[keystone] Keystone Single Sign-On for REST API Access
Hello OpenStack Community, and greetings especially to the Keystone experts among you.

I'm currently co-administering an OpenStack 17.1.3 cluster with a few compute nodes and three controllers. For a better user experience, we've enabled Single Sign-On using OIDC for Horizon, which is working fabulously. To do that, the [mod_auth_openidc module](https://github.com/OpenIDC/mod_auth_openidc) is configured for httpd on the controller nodes.

However, we're now facing a novel scenario for us. Basically, we want to interact with the OpenStack REST APIs - but not using a usual token request to `/v3/auth/tokens`, but using Single Sign-On. We've looked at the authentication request that Horizon makes to Keystone after successful authentication with the SSO provider. As far as we can tell:

1. After successful authentication with the SSO identity provider, Keystone redirects back to the redirect URI with a grant_id, id_token and state in the URL fragments (after # in the URL).
2. The redirect URI is `/v3/auth/OS-FEDERATION/websso/openid`, which contains HTML that will read the fragments and POST them as form data to somewhere.
3. Those fragments get POSTed to `/v3/auth/OS-FEDERATION/websso/openid`.
4. The response from Keystone is an HTML document containing an auth token, rigged to get POSTed to Horizon at `/dashboard/auth/websso/` (presumably to start a fresh session).

So far, so good. The [Keystone federation documentation](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...) does show the [Horizon flow](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...) in action. I can replicate it in part using cURL, by doing the same requests to the same endpoints that my browser does. However, I do not understand or see a request to `/v3/auth/OS-FEDERATION/websso/mapped` where Keystone actually issues a token. Instead, after the `id_token`, `grant_id`, etc. are POSTed to `/v3/auth/OS-FEDERATION/websso/openid`, Keystone responds with an HTML document containing the token (see step 4 in my earlier list). I've only seen this working for Horizon in an actual browser, though. Am I misunderstanding the documentation?

Right above that in the documentation, there is a section about an unrelated [OpenID Connect Authentication Flow](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...). It contains a graphic in which the first request made is a GET request to `/secure`. A direct GET request yields a `404`, so I assume this is a placeholder for any protected resource. However, if I request any protected resource without a valid token, I do not receive a 302 as the graphic would seem to suggest. Is this a behavior that would need to be configured first?

In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon? I'm just wondering if I am on the correct path in trying to modify the `10-keystone.wsgi` in `/etc/httpd/conf.d/` to use [multiple providers](https://github.com/OpenIDC/mod_auth_openidc/wiki/Multiple-Providers). If, after starting the SSO process, I end up with a `grant_id` and an `id_token`, where do I post this to get a Keystone token in return?

After going through the documentation, I am still at a loss. I would appreciate any help. Thank you for your time.
On 15/07/2024 12:17, leon.amtmann@ibm.com wrote:
In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon?
Is this helpful? https://github.com/IFCA-Advanced-Computing/keystoneauth-oidc We use this to authenticate cli with keystone/SSO. Given this works for cli, you should be able to use the underlying openstacksdk library and keystoneauth-oidc to get a token in order to interact with the APIs, if I've understood correctly what you want to achieve.

Jonathan.
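To make concrete what a CLI plugin of this kind does underneath, here is an added example (my own code, not from the thread, from keystoneauth-oidc or from keystoneauth1). It performs the two requests a non-browser client needs: a POST to Keystone's federation endpoint `/v3/OS-FEDERATION/identity_providers/{idp}/protocols/{protocol}/auth` with the OIDC access token as a Bearer credential, which returns an unscoped token in the `X-Subject-Token` header, and then a POST to `/v3/auth/tokens` with the `token` method to scope it to a project. The HTTP transport is injected so the module runs offline against a constructed fake Keystone; the auth URL, identity provider name `myidp`, project id, token values and the fake response bodies are all made up for the demo.

```python
"""Obtain an unscoped Keystone token through federation, then scope it.

Added example, not code from the thread or from keystoneauth-oidc. The
HTTP transport is injected so the module runs offline against a
constructed fake; swap in a real requests/urllib call for a live cloud.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

# Keystone's federated authentication endpoint. Behind it, mod_auth_openidc
# validates the bearer token and exposes the claims to Keystone's mapping
# engine, which issues an *unscoped* token for the mapped federated user.
FED_AUTH_PATH = "/OS-FEDERATION/identity_providers/{idp}/protocols/{proto}/auth"

# Transport signature: (url, headers, json_body) -> (status, headers, body)
Transport = Callable[[str, Dict[str, str], Optional[dict]],
                     Tuple[int, Dict[str, str], str]]


@dataclass
class KeystoneToken:
    token_id: str
    expires_at: str
    user_name: str
    project_id: Optional[str]  # None for an unscoped token


def _parse_token_response(status: int, headers: Dict[str, str], body: str) -> KeystoneToken:
    """Keystone puts the token id in X-Subject-Token; the JSON body carries metadata."""
    if status != 201:
        raise RuntimeError(f"token request failed with HTTP {status}: {body[:200]}")
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token_id = lower.get("x-subject-token")
    if not token_id:
        raise RuntimeError("response lacks X-Subject-Token header")
    tok = json.loads(body)["token"]
    return KeystoneToken(
        token_id=token_id,
        expires_at=tok["expires_at"],
        user_name=tok["user"]["name"],
        project_id=tok.get("project", {}).get("id"),
    )


def fetch_unscoped_token(transport: Transport, auth_url: str, idp: str, proto: str,
                         oidc_access_token: str) -> KeystoneToken:
    """Exchange an OIDC access token for an unscoped Keystone token.

    Same exchange as keystoneauth1's OidcAccessToken plugin: POST to the
    federation auth URL with the OIDC token as a Bearer credential, sent
    only in the Authorization header (never in the URL or a log line).
    """
    url = auth_url.rstrip("/") + FED_AUTH_PATH.format(idp=idp, proto=proto)
    headers = {"Authorization": f"Bearer {oidc_access_token}", "Accept": "application/json"}
    return _parse_token_response(*transport(url, headers, None))


def scope_token(transport: Transport, auth_url: str, unscoped: KeystoneToken,
                project_id: str) -> KeystoneToken:
    """Trade the unscoped token for a project-scoped one via /v3/auth/tokens."""
    url = auth_url.rstrip("/") + "/auth/tokens"
    body = {"auth": {
        "identity": {"methods": ["token"], "token": {"id": unscoped.token_id}},
        "scope": {"project": {"id": project_id}},
    }}
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    return _parse_token_response(*transport(url, headers, body))


# --- constructed fake Keystone for offline use (placeholder values) ----------
FAKE_AUTH_URL = "https://keystone.example.invalid/v3"   # not a real cloud


def fake_keystone(url: str, headers: Dict[str, str], body: Optional[dict]):
    """Minimal stand-in that mimics the two Keystone responses above."""
    if url.endswith("/protocols/openid/auth"):
        if headers.get("Authorization") != "Bearer fake-oidc-access-token":
            return 401, {}, json.dumps({"error": {"message": "bad bearer"}})
        payload = {"token": {"expires_at": "2024-07-15T13:17:00.000000Z",
                             "methods": ["openid"],
                             "user": {"name": "leon", "id": "f00"}}}
        return 201, {"X-Subject-Token": "unscoped-abc"}, json.dumps(payload)
    if url.endswith("/auth/tokens"):
        if body["auth"]["identity"]["token"]["id"] != "unscoped-abc":
            return 401, {}, json.dumps({"error": {"message": "unknown token"}})
        payload = {"token": {"expires_at": "2024-07-15T13:17:00.000000Z",
                             "methods": ["token"],
                             "user": {"name": "leon", "id": "f00"},
                             "project": {"id": body["auth"]["scope"]["project"]["id"]}}}
        return 201, {"x-subject-token": "scoped-xyz"}, json.dumps(payload)
    return 404, {}, "not found"


def demo() -> Tuple[KeystoneToken, KeystoneToken]:
    """Run the unscoped-then-scoped flow against the fake Keystone."""
    unscoped = fetch_unscoped_token(fake_keystone, FAKE_AUTH_URL, "myidp", "openid",
                                    "fake-oidc-access-token")
    scoped = scope_token(fake_keystone, FAKE_AUTH_URL, unscoped, "proj-123")
    return unscoped, scoped


if __name__ == "__main__":
    u, s = demo()
    print("unscoped:", u)
    print("scoped:  ", s)
```

Against a real deployment the only change is the transport: `requests.post(url, headers=headers, json=body)` and returning `(r.status_code, dict(r.headers), r.text)`. The identity provider and protocol names must match what is registered in Keystone's federation configuration, and the `/protocols/{proto}/auth` location in httpd must be protected by mod_auth_openidc in a mode that accepts bearer tokens rather than redirecting to the browser login; that is the configuration difference behind the 302 you see in the Horizon flow but not from a plain API client.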
FYI, we have another approach as well here: https://github.com/vexxhost/keystoneauth-websso

From: Jonathan Rosser <jonathan.rosser@rd.bbc.co.uk>
Date: Monday, July 15, 2024 at 8:18 AM
To: openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org>
Subject: Re: [keystone] Keystone Single Sign-On for REST API Access
This looks very promising. I'll spend a few hours looking at the code and checking what API requests the CLI plugins make where. This should help a lot. Thanks to both of you for the suggestions.
Participants (4):
- Jonathan Rosser
- Leon Amtmann
- leon.amtmann@ibm.com
- Mohammed Naser