Keystone with AzureAD as openid provider - JWT token could not be validated
Robert Duncan
Robert.Duncan at ncirl.ie
Fri Oct 23 10:05:58 UTC 2020
Found this when trying OS_AUTH_TYPE="v3oidcpassword".
For anybody using AzureAD as an IdP in Keystone: it is not OIDC compliant - surprised?
Keystone will not validate the tokens, as they are essentially signed for the MS Graph API.
It results in: Apache WWW-Authenticate: Bearer error="invalid_token", error_description="JWT token could not be validated"
Keystone attempts to validate the tokens using whatever it finds in the metadata at https://login.microsoftonline.com/<tenant-guid>/v2.0/.well-known/openid-configuration
or using an Apache variable in wsgi-keystone.conf called OIDCOAuthVerifyJwksUri.
For example, it will reach https://login.microsoftonline.com/<tenant-guid>/discovery/v2.0/keys
and find keys; however, it won't be able to validate the token, as MS inserts a nonce before signing them, i.e. the tokens can only be validated by MS Graph.
Additionally, if you try to validate the tokens locally on Keystone using the Apache variable OIDCOAuthVerifyCertFiles, the keys can rotate without warning.
The solution is to use the app registration portal in Azure and modify the app registration by selecting 'Expose an API' and adding a scope, then request this scope on the client using the Apache variable 'OIDCScope'.
https://medium.com/@abhinavsonkar/making-azure-ad-oidc-compliant-5734b70c43ff
Rob Duncan.
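A structural pre-check for the bearer token the client receives, added here as an example and not part of the original post: it decodes the JWT header and claims without verifying the signature and flags the two symptoms described above, a nonce in the JOSE header (the Graph-audience token that the tenant JWKS cannot verify) and an audience that is not the scope exposed on the app registration. The tenant GUID, application ID URI, scope name and both sample tokens are constructed placeholders, not real Azure output.

```python
import base64
import json

# Everything below is constructed for this example: placeholder tenant GUID,
# hypothetical application ID URI and dummy signature bytes. No real tokens.
TENANT = "00000000-0000-0000-0000-000000000000"
EXPECTED_ISS = f"https://login.microsoftonline.com/{TENANT}/v2.0"
# Audience Azure puts in tokens issued for a scope defined under "Expose an API";
# the application ID URI here is hypothetical.
EXPECTED_AUD = "api://11111111-1111-1111-1111-111111111111"


def b64url_encode(data: bytes) -> str:
    """JWT-style base64url without '=' padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding JWT segments drop, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_token(header: dict, claims: dict) -> str:
    """Build a compact JWS with the given header and claims and a dummy signature.
    Only the structure matters here; nothing verifies this signature."""
    return ".".join([
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
        b64url_encode(b"\x00" * 32),
    ])


def parse_jwt(token: str):
    """Return (header, claims) from a compact-serialised JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def diagnose(token: str, expected_iss: str = EXPECTED_ISS,
             expected_aud: str = EXPECTED_AUD) -> dict:
    """Structural pre-check for a bearer token handed to Keystone.

    This does not verify the signature (mod_auth_openidc does that against
    OIDCOAuthVerifyJwksUri); it reports why that verification is going to fail.
    """
    header, claims = parse_jwt(token)
    problems = []
    if "nonce" in header:
        problems.append("JOSE header carries a 'nonce': the token was minted for "
                        "Microsoft Graph and its signature will not verify "
                        "against the tenant JWKS")
    aud = claims.get("aud")
    if aud != expected_aud:
        problems.append(f"aud {aud!r} is not the exposed-API audience {expected_aud!r}; "
                        "the client did not request the custom scope")
    iss = claims.get("iss")
    if iss != expected_iss:
        problems.append(f"iss {iss!r} is not the v2.0 issuer {expected_iss!r}")
    return {
        "kid": header.get("kid"),
        "aud": aud,
        "iss": iss,
        "problems": problems,
        "standard_verifiable": not problems,
    }


# Constructed sample 1: the shape of what the client gets back without the custom scope.
GRAPH_STYLE_TOKEN = make_token(
    {"typ": "JWT", "nonce": "constructed-nonce", "alg": "RS256", "kid": "kid-1"},
    {"aud": "https://graph.microsoft.com",
     "iss": f"https://sts.windows.net/{TENANT}/", "scp": "User.Read"},
)

# Constructed sample 2: the shape after requesting the scope exposed on the app registration.
API_STYLE_TOKEN = make_token(
    {"typ": "JWT", "alg": "RS256", "kid": "kid-1"},
    {"aud": EXPECTED_AUD, "iss": EXPECTED_ISS, "scp": "keystone.access"},
)


if __name__ == "__main__":
    for name, tok in (("graph-style", GRAPH_STYLE_TOKEN), ("api-style", API_STYLE_TOKEN)):
        result = diagnose(tok)
        print(name, "verifiable by a standards-compliant RP:", result["standard_verifiable"])
        for problem in result["problems"]:
            print("  -", problem)
```

Feed the access token the client actually obtained into diagnose() with your own tenant and application ID URI. If the header contains a nonce, no OIDCOAuthVerifyJwksUri or OIDCOAuthVerifyCertFiles setting on the Keystone side will make it validate; the fix is the scope change on the Azure and client side described in the post.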