[kolla-ansible][openid connect] You are not authorized to perform the requested action
Hello,

I don't know if this is the right place to ask for help - if not, please direct me to the right place.

I have set up kolla-ansible on a single node following the quick start guide [0]. It works fine for a first deployment. I used the stable/2024.2 branch of kolla-ansible and set the openstack version to 2024.2 in my configuration:

globals.yml:
---
openstack_region_name: "Kolla-1"
openstack_release: 2024.2
kolla_base_distro: "ubuntu"
kolla_internal_vip_address: "192.168.122.17"
network_interface: "enp1s0"
neutron_external_interface: "enp7s0"
openstack_logging_debug: "True"
---

Now I want to configure identity federation with keycloak as the idp, following the kolla-ansible guide [1]. Logging in with keycloak works, but when returning to openstack, I get stuck at this url with an error 403:

http://192.168.122.17:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak...

{
  "error": {
    "code": 403,
    "message": "You are not authorized to perform the requested action.",
    "title": "Forbidden"
  }
}

This is my kolla-ansible configuration for oidc:

globals.yml:
---
keystone_identity_providers:
  - name: "keycloak"
    openstack_domain: "federated_domain"
    protocol: "openid"
    identifier: "https://key.example.de/realms/master/"
    public_name: "keycloak"
    attribute_mapping: "attribute_mapping_keycloak"
    metadata_folder: "/etc/kolla/openid/meta-idp"
keystone_identity_mappings:
  - name: "attribute_mapping_keycloak"
    file: "/etc/kolla/openid/attribute_mapping.json"
---

attribute_mapping.json:
---
[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "email": "{1}"
        },
        "group": {
          "domain": {
            "name": "federated_domain"
          },
          "name": "federated_users"
        }
      }
    ],
    "remote": [
      { "type": "OIDC-preferred_username" },
      { "type": "OIDC-email" }
    ]
  }
]
---

In the keystone logs, I see this error, but it doesn't make any sense to me. The user is not created in openstack, so I think my mapping is wrong. But from the logs I cannot see if this is the case or if the error is somewhere else.
Is it possible to check my mapping or increase the log verbosity so I can track down the error? Or do I have an error in my attribute mapping I need to fix?

Cheers
Simon

keystone.log:
---
DEBUG keystone.federation.utils [None req-26e43c00-13ef-4528-916b-01f02d913bdd - - - - - -] Environment variables: {'OIDC-exp': '1746908921', 'OIDC-iat': '1746908021', 'OIDC-auth_time': '1746908021', 'OIDC-jti': 'e95091d5-917f-476e-9c3b-a3bc9781273a', 'OIDC-iss': 'https://key.example.de/realms/master', 'OIDC-aud': 'kolla-1', 'OIDC-sub': '66cb0e3b-6f36-4a9a-a3e5-dff3a101c50b', 'OIDC-typ': 'ID', 'OIDC-azp': 'kolla-1', 'OIDC-nonce': 'WLn2ZbbbzEFXMkX_K0A4AtSqzEV34SicOMgQihdnt9w', 'OIDC-sid': '1c6e9a63-aea1-48c9-a88d-9a797c360527', 'OIDC-acr': '1', 'OIDC-s_hash': 'jmyNoQjZObpgJOA4HXGhxg', 'OIDC-email_verified': '1', 'OIDC-name': 'benutzer-eins user', 'OIDC-preferred_username': 'benutzer-eins', 'OIDC-given_name': 'benutzer-eins', 'OIDC-family_name': 'user', 'OIDC-email': 'benutzer-eins@example.com', 'GATEWAY_INTERFACE': 'CGI/1.1', 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': 'origin=http://192.168.122.17/auth/websso/', 'REQUEST_URI': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=http://192.168.122.17/auth/websso/', 'SCRIPT_NAME': '', 'PATH_INFO': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'PATH_TRANSLATED': '/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'HTTP_HOST': '192.168.122.17:5000', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:136.0) Gecko/20100101 Firefox/136.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'HTTP_ACCEPT_LANGUAGE': 'de', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate', 'HTTP_REFERER': 'http://192.168.122.17:5000/redirect_uri', 'HTTP_DNT': '1', 'HTTP_COOKIE': 'csrftoken=ZQfGrGsm3XmJ3OswG6NApR5a7f9qs3c6; sessionid=7ujqqerc9cqra57j39m089uddll9nxww; mod_auth_openidc_session=1590534026205f6efcb76a27fa26c26b79a7e9c2', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_PRIORITY': 'u=0, i', 'HTTP_X_FORWARDED_FOR': '192.168.122.1', 'HTTP_OIDC_EXP': '1746908921', 'HTTP_OIDC_IAT': '1746908021', 'HTTP_OIDC_JTI': 'e95091d5-917f-476e-9c3b-a3bc9781273a', 'HTTP_OIDC_ISS': 'https://key.example.de/realms/master', 'HTTP_OIDC_AUD': 'kolla-1', 'HTTP_OIDC_SUB': '66cb0e3b-6f36-4a9a-a3e5-dff3a101c50b', 'HTTP_OIDC_TYP': 'ID', 'HTTP_OIDC_AZP': 'kolla-1', 'HTTP_OIDC_NONCE': 'WLn2ZbbbzEFXMkX_K0A4AtSqzEV34SicOMgQihdnt9w', 'HTTP_OIDC_SID': '1c6e9a63-aea1-48c9-a88d-9a797c360527', 'HTTP_OIDC_ACR': '1', 'HTTP_OIDC_NAME': 'benutzer-eins user', 'HTTP_OIDC_EMAIL': 'benutzer-eins@example.com', 'SERVER_SIGNATURE': '', 'SERVER_SOFTWARE': 'Apache', 'SERVER_NAME': '192.168.122.17', 'SERVER_ADDR': '192.168.122.16', 'SERVER_PORT': '5000', 'REMOTE_ADDR': '192.168.122.1', 'DOCUMENT_ROOT': '/var/www/html', 'REQUEST_SCHEME': 'http', 'CONTEXT_PREFIX': '', 'CONTEXT_DOCUMENT_ROOT': '/var/www/html', 'SERVER_ADMIN': '[no address given]', 'SCRIPT_FILENAME': '/var/lib/kolla/venv/bin/keystone-wsgi-public', 'REMOTE_PORT': '52286', 'REMOTE_USER': '66cb0e3b-6f36-4a9a-a3e5-dff3a101c50b@key.example.de/realms/master', 'AUTH_TYPE': 'openid-connect', 'mod_wsgi.script_name': '', 'mod_wsgi.path_info': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'mod_wsgi.process_group': 'keystone-public', 'mod_wsgi.application_group': '', 'mod_wsgi.callable_object': 'application', 'mod_wsgi.request_handler': 'wsgi-script', 'mod_wsgi.handler_script': '', 'mod_wsgi.script_reloading': '1', 'mod_wsgi.listener_host': '192.168.122.16', 'mod_wsgi.listener_port': '5000', 'mod_wsgi.enable_sendfile': '0', 'mod_wsgi.ignore_activity': '0', 'mod_wsgi.request_start': '1746908021678260', 'mod_wsgi.request_id': 'tGAWuHXKmNw', 'mod_wsgi.connection_id': 'UeMTuPXKmNw', 'mod_wsgi.queue_start': '1746908021679103', 'mod_wsgi.daemon_connects': '1', 'mod_wsgi.daemon_restarts': '0', 'mod_wsgi.daemon_start': '1746908021679325', 'mod_wsgi.script_start': '1746908021679510', 'wsgi.version': (1, 0), 'wsgi.multithread': False, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'http', 'wsgi.errors': <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'>, 'wsgi.input': <oslo_middleware.sizelimit.LimitingReader object at 0x71e1c5cf85f0>, 'wsgi.input_terminated': True, 'wsgi.file_wrapper': <class 'mod_wsgi.FileWrapper'>, 'apache.version': (2, 4, 58), 'mod_wsgi.version': (5, 0, 0), 'mod_wsgi.total_requests': 54, 'mod_wsgi.thread_id': 1, 'mod_wsgi.thread_requests': 54, 'werkzeug.proxy_fix.orig': {'REMOTE_ADDR': '192.168.122.16', 'wsgi.url_scheme': 'http', 'HTTP_HOST': '192.168.122.17:5000', 'SERVER_NAME': '192.168.122.17', 'SERVER_PORT': '5000', 'SCRIPT_NAME': ''}, 'webob.adhoc_attrs': {'response': <_AuthTokenResponse at 0x71e1c5b5c2f0 200 OK>}, 'webob.is_body_seekable': False, 'openstack.request_id': 'req-26e43c00-13ef-4528-916b-01f02d913bdd', 'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x71e1c5b5efc0>, 'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x71e1c5b5e270>, 'werkzeug.request': <Request 'http://192.168.122.17:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak...' [GET]>} get_assertion_params_from_env /var/lib/kolla/venv/lib/python3.12/site-packages/keystone/federation/utils.py:453
ERROR keystone.server.flask.application [None req-26e43c00-13ef-4528-916b-01f02d913bdd - - - - - -] You are not authorized to perform the requested action.: keystone.exception.Forbidden: You are not authorized to perform the requested action.
ERROR keystone.server.flask.application Traceback (most recent call last):
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 295, in error_router
ERROR keystone.server.flask.application     return self.handle_error(e)
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 310, in handle_error
ERROR keystone.server.flask.application     _handle_flask_propagate_exceptions_config(current_app, e)
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask/app.py", line 880, in full_dispatch_request
ERROR keystone.server.flask.application     rv = self.dispatch_request()
ERROR keystone.server.flask.application          ^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask/app.py", line 865, in dispatch_request
ERROR keystone.server.flask.application     return self.ensure_sync(self.view_functions[rule.endpoint])(**view_args) # type: ignore[no-any-return]
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 489, in wrapper
ERROR keystone.server.flask.application     resp = resource(*args, **kwargs)
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask/views.py", line 110, in view
ERROR keystone.server.flask.application     return current_app.ensure_sync(self.dispatch_request)(**kwargs) # type: ignore[no-any-return]
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/flask_restful/__init__.py", line 604, in dispatch_request
ERROR keystone.server.flask.application     resp = meth(*args, **kwargs)
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/server/flask/common.py", line 1133, in wrapper
ERROR keystone.server.flask.application     return f(*args, **kwargs)
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/api/auth.py", line 403, in get
ERROR keystone.server.flask.application     return self._perform_auth(idp_id, protocol_id)
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/api/auth.py", line 396, in _perform_auth
ERROR keystone.server.flask.application     token = authentication.federated_authenticate_for_token(
ERROR keystone.server.flask.application             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/api/_shared/authentication.py", line 276, in federated_authenticate_for_token
ERROR keystone.server.flask.application     return authenticate_for_token(auth)
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/api/_shared/authentication.py", line 201, in authenticate_for_token
ERROR keystone.server.flask.application     authenticate(auth_info, auth_context)
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/api/_shared/authentication.py", line 169, in authenticate
ERROR keystone.server.flask.application     resp = method.authenticate(auth_info.get_method_data(method_name))
ERROR keystone.server.flask.application            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/auth/plugins/mapped.py", line 59, in authenticate
ERROR keystone.server.flask.application     response_data = handle_unscoped_token(
ERROR keystone.server.flask.application                     ^^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/auth/plugins/mapped.py", line 273, in handle_unscoped_token
ERROR keystone.server.flask.application     mapped_properties, mapping_id = apply_mapping_filter(
ERROR keystone.server.flask.application                                     ^^^^^^^^^^^^^^^^^^^^^
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/auth/plugins/mapped.py", line 380, in apply_mapping_filter
ERROR keystone.server.flask.application     utils.validate_idp(idp, protocol, assertion)
ERROR keystone.server.flask.application   File "/var/lib/kolla/venv/lib/python3.12/site-packages/keystone/federation/utils.py", line 354, in validate_idp
ERROR keystone.server.flask.application     raise exception.Forbidden(msg)
ERROR keystone.server.flask.application keystone.exception.Forbidden: You are not authorized to perform the requested action.
---

[0] https://docs.openstack.org/kolla-ansible/latest/user/quickstart.html
[1] https://docs.openstack.org/kolla-ansible/latest/contributor/setup-identity-p...
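The traceback in the post ends in keystone's validate_idp (keystone/federation/utils.py), which apply_mapping_filter calls before the mapping rules are evaluated, so the attribute mapping has not been exercised yet at the point of failure. The following is an added example, not code from the post, from keystone or from kolla-ansible: a stand-alone re-implementation of that remote-id check, fed with the OIDC-iss value from the environment dump and the identifier from globals.yml, showing what an exact-string comparison of those two values yields. It assumes that kolla-ansible registers `identifier` as the provider's remote id and configures remote_id_attribute = OIDC-iss for the openid protocol.

```python
# Constructed from values in the post: the OIDC-* variables mod_auth_openidc
# handed to keystone (trimmed) and the provider as kolla-ansible registers it.
# ASSUMPTIONS: kolla-ansible registers the globals.yml `identifier` as the
# provider's remote id and sets remote_id_attribute = OIDC-iss for openid.
ASSERTION = {"OIDC-iss": "https://key.example.de/realms/master",
             "OIDC-preferred_username": "benutzer-eins",
             "OIDC-email": "benutzer-eins@example.com"}
IDP_FROM_GLOBALS = {"id": "keycloak",
                    "remote_ids": ["https://key.example.de/realms/master/"]}
REMOTE_ID_ATTRIBUTE = "OIDC-iss"

class Forbidden(Exception): pass        # stand-in for keystone.exception.Forbidden
class ValidationError(Exception): pass  # stand-in for keystone.exception.ValidationError

def validate_idp(idp, remote_id_attribute, assertion):
    """Same decision as keystone.federation.utils.validate_idp: the assertion's
    remote_id_attribute value must be one of the provider's remote_ids,
    compared as exact strings (keystone does no URL normalisation)."""
    if not remote_id_attribute or not idp["remote_ids"]:
        return None  # keystone skips the check when nothing is configured
    try:
        incoming = assertion[remote_id_attribute]
    except KeyError:
        raise ValidationError("Could not find Identity Provider identifier in environment")
    if incoming not in idp["remote_ids"]:
        raise Forbidden("Incoming identity provider identifier not included "
                        "among the accepted identifiers.")
    return incoming

def check(idp, assertion, remote_id_attribute=REMOTE_ID_ATTRIBUTE):
    """Classify the outcome so a mismatch is not hidden behind a bare 403."""
    try:
        validate_idp(idp, remote_id_attribute, assertion)
    except Forbidden:
        return "forbidden"
    except ValidationError:
        return "missing"
    return "ok"

def diff_identifiers(incoming, accepted):
    """Say how the incoming issuer differs from each accepted remote_id."""
    notes = []
    for rid in accepted:
        if rid == incoming:
            return ["exact match: " + rid]
        if rid.rstrip("/") == incoming.rstrip("/"):
            notes.append("%s vs %s: differ only by a trailing slash" % (rid, incoming))
        else:
            notes.append("%s vs %s: differ in scheme, host or path" % (rid, incoming))
    return notes
```

Keystone replaces the detail of a Forbidden with the generic "You are not authorized to perform the requested action." text unless `insecure_debug = True` is set under [DEFAULT] in keystone.conf, which is the setting that surfaces the specific reason on a test deployment.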
participants (1): hobyte@posteo.de