Keystone auth method v3oidcpassword throws RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.

Rafael Weingärtner rafaelweingartner at gmail.com
Wed Oct 21 11:25:31 UTC 2020


Because the Keystone config that you have might not support it. You may
want to take a look at: https://review.opendev.org/#/c/693232/ and
https://review.opendev.org/#/c/695432/, especially this file:
https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2

On Wed, Oct 21, 2020 at 7:18 AM Robert Duncan <Robert.Duncan at ncirl.ie>
wrote:

> I'm trying to use openID with
> openstack --version
> openstack 5.2.0
>
> keystoneauth1==3.17.3
> keystonemiddleware==7.0.1
> python-keystoneclient==3.21.0
>
> I have created an RC file like so:
>
> export OS_INTERFACE="public"
> export OS_AUTH_URL="https://openstack:5000/v3"
> export OS_IDENTITY_PROVIDER="<my_idp>"
> export OS_PROTOCOL="openid"
> export OS_CLIENT_ID="<the -id >"
> export OS_CLIENT_SECRET="<the secret>"
> export OS_DISCOVERY_ENDPOINT="https://login.microsoftonline.com/
> <the-tenant-id>/v2.0/.well-known/openid-configuration"
> export OS_IDENTITY_API_VERSION="3"
> export OS_AUTH_TYPE="v3oidcpassword"
> export OS_USERNAME="<AzureAD user>"
> # this is the local openstack project id
> export OS_PROJECT_ID="<The project ID>"
> # set password by querying user
> export OS_PASSWORD=""
> echo "Please enter your O365 Password: "
> read -sr OS_PASSWORD_INPUT
> export OS_PASSWORD=$OS_PASSWORD_INPUT
>
> All is working on Horizon WebSSO, but I cannot access the API.
> The openstack --debug output shows that I get a token from MS.
>
> debug info (redacted)
>
>
> command: token issue -> openstackclient.identity.v3.token.IssueToken
> (auth=True)
> Auth plugin v3oidcpassword selected
> auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None,
> 'cert': None, 'key': None, 'baremetal_status_code_retries': '5',
> 'baremetal_introspection_status_code_retries': '5',
> 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface':
> 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False,
> 'image_format': 'qcow2', 'message': '', 'network_api_version': '2',
> 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status':
> 'active', 'auth': {'project_id': '516706052ebd4f9a89c0b7d7e075754d'},
> 'additional_user_agent': [('osc-lib', '2.0.0')], 'verbose_level': 3,
> 'deferred_help': False, 'debug': True, 'default_domain': 'default',
> 'timing': False, 'auth_url': 'https://openstack.*********:5000/v3',
> 'username': 'r********', 'password': '***', 'identity_provider': '*****',
> 'protocol': 'openid', 'client_id': '*******', 'client_secret': '***',
> 'discovery_endpoint': '
> https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration',
> 'beta_command': False, 'identity_api_version': '3',
> 'data_processing_api_version': '1.1', 'container_infra_api_version': '1',
> 'region_name': '', 'auth_type': 'v3oidcpassword', 'networks': []}
> Using auth plugin: v3oidcpassword
> Using parameters {'auth_url': 'https://openstack.******:5000/v3',
> 'project_id': '516706052ebd4f9a89c0b7d7e07575, 'identity_provider':
> '*****', 'protocol': 'openid', 'client_id': '********', 'client_secret':
> '***', 'discovery_endpoint': '
> https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration',
> 'username': '*****', 'password': '***'}
> Get auth_ref
> REQ: curl -g -i -X GET
> https://login.microsoftonline.com/*****/v2.0/.well-known/openid-configuration
> -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0
> python-requests/2.22.0 CPython/3.8.2"
> Starting new HTTPS connection (1): login.microsoftonline.com:443
> https://login.microsoftonline.com:443 "GET
> /******/v2.0/.well-known/openid-configuration HTTP/1.1" 200 1651
> RESP: [200] Access-Control-Allow-Methods: GET, OPTIONS
> Access-Control-Allow-Origin: * Cache-Control: max-age=86400, private
> Content-Length: 1651 Content-Type: application/json; charset=utf-8 Date:
> Wed, 21 Oct 2020 09:37:13 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN"
> Set-Cookie: fpc=AhupGfLmUQlEsKNlR-m0ATg; expires=Fri, 20-Nov-2020 09:37:14
> GMT; path=/; secure; HttpOnly; SameSite=None, esctx=*****: domain=.
> login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None,
> x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly,
> stsservicecookie=estsfd; path=/; secure; samesite=none; httponly
> Strict-Transport-Security: max-age=31536000; includeSubDomains
> X-Content-Type-Options: nosniff x-ms-ests-server: 2.1.11154.9 - NEULR2
> ProdSlices x-ms-request-id: 0819033b-dcb3-409a-8115-54dc06a31900
> RESP BODY: {"token_endpoint":"
> https://login.microsoftonline.com/*****/oauth2/v2.0/token
> ","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"
> https://login.microsoftonline.com/****/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code
> id_token","id_token
> token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"
> https://login.microsoftonline.com/****/v2.0
> ","request_uri_parameter_supported":false,"userinfo_endpoint":"
> https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"
> https://login.microsoftonline.com/****/oauth2/v2.0/authorize
> ","device_authorization_endpoint":"
> https://login.microsoftonline.com/*****/oauth2/v2.0/devicecode
> ","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"
> https://login.microsoftonline.com/****/oauth2/v2.0/logout
> ","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":"EU","cloud_instance_name":"
> microsoftonline.com","cloud_graph_host_name":"graph.windows.net
> ","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net
> "}
> REQ: curl -g -i -X POST
> https://login.microsoftonline.com/******/oauth2/v2.0/token -H
> "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0
> CPython/3.8.2" -d '{'username': '*****', 'password': '*****', 'scope':
> 'openid profile', 'grant_type': 'password'}'
> https://login.microsoftonline.com:443 "POST /*****/oauth2/v2.0/token
> HTTP/1.1" 200 3764
> RESP: [200] Cache-Control: no-store, no-cache Content-Length: 3764
> Content-Type: application/json; charset=utf-8 Date: Wed, 21 Oct 2020
> 09:37:14 GMT Expires: -1 P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Pragma:
> no-cache Set-Cookie: fpc=****; expires=Fri, 20-Nov-2020 09:37:14 GMT;
> path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/;
> secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure;
> samesite=none; httponly Strict-Transport-Security: max-age=31536000;
> includeSubDomains X-Content-Type-Options: nosniff x-ms-ests-server:
> 2.1.11154.9 - WEULR1 ProdSlices x-ms-request-id:
> 92d66fde-6763-4be2-b1cf-00fd18bc1800
> RESP BODY: {"token_type":"Bearer","scope":"email openid profile
> 00000003-0000-0000-c000-000000000000/User.Read","expires_in":3599,"ext_expires_in":3599,"access_token":"<the
> access token>","id_token":"<the id token>"}
> REQ: curl -g -i -X POST https://openstack***:5000/v3/OS-FEDERATION/identity_providers/***/protocols/openid/auth
> -H "Authorization:
> {SHA256}aff774c8663ee647a08aefcea698f8c30e1d1cc8d85a3d55a17cae53defd8955"
> -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0
> python-requests/2.22.0 CPython/3.8.2"
> Starting new HTTPS connection (1): openstack.****:5000
> https://openstack.***:5000 "POST
> /v3/OS-FEDERATION/identity_providers/****/protocols/openid/auth HTTP/1.1"
> 200 541
> RESP: [200] Content-Length: 541 Content-Type: text/html Date: Wed, 21 Oct
> 2020 09:37:14 GMT Server: Apache
> RESP BODY: Omitted, Content-Type is set to text/html. Only
> application/json responses have their bodies logged.
> Expecting value: line 1 column 1 (char 0)
> Traceback (most recent call last):
>   File "/usr/lib/python3/dist-packages/cliff/app.py", line 393, in
> run_subcommand
>     self.prepare_to_run_command(cmd)
>   File "/usr/lib/python3/dist-packages/osc_lib/shell.py", line 493, in
> prepare_to_run_command
>     self.client_manager.auth_ref
>   File "/usr/lib/python3/dist-packages/osc_lib/clientmanager.py", line
> 202, in auth_ref
>     self._auth_ref = self.auth.get_auth_ref(self.session)
>   File
> "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/federation.py",
> line 65, in get_auth_ref
>     auth_ref = self.get_unscoped_auth_ref(session)
>   File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py",
> line 265, in get_unscoped_auth_ref
>     return access.create(resp=response)
>   File "/usr/lib/python3/dist-packages/keystoneauth1/access/access.py",
> line 36, in create
>     body = resp.json()
>   File "/usr/lib/python3/dist-packages/requests/models.py", line 897, in
> json
>     return complexjson.loads(self.text, **kwargs)
>
> What's gone wrong?
>
> thanks,
> Rob.
>
>


-- 
Rafael Weingärtner
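An added diagnostic example (not code from either poster or from keystoneauth1) that checks a response from Keystone's federation auth endpoint before parsing it as JSON. It assumes the flow visible in the traceback above: keystoneauth1 POSTs the IdP access token to /v3/OS-FEDERATION/identity_providers/<idp>/protocols/openid/auth and calls resp.json(), so an HTTP 200 with Content-Type text/html (the web server answering instead of Keystone) surfaces only as "Expecting value: line 1 column 1 (char 0)". The sample responses are constructed.

```python
"""Classify a reply from Keystone's OS-FEDERATION auth endpoint before
calling .json() on it, so a text/html answer is reported as a misconfigured
Apache <Location> rather than as a bare JSON decode error."""
import json

FEDERATION_AUTH_PATH = (
    "/v3/OS-FEDERATION/identity_providers/{idp}/protocols/{proto}/auth")


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify_federation_response(status, headers, body):
    """Return (verdict, detail). Verdicts: 'ok', 'http_error', 'not_json'
    (the text/html case from the thread), 'bad_json', 'no_subject_token'."""
    if status not in (200, 201):          # Keystone issues tokens with 201
        return "http_error", "Keystone returned HTTP %d" % status
    ctype = _header(headers, "Content-Type").split(";")[0].strip().lower()
    if ctype != "application/json":
        return "not_json", (
            "Content-Type is %r, not application/json: the federation path "
            "was answered by the web server / auth module, not by Keystone; "
            "check the Apache <Location> covering %s"
            % (ctype or "<missing>", FEDERATION_AUTH_PATH))
    try:
        data = json.loads(body)
    except ValueError as exc:
        return "bad_json", "body is not valid JSON: %s" % exc
    if "token" not in data:
        return "bad_json", "JSON body has no 'token' object"
    if not _header(headers, "X-Subject-Token"):   # the unscoped token itself
        return "no_subject_token", "token body present but X-Subject-Token missing"
    return "ok", "unscoped federated token, methods=%s" % data["token"].get("methods")


# Constructed samples (not captured from the thread): the failing shape seen
# above (200, text/html, Server: Apache) and a healthy Keystone reply.
HTML_CASE = (200, {"Content-Type": "text/html", "Server": "Apache"},
             "<html><body>Redirecting...</body></html>")
JSON_CASE = (201, {"Content-Type": "application/json",
                   "X-Subject-Token": "gAAAA-constructed-example"},
             json.dumps({"token": {"methods": ["openid"],
                                   "user": {"name": "example-user"}}}))

if __name__ == "__main__":
    for case in (HTML_CASE, JSON_CASE):
        print(classify_federation_response(*case))
```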