invalid redirect URI, so I guess keystone::federation::openidc::keystone_url is also used somewhere else

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

Thanks. These are quite helpful.

Do you mind testing one more scenario?

What happens if you set WEBSSO_IDP_MAPPING in horizon ?

https://docs.openstack.org/horizon/latest/configuration/settings.html#websso-idp-mapping

With this set, horizon may use the longer websso endpoint uri, and I'd like to know if we have to switch the redirect uri.

Revision history for this message
Francesco Di Nucci (d1nuc0m) wrote :

> What happens if you set WEBSSO_IDP_MAPPING in horizon ?

In this scenario, how should I set OIDCRedirectURI? Or should it not be set at all?

Revision history for this message
Takashi Kajinami (kajinamit) wrote :

My guess is that

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid" - does not work

OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/websso" - but this works

I thought to take some time to deploy keycloak in my local env to test the behavior by myself, but I have been pulled away by multiple post-release problems we have to sort out before the 2024.1 release now. Sorry for asking so many things of you...

Revision history for this message
Francesco Di Nucci (d1nuc0m) wrote :

> Sorry for asking too many things to you

No, thank you for your time. I'm sorry I can't provide test results faster; I'm also engaged in other tasks, and even in a development environment I can test changes only in certain timeframes

Revision history for this message
Francesco Di Nucci (d1nuc0m) wrote :

I'm back, sorry for the delay, I didn't have an open testing timeframe

I was able to test now and:
* OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid" - works (unexpectedly)
* OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/websso" works but then the SSO returns
    Error="invalid_grant", error_description="Invalid redirect uri does not match one of the registered values."

I guess that this is related to our internal SSO config, which I don't have access to...

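The thread above boils down to two facts a deployer has to check by hand: mod_auth_openidc honours a single OIDCRedirectURI (the linked issue #200), and the IdP compares the redirect URI it receives against the registered value by exact string match (RFC 6749 section 3.1.2.3), which is where the "invalid redirect uri does not match one of the registered values" error comes from. The Python below is an added example, not puppet-keystone code and not something the reporters ran: it renders the URI the way the quoted template does (with an override knob named `redirect_uri`, which is an assumed name), then lints a constructed httpd conf excerpt against an assumed list of URIs registered at the IdP. The conf excerpts and the registered set are constructed to mirror the thread's two-directive setup; the page never shows the real IdP registration.

```python
"""Added example (not puppet-keystone code): render the OIDCRedirectURI the
way the thread's template does, then lint a generated httpd conf excerpt
against the redirect URIs registered at the IdP.

Assumptions, not taken from the page: the name `redirect_uri` for the
override knob, the IdP's registered list, and the conf excerpts below,
which are constructed to mirror the two-directive setup in the thread.
"""
import re
from urllib.parse import urlsplit

# Path quoted from templates/openidc.conf.erb in the thread, with the ERB
# placeholders turned into a format string.
DEFAULT_PATH = "/v3/auth/OS-FEDERATION/identity_providers/{idp}/protocols/openid/auth"

# A directive line as Apache reads it: optional leading whitespace, the
# directive name, one argument (quoted or bare).
_DIRECTIVE = re.compile(r'^\s*OIDCRedirectURI\s+"?([^"\s]+)"?\s*$', re.MULTILINE)


def render_redirect_uri(keystone_url, idp_name, redirect_uri=None):
    """Override wins when given; otherwise keystone_url + the template path."""
    if redirect_uri:
        return redirect_uri
    return keystone_url.rstrip("/") + DEFAULT_PATH.format(idp=idp_name)


def oidc_redirect_uris(conf_text):
    """Every OIDCRedirectURI value, in the order Apache would see them."""
    return _DIRECTIVE.findall(conf_text)


def lint_redirect_uris(conf_text, registered_at_idp):
    """Return a list of problems; an empty list means the excerpt is sane.

    Exact string comparison is deliberate: RFC 6749 section 3.1.2.3 has the
    authorization server compare a fully registered redirect URI by simple
    string comparison, so a different host, port or extra trailing path
    segment is a different URI and earns the invalid_grant / invalid
    redirect URI error reported in the thread.
    """
    problems = []
    uris = oidc_redirect_uris(conf_text)
    if not uris:
        problems.append("no OIDCRedirectURI directive found")
    if len(uris) > 1:
        problems.append(
            f"{len(uris)} OIDCRedirectURI directives; mod_auth_openidc honours "
            "a single redirect URI, so only one of these can be in effect")
    for uri in uris:
        if urlsplit(uri).scheme != "https":
            problems.append(f"{uri}: redirect URI is not https")
        if uri not in registered_at_idp:
            problems.append(f"{uri}: not registered at the IdP (exact match required)")
    return problems


# Constructed sample: the two-directive setup described in the thread.
TWO_DIRECTIVE_CONF = """\
<Location /v3/auth/OS-FEDERATION/websso/openid>
  AuthType openid-connect
  Require valid-user
</Location>
OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid/websso"
OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid"
"""

# Constructed sample: a single directive, as an override knob would emit it.
ONE_DIRECTIVE_CONF = """\
OIDCRedirectURI "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid"
"""

# Assumed IdP client registration; the thread never shows the real one.
REGISTERED_AT_IDP = {
    "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/websso/openid",
    "https://my-endpoint.example.com:42000/v3/auth/OS-FEDERATION/identity_providers/my-idp/protocols/openid",
}


if __name__ == "__main__":
    # The template default is built from the private keystone_url, which
    # the IdP in this scenario does not know about.
    default = render_redirect_uri("https://my-keystone.example.com:5000", "my-idp")
    print("default:", default, "registered:", default in REGISTERED_AT_IDP)
    for name, conf in (("two directives", TWO_DIRECTIVE_CONF),
                       ("one directive", ONE_DIRECTIVE_CONF)):
        print(name, "->", lint_redirect_uris(conf, REGISTERED_AT_IDP) or "ok")
```

Run it against the real generated /etc/httpd/conf.d/10-keystone_wsgi.conf and the client's registered redirect URIs from the IdP admin console; the two-directive case reports both the duplicate directive and the unregistered `/openid/websso` variant, while the single public URI passes clean. Whichever URI the template ends up emitting must be the one registered at the IdP, character for character.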
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (master)
Changed in puppet-keystone:
status: Incomplete → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (master)

Reviewed: https://review.opendev.org/c/openstack/puppet-keystone/+/922328
Committed: https://opendev.org/openstack/puppet-keystone/commit/68e091978887937a46bf9dd389e4b9d85079ac59
Submitter: "Zuul (22348)"
Branch: master

commit 68e091978887937a46bf9dd389e4b9d85079ac59
Author: Francesco Di Nucci <email address hidden>
Date: Wed Jun 19 16:20:32 2024 +0200

    feat: add a param for arbitrary federation OIDCRedirectURI

    Allows to override federation OIDCRedirectURI generated from
    keystone_url and idp_name with an arbitrary URI. Use case example [1]
    DISCLAIMER necessary - currently I work at INFN, the research institute
    behind INDIGO IAM

    [1] https://indigo-dc.gitbook.io/keystone-with-oidc-documentation/admin-iam-conf/admin-multi-conf

    Closes-Bug: #2055041
    Change-Id: I82bdbf832c4716e6a700fae9296f043f676dbafe

Changed in puppet-keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to puppet-keystone (stable/2024.1)

Fix proposed to branch: stable/2024.1
Review: https://review.opendev.org/c/openstack/puppet-keystone/+/929004

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to puppet-keystone (stable/2024.1)

Reviewed: https://review.opendev.org/c/openstack/puppet-keystone/+/929004
Committed: https://opendev.org/openstack/puppet-keystone/commit/5512e49da257d2340598dd5b7d762025b81bc87f
Submitter: "Zuul (22348)"
Branch: stable/2024.1

commit 5512e49da257d2340598dd5b7d762025b81bc87f
Author: Francesco Di Nucci <email address hidden>
Date: Wed Jun 19 16:20:32 2024 +0200

    feat: add a param for arbitrary federation OIDCRedirectURI

    Allows to override federation OIDCRedirectURI generated from
    keystone_url and idp_name with an arbitrary URI. Use case example [1]
    DISCLAIMER necessary - currently I work at INFN, the research institute
    behind INDIGO IAM

    [1] https://indigo-dc.gitbook.io/keystone-with-oidc-documentation/admin-iam-conf/admin-multi-conf

    Closes-Bug: #2055041
    Change-Id: I82bdbf832c4716e6a700fae9296f043f676dbafe
    (cherry picked from commit 68e091978887937a46bf9dd389e4b9d85079ac59)

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/puppet-keystone 25.0.0

This issue was fixed in the openstack/puppet-keystone 25.0.0 release.
