[keystone] Keystone Single Sign-On for REST API Access
Hello OpenStack Community, and greetings especially to the Keystone experts among you.
I'm currently co-administering an OpenStack 17.1.3 cluster with a few compute nodes and three controllers. For a better user experience, we've enabled Single Sign-On using OIDC for Horizon, which is working fabulously. To do that, the [mod_auth_openidc module](https://github.com/OpenIDC/mod_auth_openidc) is configured for httpd on the controller nodes.

However, we're now facing a novel scenario for us. Basically, we want to interact with the OpenStack REST APIs, but not using a usual token request to `/v3/auth/tokens`; instead, using Single Sign-On. We've looked at the authentication request that Horizon makes to Keystone after successful authentication with the SSO provider. As far as we can tell:

1. After successful authentication with the SSO identity provider, Keystone redirects back to the redirect URI with a `grant_id`, `id_token` and `state` in the URL fragment (after `#` in the URL).
2. The redirect URI is `/v3/auth/OS-FEDERATION/websso/openid`, which contains HTML that will read the fragment and POST it as form data to somewhere.
3. Those fragment values get POSTed to `/v3/auth/OS-FEDERATION/websso/openid`.
4. The response from Keystone is an HTML document containing an auth token, rigged to get POSTed to Horizon at `/dashboard/auth/websso/` (presumably to start a fresh session).

So far, so good.
The [Keystone federation documentation](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...) does show the [Horizon flow](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...) in action. I can replicate it in part using cURL, by doing the same requests to the same endpoints that my browser does. However, I do not understand or see a request to `/v3/auth/OS-FEDERATION/websso/mapped` where Keystone actually issues a token. Instead, after the `id_token`, `grant_id`, etc. are POSTed to `/v3/auth/OS-FEDERATION/websso/openid`, Keystone responds with an HTML document containing the token (see step 4. in my earlier list). I've only seen this working for Horizon in an actual browser, though. Am I misunderstanding the documentation?
Right above that in the documentation, there is a section about an unrelated [OpenID Connect Authentication Flow](https://docs.openstack.org/keystone/latest/admin/federation/introduction.htm...). It contains a graphic in which the first request made is a GET request to `/secure`. A direct GET request yields a `404`, so I assume this is a placeholder for any protected resource. However, if I request any protected resource without a valid token, I do not receive a 302 as the graphic would seem to suggest. Is this a behavior that would need to be configured, first?
In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon?
I'm just wondering if I am on the correct path in trying to modify the `10-keystone.wsgi` in `/etc/httpd/conf.d/` to use [multiple providers](https://github.com/OpenIDC/mod_auth_openidc/wiki/Multiple-Providers). If, after starting the SSO process, I end up with a `grant_id` and an `id_token`, where do I POST this to get a Keystone token in return?
After going through the documentation, I am still at a loss. I would appreciate any help. Thank you for your time.
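The four WebSSO steps described above, as an added example that is not part of the original post or of Keystone/Horizon code: it parses the step-1 fragment (and checks `state` against the value from the authorization request, so a response to someone else's request is rejected), builds the step-3 form body, and pulls the token out of the step-4 auto-submitting page instead of letting a browser POST it to Horizon. The sample redirect, the sample HTML (modelled on Keystone's default `sso_callback_template.html`), the hosts, the `state` value, the token and the `TRUSTED_DASHBOARDS` list are all constructed for this example; the last one is assumed to mirror the `[federation] trusted_dashboard` setting on the server, so a token is only accepted if the form would have posted it to a dashboard you trust.

```python
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlsplit

# All values below are constructed for this example; hosts, the state value and
# the token are not from the thread.
WEBSSO_URL = "https://keystone.example.com:5000/v3/auth/OS-FEDERATION/websso/openid"

# Step 1: what the browser lands on after the IdP round-trip (fragment, not query).
SAMPLE_REDIRECT = (WEBSSO_URL + "#id_token=eyJhbGciOi.constructed.idtoken"
                   "&grant_id=0123abcd&state=st4te-from-authz-request")

# Step 4: constructed response modelled on Keystone's default
# sso_callback_template.html with $host and $token filled in.
SAMPLE_WEBSSO_RESPONSE = """<!DOCTYPE html>
<html><head><title>Keystone WebSSO redirect</title></head>
<body>
  <form id="sso" name="sso" action="https://horizon.example.com/dashboard/auth/websso/" method="post">
    Please wait...
    <input type="hidden" name="token" id="token" value="gAAAAA-constructed-unscoped-token"/>
  </form>
  <script type="text/javascript">window.onload = function() { document.forms['sso'].submit(); }</script>
</body></html>"""

# Assumed to mirror Keystone's [federation] trusted_dashboard list on the server.
TRUSTED_DASHBOARDS = ["https://horizon.example.com/dashboard/auth/websso/"]


def parse_callback_fragment(redirect_url, expected_state):
    """Step 1: pull id_token/grant_id/state out of the '#...' fragment and refuse
    the response if 'state' is not the one we were sent out with (CSRF check)."""
    fragment = urlsplit(redirect_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}
    for key in ("id_token", "grant_id", "state"):
        if key not in params:
            raise ValueError(f"fragment is missing {key}")
    if not hmac.compare_digest(params["state"], expected_state):
        raise ValueError("state mismatch: not the response to our authorization request")
    return params


def websso_form_body(params):
    """Steps 2/3: the form-encoded body the redirect page POSTs back to the websso URL."""
    return urlencode({k: params[k] for k in ("id_token", "grant_id", "state")}).encode()


class _SsoFormParser(HTMLParser):
    """Finds the form named 'sso' and its hidden 'token' input."""

    def __init__(self):
        super().__init__()
        self._in_sso = False
        self.action = None
        self.token = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form" and attrs.get("name") == "sso":
            self._in_sso = True
            self.action = attrs.get("action")
        elif tag == "input" and self._in_sso and attrs.get("name") == "token":
            self.token = attrs.get("value")

    def handle_endtag(self, tag):
        if tag == "form":
            self._in_sso = False


def extract_websso_token(html, trusted_dashboards):
    """Step 4: take the token out of the auto-submitting form instead of letting a
    browser POST it on. Only accept it if the form would have posted to a
    dashboard we trust (mirroring the trusted_dashboard check Keystone itself
    makes on the 'origin' parameter)."""
    parser = _SsoFormParser()
    parser.feed(html)
    if parser.action is None or parser.token is None:
        raise ValueError("response does not contain the sso form with a token")
    if parser.action not in trusted_dashboards:
        raise ValueError(f"token destined for untrusted dashboard {parser.action!r}")
    return parser.token


if __name__ == "__main__":
    params = parse_callback_fragment(SAMPLE_REDIRECT, expected_state="st4te-from-authz-request")
    print("would POST to", WEBSSO_URL, "body:", websso_form_body(params))
    print("unscoped token:", extract_websso_token(SAMPLE_WEBSSO_RESPONSE, TRUSTED_DASHBOARDS))
```

The token in the step-4 page is the unscoped Keystone token; Horizon receives it via the POST to `/dashboard/auth/websso/` and then scopes it itself. Note that the WebSSO endpoint is only reachable this way because httpd/mod_auth_openidc sits in front of it in a browser flow, so the `state` check above is the client-side half of what mod_auth_openidc enforces with its own state cookie.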
On 15/07/2024 12:17, leon.amtmann@ibm.com wrote:
In short: How does one end up with an unscoped token when trying to SSO against Keystone from something that is not Horizon?
Is this helpful? https://github.com/IFCA-Advanced-Computing/keystoneauth-oidc
We use this to authenticate the CLI with Keystone/SSO.
Given this works for the CLI, you should be able to use the underlying openstacksdk library and keystoneauth-oidc to get a token in order to interact with the APIs, if I've understood correctly what you want to achieve.
Jonathan.
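For the "where do I POST this to get a Keystone token" question, the exchange Keystone itself supports for non-browser clients is the federation auth endpoint, `/v3/OS-FEDERATION/identity_providers/<idp>/protocols/<protocol>/auth`: a POST there with an `Authorization: Bearer` token that mod_auth_openidc validates returns an unscoped token in `X-Subject-Token`, which is then scoped through the normal `/v3/auth/tokens` request with the `token` auth method. keystoneauth1's own `v3oidcaccesstoken` auth type does this exchange, and it is my reading (worth confirming against the plugin source) that a CLI plugin such as keystoneauth-oidc ends up doing the same after its own OIDC flow. The example below is added here and is not code from the thread, from Keystone or from either plugin; the Keystone URL, the identity provider and protocol ids, the project id and the id_token are assumed values, and `fake_keystone_post` is a constructed stand-in for Keystone so that it runs offline. Whether the endpoint accepts an ID token or an access token as the bearer value depends on how mod_auth_openidc is configured to verify it (`AuthType oauth20` in its terms) on that location, which is httpd config the thread does not show.

```python
import json
import urllib.request

# Assumed deployment values, not from the thread; substitute your own.
AUTH_URL = "https://keystone.example.com:5000/v3"
IDP = "sso"          # identity provider id registered in Keystone
PROTOCOL = "openid"  # protocol id attached to that IdP with a mapping
SAMPLE_ID_TOKEN = "eyJhbGciOi.constructed.idtoken"  # constructed stand-in for the IdP token


def federation_auth_url(auth_url, idp, protocol):
    """Keystone's federation auth endpoint. httpd/mod_auth_openidc must validate the
    bearer token in front of it; Keystone then maps the OIDC claims to a user."""
    return (f"{auth_url.rstrip('/')}/OS-FEDERATION/identity_providers/{idp}"
            f"/protocols/{protocol}/auth")


def http_post(url, headers, body=None):
    """Real transport: returns (status, lower-cased headers, body bytes)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, {k.lower(): v for k, v in resp.headers.items()}, resp.read()


def get_unscoped_token(id_token, auth_url=AUTH_URL, idp=IDP, protocol=PROTOCOL, post=http_post):
    """Exchange the IdP-issued bearer token for an unscoped Keystone token."""
    status, headers, body = post(
        federation_auth_url(auth_url, idp, protocol),
        {"Authorization": f"Bearer {id_token}", "Accept": "application/json"},
    )
    if status != 201:
        raise RuntimeError(f"federation auth failed: HTTP {status} {body[:200]!r}")
    token = headers.get("x-subject-token")
    if not token:
        raise RuntimeError("no X-Subject-Token header in federation auth response")
    info = json.loads(body)["token"]
    if "OS-FEDERATION" not in info.get("user", {}):
        raise RuntimeError("response is not a federated (unscoped) token")
    return token, info


def scope_token(unscoped_token, project_id, auth_url=AUTH_URL, post=http_post):
    """Trade the unscoped token for a project-scoped one via the normal
    /v3/auth/tokens endpoint, using the 'token' auth method."""
    payload = {"auth": {"identity": {"methods": ["token"],
                                     "token": {"id": unscoped_token}},
                        "scope": {"project": {"id": project_id}}}}
    status, headers, body = post(
        f"{auth_url.rstrip('/')}/auth/tokens",
        {"Content-Type": "application/json", "Accept": "application/json"},
        json.dumps(payload).encode(),
    )
    if status != 201:
        raise RuntimeError(f"scoping failed: HTTP {status} {body[:200]!r}")
    return headers["x-subject-token"], json.loads(body)["token"]


def fake_keystone_post(url, headers, body=None):
    """Constructed stand-in for Keystone so the example runs offline. It answers the
    two requests above the way the real service does (201 + X-Subject-Token)."""
    if url.endswith(f"/protocols/{PROTOCOL}/auth"):
        if headers.get("Authorization") != f"Bearer {SAMPLE_ID_TOKEN}":
            return 401, {}, b'{"error": {"code": 401, "title": "Unauthorized"}}'
        info = {"token": {"methods": ["openid"], "user": {"id": "u1", "name": "leon",
                "OS-FEDERATION": {"identity_provider": {"id": IDP},
                                  "protocol": {"id": PROTOCOL}, "groups": [{"id": "g1"}]}}}}
        return 201, {"x-subject-token": "unscoped-constructed"}, json.dumps(info).encode()
    if url.endswith("/auth/tokens"):
        req = json.loads(body)
        if req["auth"]["identity"]["token"]["id"] != "unscoped-constructed":
            return 401, {}, b'{"error": {"code": 401, "title": "Unauthorized"}}'
        info = {"token": {"methods": ["token", "openid"],
                          "project": {"id": req["auth"]["scope"]["project"]["id"]},
                          "catalog": []}}
        return 201, {"x-subject-token": "scoped-constructed"}, json.dumps(info).encode()
    return 404, {}, b""


if __name__ == "__main__":
    unscoped, info = get_unscoped_token(SAMPLE_ID_TOKEN, post=fake_keystone_post)
    print("unscoped:", unscoped, "via", info["user"]["OS-FEDERATION"]["identity_provider"]["id"])
    scoped, sinfo = scope_token(unscoped, "proj-1", post=fake_keystone_post)
    print("scoped:", scoped, "project", sinfo["project"]["id"])
```

Against a real deployment, drop the `post=fake_keystone_post` arguments so the `urllib` transport is used, and expect the first request to fail with 401 until the httpd location for the federation auth endpoint is configured to validate bearer tokens from your provider; that, rather than the websso endpoints Horizon uses, is the place the multiple-provider configuration would need to cover.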
FYI, we have another approach as well here:
https://github.com/vexxhost/keystoneauth-websso
From: Jonathan Rosser jonathan.rosser@rd.bbc.co.uk Date: Monday, July 15, 2024 at 8:18 AM To: openstack-discuss@lists.openstack.org Subject: Re: [keystone] Keystone Single Sign-On for REST API Access
This looks very promising. I'll spend a few hours looking at the code and checking what API requests the CLI plugins make where. This should help a lot. Thanks to both of you for the suggestions.
participants (4)
- Jonathan Rosser
- Leon Amtmann
- leon.amtmann@ibm.com
- Mohammed Naser