<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css" style="display:none;"> P {margin-top:0;margin-bottom:0;} </style>
</head>
<body dir="ltr">
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
I think this should be using discovery instead of Apache variables. I'm using kolla-ansible, so I'll have to get the key in PEM format from the JSON document manually</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<a href="https://stackoverflow.com/questions/58330545/azure-active-directory-jwt-public-key-changing" id="LPlnk158164">https://stackoverflow.com/questions/58330545/azure-active-directory-jwt-public-key-changing</a><br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<br>
</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
thanks,</div>
<div style="font-family: Calibri, Arial, Helvetica, sans-serif; font-size: 12pt; color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
Rob.</div>
<div id="appendonsend"></div>
<hr style="display:inline-block;width:98%" tabindex="-1">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Rafael Weingärtner &lt;rafaelweingartner@gmail.com&gt;<br>
<b>Sent:</b> Wednesday 21 October 2020 19:51<br>
<b>To:</b> Robert Duncan &lt;Robert.Duncan@ncirl.ie&gt;<br>
<b>Cc:</b> openstack-discuss@lists.openstack.org &lt;openstack-discuss@lists.openstack.org&gt;<br>
<b>Subject:</b> Re: Keystone auth method v3oidcpassword throws RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.</font>
<div> </div>
</div>
<div>
<div dir="ltr">With this patch <a href="https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2">
https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2</a>, that variable is set. However, if the keys change... you might need to check how the protocol handles that.<br>
</div>
<br>
<div class="x_gmail_quote">
<div dir="ltr" class="x_gmail_attr">On Wed, Oct 21, 2020 at 3:46 PM Robert Duncan <<a href="mailto:Robert.Duncan@ncirl.ie">Robert.Duncan@ncirl.ie</a>> wrote:<br>
</div>
<blockquote class="x_gmail_quote" style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
It seems to be valid, at least I can validate it on <a href="http://jwt.io" target="_blank">
jwt.io</a> - it seems I must validate it manually as keystone doesn't pull the keys from metadata</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
There is an Apache variable for:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
# The fully qualified names of the files that contain the X.509 certificates with the RSA public
<div># keys that can be used for local JWT access token verification.</div>
<div># NB: this is one or more key tuples where a key tuple consists of:</div>
<div>#  [&lt;key-identifier&gt;#]&lt;path-to-cert&gt;</div>
<div># and the key identifier part is required when the JWT access token contains a "kid" in its header.</div>
<div># When not defined, no access token validation with statically configured certificates will be performed.</div>
#OIDCOAuthVerifyCertFiles ([&lt;kid&gt;#]&lt;filename&gt;)+<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
AzureAD uses key identifiers in all JWTs but without the certificate they cannot be validated, also whenever claims are modified on AzureAD (as they need to be for openstack mapping) a new key id and certificate is created - they are published at the same location
 with an appid query appended to the well known location</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<a href="https://login.microsoftonline.com/6edb49c1-bf72-4eea-8b3f-a7fd0a25b68c/v2.0/.well-known/openid-configuration?appid=e6c55763-6c89-4b99-9250-17a21fdeecf1" id="x_gmail-m_-4119535129555250357LPlnk151184" target="_blank">https://login.microsoftonline.com/&lt;tenant&gt;/v2.0/.well-known/openid-configuration?appid=</a>(appid)<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
also these keys rotate, so having a local copy on the keystone server is not a great fix either.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
thanks,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Rob.</div>
<div id="x_gmail-m_-4119535129555250357appendonsend"></div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_-4119535129555250357divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Rafael Weingärtner <<a href="mailto:rafaelweingartner@gmail.com" target="_blank">rafaelweingartner@gmail.com</a>><br>
<b>Sent:</b> Wednesday 21 October 2020 19:10<br>
<b>To:</b> Robert Duncan <<a href="mailto:Robert.Duncan@ncirl.ie" target="_blank">Robert.Duncan@ncirl.ie</a>><br>
<b>Cc:</b> <a href="mailto:openstack-discuss@lists.openstack.org" target="_blank">
openstack-discuss@lists.openstack.org</a> <<a href="mailto:openstack-discuss@lists.openstack.org" target="_blank">openstack-discuss@lists.openstack.org</a>><br>
<b>Subject:</b> Re: Keystone auth method v3oidcpassword throws RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.</font>
<div> </div>
</div>
<div>
<div dir="ltr">It seems that your token is invalid. Maybe you need to enable something in the IdP, such as the implicit flow. Maybe it is a good idea to enable DEBUG log level in Keystone WSGI and/or your IdP.<br>
</div>
<br>
<div>
<div dir="ltr">On Wed, Oct 21, 2020 at 9:33 AM Robert Duncan <<a href="mailto:Robert.Duncan@ncirl.ie" target="_blank">Robert.Duncan@ncirl.ie</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Thanks Rafael, I can see a small difference in <a href="https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2" id="x_gmail-m_-4119535129555250357x_gmail-m_3774108951744312730LPlnk688741" target="_blank">https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2</a></div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
specifically, in my wsgi-keystone the API is protected with AuthType openid-connect</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
I have changed wsgi-keystone to use the authtype auth-openidc</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
now I am getting 401 because:</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
"POST /v3/OS-FEDERATION/identity_providers/****/protocols/openid/auth HTTP/1.1" 401 381
<div>RESP: [401] Content-Length: 381 Content-Type: text/html; charset=iso-8859-1 Date: Wed, 21 Oct 2020 12:28:33 GMT Server: Apache WWW-Authenticate: Bearer error="invalid_token", error_description="JWT token could not be validated"</div>
<div>RESP BODY: Omitted, Content-Type is set to text/html; charset=iso-8859-1. Only application/json responses have their bodies logged.</div>
<div>Request returned failure status: 401</div>
<div>Unauthorized (HTTP 401)</div>
<div>Traceback (most recent call last):</div>
<div>  File "/usr/lib/python3/dist-packages/cliff/app.py", line 393, in run_subcommand</div>
<div>    self.prepare_to_run_command(cmd)</div>
<div>  File "/usr/lib/python3/dist-packages/osc_lib/shell.py", line 493, in prepare_to_run_command</div>
<div>    self.client_manager.auth_ref</div>
<div>  File "/usr/lib/python3/dist-packages/osc_lib/clientmanager.py", line 202, in auth_ref</div>
<div>    self._auth_ref = self.auth.get_auth_ref(self.session)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/federation.py", line 65, in get_auth_ref</div>
<div>    auth_ref = self.get_unscoped_auth_ref(session)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py", line 262, in get_unscoped_auth_ref</div>
<div>    response = self._get_keystone_token(session, access_token)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py", line 219, in _get_keystone_token</div>
<div>    auth_response = <a href="http://session.post" target="_blank">session.post</a>(self.federated_token_url,</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 1131, in post</div>
<div>    return self.request(url, 'POST', **kwargs)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 968, in request</div>
<div>    raise exceptions.from_response(resp, method, url)</div>
<div>keystoneauth1.exceptions.http.Unauthorized: Unauthorized (HTTP 401)</div>
<div>clean_up IssueToken: Unauthorized (HTTP 401)</div>
END return value: 1<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
much appreciated</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Rob.</div>
<div id="x_gmail-m_-4119535129555250357x_gmail-m_3774108951744312730appendonsend">
</div>
<hr style="display:inline-block; width:98%">
<div id="x_gmail-m_-4119535129555250357x_gmail-m_3774108951744312730divRplyFwdMsg" dir="ltr">
<font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Rafael Weingärtner <<a href="mailto:rafaelweingartner@gmail.com" target="_blank">rafaelweingartner@gmail.com</a>><br>
<b>Sent:</b> Wednesday 21 October 2020 12:25<br>
<b>To:</b> Robert Duncan <<a href="mailto:Robert.Duncan@ncirl.ie" target="_blank">Robert.Duncan@ncirl.ie</a>><br>
<b>Cc:</b> <a href="mailto:openstack-discuss@lists.openstack.org" target="_blank">
openstack-discuss@lists.openstack.org</a> <<a href="mailto:openstack-discuss@lists.openstack.org" target="_blank">openstack-discuss@lists.openstack.org</a>><br>
<b>Subject:</b> Re: Keystone auth method v3oidcpassword throws RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.</font>
<div> </div>
</div>
<div>
<div dir="ltr">Because the Keystone configs that you have might not be supporting it. You may want to take a look at:
<a href="https://review.opendev.org/#/c/693232/" target="_blank">https://review.opendev.org/#/c/693232/</a> and
<a href="https://review.opendev.org/#/c/695432/" target="_blank">https://review.opendev.org/#/c/695432/</a>, especially this file:
<a href="https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2" target="_blank">
https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2</a></div>
<br>
<div>
<div dir="ltr">On Wed, Oct 21, 2020 at 7:18 AM Robert Duncan <<a href="mailto:Robert.Duncan@ncirl.ie" target="_blank">Robert.Duncan@ncirl.ie</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex; border-left:1px solid rgb(204,204,204); padding-left:1ex">
<div dir="ltr">
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
I'm trying to use openID with </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
openstack --version<br>
openstack 5.2.0<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
keystoneauth1==3.17.3
<div>keystonemiddleware==7.0.1</div>
python-keystoneclient==3.21.0<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
I have created an RC file like so :</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
export OS_INTERFACE="public"
<div>export OS_AUTH_URL="<a href="https://openstack:5000/v3" target="_blank">https://openstack:5000/v3</a>"</div>
<div>export OS_IDENTITY_PROVIDER="&lt;my_idp&gt;"</div>
<div>export OS_PROTOCOL="openid"</div>
<div>export OS_CLIENT_ID="&lt;the -id &gt;"</div>
<div>export OS_CLIENT_SECRET="&lt;the secret&gt;"</div>
<div>export OS_DISCOVERY_ENDPOINT="<a href="https://login.microsoftonline.com/" target="_blank">https://login.microsoftonline.com/</a>&lt;the-tenant-id&gt;/v2.0/.well-known/openid-configuration"</div>
<div>export OS_IDENTITY_API_VERSION="3"</div>
<div>export OS_AUTH_TYPE="v3oidcpassword"</div>
<div>export OS_USERNAME="&lt;AzureAD user&gt;"</div>
<div># this is the local openstack project id</div>
<div>export OS_PROJECT_ID="&lt;The project ID&gt;"</div>
<div># set password by querying user</div>
<div>export OS_PASSWORD=""</div>
<div>echo "Please enter your O365 Password: "</div>
<div>read -sr OS_PASSWORD_INPUT</div>
export OS_PASSWORD="$OS_PASSWORD_INPUT"<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
all is working on Horizon WebSSO - but I cannot access the API</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
the openstack --debug output shows that I get a token from MS </div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
debug info (redacted)</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True)
<div>Auth plugin v3oidcpassword selected</div>
<div>auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {},
 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {'project_id':
 '516706052ebd4f9a89c0b7d7e075754d'}, 'additional_user_agent': [('osc-lib', '2.0.0')], 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'default_domain': 'default', 'timing': False, 'auth_url': '<a href="https://openstack." target="_blank">https://openstack.</a>*********:5000/v3',
 'username': 'r********', 'password': '***', 'identity_provider': '*****', 'protocol': 'openid', 'client_id': '*******', 'client_secret': '***', 'discovery_endpoint': '<a href="https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration" target="_blank">https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration</a>',
 'beta_command': False, 'identity_api_version': '3', 'data_processing_api_version': '1.1', 'container_infra_api_version': '1', 'region_name': '', 'auth_type': 'v3oidcpassword', 'networks': []}</div>
<div>Using auth plugin: v3oidcpassword</div>
<div>Using parameters {'auth_url': '<a href="https://openstack." target="_blank">https://openstack.</a>******:5000/v3', 'project_id': '516706052ebd4f9a89c0b7d7e07575, 'identity_provider': '*****', 'protocol': 'openid', 'client_id': '********', 'client_secret':
 '***', 'discovery_endpoint': '<a href="https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration" target="_blank">https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration</a>', 'username': '*****', 'password': '***'}</div>
<div>Get auth_ref</div>
<div>REQ: curl -g -i -X GET <a href="https://login.microsoftonline.com/*****/v2.0/.well-known/openid-configuration" target="_blank">
https://login.microsoftonline.com/*****/v2.0/.well-known/openid-configuration</a> -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0 CPython/3.8.2"</div>
<div>Starting new HTTPS connection (1): <a href="http://login.microsoftonline.com:443" target="_blank">
login.microsoftonline.com:443</a></div>
<div><a href="https://login.microsoftonline.com:443" target="_blank">https://login.microsoftonline.com:443</a> "GET /******/v2.0/.well-known/openid-configuration HTTP/1.1" 200 1651</div>
<div>RESP: [200] Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Cache-Control: max-age=86400, private Content-Length: 1651 Content-Type: application/json; charset=utf-8 Date: Wed, 21 Oct 2020 09:37:13 GMT P3P: CP="DSP CUR OTPi IND
 OTRi ONL FIN" Set-Cookie: fpc=AhupGfLmUQlEsKNlR-m0ATg; expires=Fri, 20-Nov-2020 09:37:14 GMT; path=/; secure; HttpOnly; SameSite=None, esctx=*****: domain=.<a href="http://login.microsoftonline.com" target="_blank">login.microsoftonline.com</a>; path=/; secure;
 HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff x-ms-ests-server:
 2.1.11154.9 - NEULR2 ProdSlices x-ms-request-id: 0819033b-dcb3-409a-8115-54dc06a31900</div>
<div>RESP BODY: {"token_endpoint":"<a href="https://login.microsoftonline.com/*****/oauth2/v2.0/token" target="_blank">https://login.microsoftonline.com/*****/oauth2/v2.0/token</a>","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"<a href="https://login.microsoftonline.com/****/discovery/v2.0/keys" target="_blank">https://login.microsoftonline.com/****/discovery/v2.0/keys</a>","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code
 id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"<a href="https://login.microsoftonline.com/****/v2.0" target="_blank">https://login.microsoftonline.com/****/v2.0</a>","request_uri_parameter_supported":false,"userinfo_endpoint":"<a href="https://graph.microsoft.com/oidc/userinfo" target="_blank">https://graph.microsoft.com/oidc/userinfo</a>","authorization_endpoint":"<a href="https://login.microsoftonline.com/****/oauth2/v2.0/authorize" target="_blank">https://login.microsoftonline.com/****/oauth2/v2.0/authorize</a>","device_authorization_endpoint":"<a href="https://login.microsoftonline.com/*****/oauth2/v2.0/devicecode" target="_blank">https://login.microsoftonline.com/*****/oauth2/v2.0/devicecode</a>","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"<a href="https://login.microsoftonline.com/****/oauth2/v2.0/logout" target="_blank">https://login.microsoftonline.com/****/oauth2/v2.0/logout</a>","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":"EU","cloud_instance_name":"<a href="http://microsoftonline.com" target="_blank">microsoftonline.com</a>","cloud_graph_host_name":"<a href="http://graph.windows.net" target="_blank">graph.windows.net</a>","msgraph_host":"<a href="http://graph.microsoft.com" target="_blank">graph.microsoft.com</a>","rbac_url":"<a href="https://pas.windows.net" target="_blank">https://pas.windows.net</a>"}</div>
<div>REQ: curl -g -i -X POST <a href="https://login.microsoftonline.com/******/oauth2/v2.0/token" target="_blank">
https://login.microsoftonline.com/******/oauth2/v2.0/token</a> -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0 CPython/3.8.2" -d '{'username': '*****', 'password': '*****', 'scope': 'openid profile', 'grant_type': 'password'}'</div>
<div><a href="https://login.microsoftonline.com:443" target="_blank">https://login.microsoftonline.com:443</a> "POST /*****/oauth2/v2.0/token HTTP/1.1" 200 3764</div>
<div>RESP: [200] Cache-Control: no-store, no-cache Content-Length: 3764 Content-Type: application/json; charset=utf-8 Date: Wed, 21 Oct 2020 09:37:14 GMT Expires: -1 P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Pragma: no-cache Set-Cookie: fpc=****; expires=Fri,
 20-Nov-2020 09:37:14 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly Strict-Transport-Security: max-age=31536000; includeSubDomains
 X-Content-Type-Options: nosniff x-ms-ests-server: 2.1.11154.9 - WEULR1 ProdSlices x-ms-request-id: 92d66fde-6763-4be2-b1cf-00fd18bc1800</div>
<div>RESP BODY: {"token_type":"Bearer","scope":"email openid profile 00000003-0000-0000-c000-000000000000/User.Read","expires_in":3599,"ext_expires_in":3599,"access_token":"&lt;the access token&gt;","id_token":"&lt;the id token&gt;"}</div>
<div>REQ: curl -g -i -X POST <a href="https://openstack" target="_blank">https://openstack</a>***:5000/v3/OS-FEDERATION/identity_providers/***/protocols/openid/auth -H "Authorization: {SHA256}aff774c8663ee647a08aefcea698f8c30e1d1cc8d85a3d55a17cae53defd8955"
 -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0 CPython/3.8.2"</div>
<div>Starting new HTTPS connection (1): openstack.****:5000</div>
<div><a href="https://openstack." target="_blank">https://openstack.</a>***:5000 "POST /v3/OS-FEDERATION/identity_providers/****/protocols/openid/auth HTTP/1.1" 200 541</div>
<div>RESP: [200] Content-Length: 541 Content-Type: text/html Date: Wed, 21 Oct 2020 09:37:14 GMT Server: Apache</div>
<div>RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.</div>
<div>Expecting value: line 1 column 1 (char 0)</div>
<div>Traceback (most recent call last):</div>
<div>  File "/usr/lib/python3/dist-packages/cliff/app.py", line 393, in run_subcommand</div>
<div>    self.prepare_to_run_command(cmd)</div>
<div>  File "/usr/lib/python3/dist-packages/osc_lib/shell.py", line 493, in prepare_to_run_command</div>
<div>    self.client_manager.auth_ref</div>
<div>  File "/usr/lib/python3/dist-packages/osc_lib/clientmanager.py", line 202, in auth_ref</div>
<div>    self._auth_ref = self.auth.get_auth_ref(self.session)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/federation.py", line 65, in get_auth_ref</div>
<div>    auth_ref = self.get_unscoped_auth_ref(session)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py", line 265, in get_unscoped_auth_ref</div>
<div>    return access.create(resp=response)</div>
<div>  File "/usr/lib/python3/dist-packages/keystoneauth1/access/access.py", line 36, in create</div>
<div>    body = resp.json()</div>
<div>  File "/usr/lib/python3/dist-packages/requests/models.py", line 897, in json</div>
    return complexjson.loads(self.text, **kwargs)<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
what's gone wrong?</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
thanks,</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
Rob.</div>
<div style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:12pt; color:rgb(0,0,0); background-color:rgb(255,255,255)">
<br>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr">
<div dir="ltr">Rafael Weingärtner</div>
</div>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr">
<div dir="ltr">Rafael Weingärtner</div>
</div>
</div>
</div>
</blockquote>
</div>
<br clear="all">
<br>
-- <br>
<div dir="ltr" class="x_gmail_signature">
<div dir="ltr">Rafael Weingärtner</div>
</div>
</div>
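<div>Added example, not part of the original thread and not kolla-ansible or mod_auth_openidc code: the manual step described in the top message (taking the signing certificate out of the IdP's JSON key document and giving it to mod_auth_openidc as a PEM file in the [kid#]path form quoted above), plus a check for the key rotation the thread warns about. It assumes each key in the JWKS document carries an x5c certificate entry; the sample JWKS, the kid values and the /etc/keystone/certs directory are constructed for illustration.</div>
<pre>
```python
import base64
import json
import re

# Assumption: kids become file names, so accept only base64url-style characters.
SAFE_KID = re.compile(r"[A-Za-z0-9_-]+")


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_kid(jwt):
    """Return the kid from a JWT header. This only reads it; nothing is verified."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    return json.loads(b64url_decode(parts[0])).get("kid")


def jwks_to_pem(jwks):
    """Map each kid in a JWKS document to its leaf certificate as PEM text."""
    pems = {}
    for key in jwks.get("keys", []):
        kid, chain = key.get("kid"), key.get("x5c")
        if not kid or not chain:
            continue  # key published without a certificate: nothing to write
        if not SAFE_KID.fullmatch(kid):
            raise ValueError("refusing kid that is unsafe as a file name: %r" % kid)
        # x5c[0] is the leaf certificate as standard base64 DER; reject junk input
        der = base64.b64decode(chain[0], validate=True)
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        pems[kid] = ("-----BEGIN CERTIFICATE-----\n" + body
                     + "\n-----END CERTIFICATE-----\n")
    return pems


def verify_cert_files_directive(pems, cert_dir):
    """Build the Apache directive as kid#path tuples, one per converted key."""
    tuples = ["%s#%s/%s.pem" % (kid, cert_dir, kid) for kid in sorted(pems)]
    return "OIDCOAuthVerifyCertFiles " + " ".join(tuples)


def needs_refresh(jwt, pems):
    """True when the token names a kid for which no local certificate exists."""
    return token_kid(jwt) not in pems


# Constructed sample input: placeholder bytes, not a real certificate or real kids.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate " * 3
SAMPLE_JWKS = {"keys": [
    {"kty": "RSA", "use": "sig", "kid": "kid-A-constructed",
     "x5c": [base64.b64encode(SAMPLE_DER).decode("ascii")]},
    {"kty": "RSA", "use": "sig", "kid": "kid-B-constructed"},  # no x5c: skipped
]}


def make_sample_token(kid):
    """Constructed unsigned token with only the header fields this example reads."""
    header = json.dumps({"alg": "RS256", "kid": kid}).encode("ascii")
    return base64.urlsafe_b64encode(header).rstrip(b"=").decode("ascii") + ".e30.c2ln"


if __name__ == "__main__":
    pems = jwks_to_pem(SAMPLE_JWKS)
    print(verify_cert_files_directive(pems, "/etc/keystone/certs"))
    print("refresh needed:", needs_refresh(make_sample_token("kid-rotated"), pems))
```
</pre>
<div>Token verification itself stays with mod_auth_openidc; this only prepares the certificate files and flags a token whose kid is no longer covered by the local copy.</div>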
</body>
</html>