[puppet] Configure openid with Keycloak IdP in Keystone

Fernandez Rodriguez Daniel daniel.fernandez at epfl.ch
Wed Nov 16 16:01:54 UTC 2022


Hello,


this is a bit of a long shot but maybe some of you successfully configured OpenStack to use Keycloak as an Identity Provider so we can use Single Sign-On on Horizon.


To install and configure OpenStack Keystone I am using 'stable/xena' version of the https://github.com/openstack/puppet-keystone . Likewise for Horizon. So far so good.


I would like to enable openid in Keystone so I can have Single Sign-On via Horizon.


I am pretty much following the official docs: https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html with the help of the puppet module.


To do it I included the class:


include ::keystone::federation::openidc

And configured some hiera variables:

keystone::federation::openidc::keystone_url: "https://openstackdev.loadbalancer:5000"
keystone::federation::openidc::methods: 'password,token,oauth1,mapped,openid'
keystone::federation::openidc::idp_name: 'keycloak'
keystone::federation::openidc::openidc_provider_metadata_url: 'https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration'
keystone::federation::openidc::openidc_client_id: 'a_keycloak_client'
keystone::federation::openidc::openidc_client_secret: <redacted>
keystone::federation::openidc::openidc_crypto_passphrase: <redacted>
keystone::federation::openidc::remote_id_attribute: 'HTTP_OIDC_ISS'

And this is the resulting relevant configuration in /etc/httpd/conf.d/10-keystone_wsgi.conf

  [...]
  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "id_token"
  OIDCScope "openid email profile"
  OIDCProviderMetadataURL "https://keycloak_server/auth/realms/BBP/.well-known/openid-configuration"
  OIDCClientID "a_keycloak_client"
  OIDCClientSecret <redacted>
  OIDCCryptoPassphrase <redacted>


  # The following directives are necessary to support websso from Horizon
  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso"
  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid"

  <LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  <LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso">
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

But unfortunately this does not work. First of all, the OIDCRedirectURI the module set points to a valid URL with content.
So I manually changed them by:

  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso/redirect_url"
  OIDCRedirectURI "https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid/redirect_url"

After changing that I now get redirected to the Keycloak login page and I am able to enter my username and pass; after the login is done I get redirected to: https://openstackdev.loadbalancer:5000/v3/auth/OS-FEDERATION/websso/openid?origin=https://openstackdev.loadbalancer/dashboard/auth/websso/ and it shows the following error:

error

code    404
message "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP."
title   "Not Found"




And in: /var/log/keystone/keystone.log

{"message": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.", "asctime": "2022-11-16 16:24:56", "name": "keystone.server.flask.application", "msg": "Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.", "args": [], "levelname": "WARNING", "levelno": 30, "pathname": "/usr/lib/python3.6/site-packages/keystone/server/flask/application.py", "filename": "application.py", "module": "application", "lineno": 87, "funcname": "_handle_keystone_exception", "created": 1668612296.6284614, "msecs": 628.4613609313965, "relative_created": 32117.148637771606, "thread": 140579135473408, "thread_name": "Dummy-1", "process_name": "MainProcess", "process": 3051629, "traceback": null, "hostname": "bbpcb030.bbp.epfl.ch", "error_summary": "keystone.exception.IdentityProviderNotFound: Could not find Identity Provider: https://keycloak_server/auth/realms/BBP.", "context": {"user_name": null, "project_name": null, "domain_name": null, "user_domain_name": null, "project_domain_name": null, "user": null, "tenant": null, "system_scope": null, "project": null, "domain": null, "user_domain": null, "project_domain": null, "is_admin": false, "read_only": false, "show_deleted": false, "auth_token": null, "request_id": "req-5187f72d-cb4b-470f-9635-6c05565707eb", "global_request_id": null, "resource_uuid": null, "roles": [], "user_identity": "- - - - -", "is_admin_project": true}, "extra": {"project": null, "version": "unknown"}}

And this is how I configured the identity provider, mapping and federation protocol.

# openstack identity provider show keycloak
+-------------------+-----------------------------------------+
| Field             | Value                                   |
+-------------------+-----------------------------------------+
| authorization_ttl | None                                    |
| description       | None                                    |
| domain_id         | 96a75a2b29b5411497a9971c14a2167c        |
| enabled           | True                                    |
| id                | keycloak                                |
| remote_ids        | https://keycloak_server/auth/realms/BBP |
+-------------------+-----------------------------------------+
# openstack mapping show openid_mapping
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value                                                                                                                                                          |
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
| id    | openid_mapping                                                                                                                                                 |
| rules | [{'local': [{'user': {'name': '{0}'}, 'group': {'domain': {'name': 'Default'}, 'name': 'federated_users'}}], 'remote': [{'type': 'OIDC-preferred_username'}]}] |
+-------+----------------------------------------------------------------------------------------------------------------------------------------------------------------+
# openstack federation protocol show --identity-provider keycloak openid
+---------+----------------+
| Field   | Value          |
+---------+----------------+
| id      | openid         |
| mapping | openid_mapping |
+---------+----------------+

Can someone please give me a hand with this?

Thank you very much,
Daniel.
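Added example (not from the original post, and not code from Keystone or puppet-keystone): a small model of the two lookups Keystone performs for a websso request, built from the values quoted above. First the value of the environment variable named by `remote_id_attribute` (HTTP_OIDC_ISS, the issuer set by mod_auth_openidc) must match one of the `remote_ids` of a registered identity provider, which is the lookup that produces the "Could not find Identity Provider" 404; then the mapping attached to the protocol turns the OIDC-<claim> variables into a local user and group. The registry dictionaries, the request environments and the function names are assumptions for the illustration; the IdP id, remote_id and mapping rule are the ones shown in the post, and the rule evaluator is a simplified version that also accepts `any_one_of` (with optional `regex`) for the general case.

```python
"""Model of Keystone's remote-ID lookup and mapping evaluation for websso.

Assumed names: IDENTITY_PROVIDERS, PROTOCOLS, MAPPINGS, get_idp_from_remote_id,
evaluate_mapping, authenticate_websso. Not Keystone's own code.
"""
import re

# Constructed registry mirroring `openstack identity provider show keycloak`.
IDENTITY_PROVIDERS = {
    "keycloak": {
        "enabled": True,
        "domain_id": "96a75a2b29b5411497a9971c14a2167c",
        "remote_ids": ["https://keycloak_server/auth/realms/BBP"],
    },
}

# Constructed: (idp, protocol) -> mapping, as in `federation protocol show`.
PROTOCOLS = {("keycloak", "openid"): "openid_mapping"}

# The mapping rule quoted in the post.
MAPPINGS = {
    "openid_mapping": [
        {
            "local": [
                {"user": {"name": "{0}"},
                 "group": {"domain": {"name": "Default"},
                           "name": "federated_users"}}
            ],
            "remote": [{"type": "OIDC-preferred_username"}],
        }
    ]
}

# keystone::federation::openidc::remote_id_attribute from the hiera data.
REMOTE_ID_ATTRIBUTE = "HTTP_OIDC_ISS"


class IdentityProviderNotFound(Exception):
    """Stands in for keystone.exception.IdentityProviderNotFound (HTTP 404)."""


def get_idp_from_remote_id(env, registry=IDENTITY_PROVIDERS):
    """Return the id of the IdP whose remote_ids contain the issuer in env.

    The comparison is an exact string match: a trailing slash, a different
    scheme or a different host in the issuer is enough to miss the IdP.
    """
    remote_id = env.get(REMOTE_ID_ATTRIBUTE)
    for idp_id, idp in registry.items():
        if remote_id in idp["remote_ids"]:
            return idp_id
    raise IdentityProviderNotFound(
        "Could not find Identity Provider: %s." % remote_id)


def _remote_value(spec, env):
    """Simplified remote matcher: exact `type` lookup, optional any_one_of."""
    value = env.get(spec["type"])
    if value is None:
        return None
    if "any_one_of" in spec:
        allowed = spec["any_one_of"]
        if spec.get("regex"):
            if not any(re.search(p, value) for p in allowed):
                return None
        elif value not in allowed:
            return None
    return value


def evaluate_mapping(mapping_id, env):
    """Apply the first rule whose `remote` section fully matches.

    In this simplified model placeholder {N} in the `local` section is
    replaced by the value of the N-th `remote` entry.
    """
    for rule in MAPPINGS[mapping_id]:
        values = [_remote_value(spec, env) for spec in rule["remote"]]
        if any(v is None for v in values):
            continue
        identity = {"user": None, "groups": []}
        for local in rule["local"]:
            if "user" in local:
                identity["user"] = local["user"]["name"].format(*values)
            if "group" in local:
                identity["groups"].append(
                    local["group"]["name"].format(*values))
        return identity
    return None


def authenticate_websso(protocol_id, env):
    """Both lookups in the order Keystone needs them for a websso request."""
    idp_id = get_idp_from_remote_id(env)
    mapping_id = PROTOCOLS[(idp_id, protocol_id)]
    identity = evaluate_mapping(mapping_id, env)
    return {"idp": idp_id, **identity}


if __name__ == "__main__":
    # Constructed request environment as mod_auth_openidc would populate it.
    env = {"HTTP_OIDC_ISS": "https://keycloak_server/auth/realms/BBP",
           "OIDC-preferred_username": "daniel"}
    print(authenticate_websso("openid", env))
```

The second assertion in the test below reproduces the failure mode from the post: an issuer that differs from the registered remote_id even by a trailing slash raises the same "Could not find Identity Provider" error, which is why comparing the exact `iss` value mod_auth_openidc reports with `openstack identity provider show` output is the first check to make.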
