Keystone auth method v3oidcpassword throws RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.

Robert Duncan Robert.Duncan at ncirl.ie
Wed Oct 21 12:33:56 UTC 2020


Thanks Rafael, I can see a small difference in https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2
specifically, in my wsgi-keystone the API is protected with AuthType openid-connect
I have changed wsgi-keystone to use the authtype auth-openidc

now I am getting 401 because:

"POST /v3/OS-FEDERATION/identity_providers/****/protocols/openid/auth HTTP/1.1" 401 381
RESP: [401] Content-Length: 381 Content-Type: text/html; charset=iso-8859-1 Date: Wed, 21 Oct 2020 12:28:33 GMT Server: Apache WWW-Authenticate: Bearer error="invalid_token", error_description="JWT token could not be validated"
RESP BODY: Omitted, Content-Type is set to text/html; charset=iso-8859-1. Only application/json responses have their bodies logged.
Request returned failure status: 401
Unauthorized (HTTP 401)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cliff/app.py", line 393, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/lib/python3/dist-packages/osc_lib/shell.py", line 493, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/lib/python3/dist-packages/osc_lib/clientmanager.py", line 202, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/federation.py", line 65, in get_auth_ref
    auth_ref = self.get_unscoped_auth_ref(session)
  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py", line 262, in get_unscoped_auth_ref
    response = self._get_keystone_token(session, access_token)
  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py", line 219, in _get_keystone_token
    auth_response = session.post(self.federated_token_url,
  File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 1131, in post
    return self.request(url, 'POST', **kwargs)
  File "/usr/lib/python3/dist-packages/keystoneauth1/session.py", line 968, in request
    raise exceptions.from_response(resp, method, url)
keystoneauth1.exceptions.http.Unauthorized: Unauthorized (HTTP 401)
clean_up IssueToken: Unauthorized (HTTP 401)
END return value: 1

much appreciated
Rob.
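As an added example (not from this thread, keystoneauth1 or mod_auth_openidc), a stdlib-only Python triage helper for the 401 "JWT token could not be validated" above: it decodes the access token's header and claims without verifying the signature and checks them against the issuer and signing algorithms from the discovery document plus the audience the Keystone OIDC client expects. The discovery subset, the tenant placeholder and the sample tokens are constructed; the expected audience value is an assumption, not a value from the thread.

```python
import base64
import json
import time

# Discovery subset in the shape of the openid-configuration response shown in
# the thread; the tenant id is a placeholder, not a value from the thread.
DISCOVERY = {
    "issuer": "https://login.microsoftonline.com/<tenant-id>/v2.0",
    "id_token_signing_alg_values_supported": ["RS256"],
}

def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_unverified(token):
    """Split a compact JWS into (header, claims) WITHOUT verifying the signature.
    Signature checks need the keys behind jwks_uri and a crypto library; this
    only exposes the claims so a 401 from the validator can be triaged."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three dot-separated segments")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def triage_token(token, discovery, expected_audience, now=None):
    """Return the claim checks (the kind a validator such as mod_auth_openidc
    applies) that this token fails; an empty list leaves signature and key set
    as the remaining suspects."""
    now = time.time() if now is None else now
    header, claims = decode_jwt_unverified(token)
    problems = []
    if header.get("alg") not in discovery["id_token_signing_alg_values_supported"]:
        problems.append("alg %r not advertised by the provider" % header.get("alg"))
    if claims.get("iss") != discovery["issuer"]:
        problems.append("iss %r differs from discovery issuer" % claims.get("iss"))
    aud = claims.get("aud")
    if expected_audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud %r does not include the expected client_id" % aud)
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems

def make_sample_token(claims):
    """Constructed sample token with a dummy signature, for offline triage only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return header + "." + body + "." + _b64url_encode(b"dummy-signature")
```

Run `triage_token(<access_token>, DISCOVERY, <keystone client_id>)` on a real token only after replacing the placeholder issuer with the one from your own discovery document.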
________________________________
From: Rafael Weingärtner <rafaelweingartner at gmail.com>
Sent: Wednesday 21 October 2020 12:25
To: Robert Duncan <Robert.Duncan at ncirl.ie>
Cc: openstack-discuss at lists.openstack.org <openstack-discuss at lists.openstack.org>
Subject: Re: Keystone auth method v3oidcpassword throws RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.

Because Keystone configs that you have, might not be supporting it. You may want to take a look at: https://review.opendev.org/#/c/693232/ and https://review.opendev.org/#/c/695432/, specially this file: https://review.opendev.org/#/c/695432/38/ansible/roles/keystone/templates/wsgi-keystone.conf.j2

On Wed, Oct 21, 2020 at 7:18 AM Robert Duncan <Robert.Duncan at ncirl.ie> wrote:
I'm trying to use openID with
openstack --version
openstack 5.2.0

keystoneauth1==3.17.3
keystonemiddleware==7.0.1
python-keystoneclient==3.21.0

I have created an RC file like so :

export OS_INTERFACE="public"
export OS_AUTH_URL="https://openstack:5000/v3"
export OS_IDENTITY_PROVIDER="<my_idp>"
export OS_PROTOCOL="openid"
export OS_CLIENT_ID="<the -id >"
export OS_CLIENT_SECRET="<the secret>"
export OS_DISCOVERY_ENDPOINT="https://login.microsoftonline.com/<the-tenant-id>/v2.0/.well-known/openid-configuration"
export OS_IDENTITY_API_VERSION="3"
export OS_AUTH_TYPE="v3oidcpassword"
export OS_USERNAME="<AzureAD user>"
# this is the local openstack project id
export OS_PROJECT_ID="<The project ID>"
# set password by querying user
export OS_PASSWORD=""
echo "Please enter your O365 Password: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT

all is working on Horizon WebSSO, but I cannot access the API
the openstack --debug output shows that I get a token from MS

debug info (redacted)


command: token issue -> openstackclient.identity.v3.token.IssueToken (auth=True)
Auth plugin v3oidcpassword selected
auth_config_hook(): {'api_timeout': None, 'verify': True, 'cacert': None, 'cert': None, 'key': None, 'baremetal_status_code_retries': '5', 'baremetal_introspection_status_code_retries': '5', 'image_status_code_retries': '5', 'disable_vendor_agent': {}, 'interface': 'public', 'floating_ip_source': 'neutron', 'image_api_use_tasks': False, 'image_format': 'qcow2', 'message': '', 'network_api_version': '2', 'object_store_api_version': '1', 'secgroup_source': 'neutron', 'status': 'active', 'auth': {'project_id': '516706052ebd4f9a89c0b7d7e075754d'}, 'additional_user_agent': [('osc-lib', '2.0.0')], 'verbose_level': 3, 'deferred_help': False, 'debug': True, 'default_domain': 'default', 'timing': False, 'auth_url': 'https://openstack.*********:5000/v3', 'username': 'r********', 'password': '***', 'identity_provider': '*****', 'protocol': 'openid', 'client_id': '*******', 'client_secret': '***', 'discovery_endpoint': 'https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration', 'beta_command': False, 'identity_api_version': '3', 'data_processing_api_version': '1.1', 'container_infra_api_version': '1', 'region_name': '', 'auth_type': 'v3oidcpassword', 'networks': []}
Using auth plugin: v3oidcpassword
Using parameters {'auth_url': 'https://openstack.******:5000/v3', 'project_id': '516706052ebd4f9a89c0b7d7e07575, 'identity_provider': '*****', 'protocol': 'openid', 'client_id': '********', 'client_secret': '***', 'discovery_endpoint': 'https://login.microsoftonline.com/*******/v2.0/.well-known/openid-configuration', 'username': '*****', 'password': '***'}
Get auth_ref
REQ: curl -g -i -X GET https://login.microsoftonline.com/*****/v2.0/.well-known/openid-configuration -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0 CPython/3.8.2"
Starting new HTTPS connection (1): login.microsoftonline.com:443
https://login.microsoftonline.com:443 "GET /******/v2.0/.well-known/openid-configuration HTTP/1.1" 200 1651
RESP: [200] Access-Control-Allow-Methods: GET, OPTIONS Access-Control-Allow-Origin: * Cache-Control: max-age=86400, private Content-Length: 1651 Content-Type: application/json; charset=utf-8 Date: Wed, 21 Oct 2020 09:37:13 GMT P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Set-Cookie: fpc=AhupGfLmUQlEsKNlR-m0ATg; expires=Fri, 20-Nov-2020 09:37:14 GMT; path=/; secure; HttpOnly; SameSite=None, esctx=*****: domain=.login.microsoftonline.com; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff x-ms-ests-server: 2.1.11154.9 - NEULR2 ProdSlices x-ms-request-id: 0819033b-dcb3-409a-8115-54dc06a31900
RESP BODY: {"token_endpoint":"https://login.microsoftonline.com/*****/oauth2/v2.0/token","token_endpoint_auth_methods_supported":["client_secret_post","private_key_jwt","client_secret_basic"],"jwks_uri":"https://login.microsoftonline.com/****/discovery/v2.0/keys","response_modes_supported":["query","fragment","form_post"],"subject_types_supported":["pairwise"],"id_token_signing_alg_values_supported":["RS256"],"response_types_supported":["code","id_token","code id_token","id_token token"],"scopes_supported":["openid","profile","email","offline_access"],"issuer":"https://login.microsoftonline.com/****/v2.0","request_uri_parameter_supported":false,"userinfo_endpoint":"https://graph.microsoft.com/oidc/userinfo","authorization_endpoint":"https://login.microsoftonline.com/****/oauth2/v2.0/authorize","device_authorization_endpoint":"https://login.microsoftonline.com/*****/oauth2/v2.0/devicecode","http_logout_supported":true,"frontchannel_logout_supported":true,"end_session_endpoint":"https://login.microsoftonline.com/****/oauth2/v2.0/logout","claims_supported":["sub","iss","cloud_instance_name","cloud_instance_host_name","cloud_graph_host_name","msgraph_host","aud","exp","iat","auth_time","acr","nonce","preferred_username","name","tid","ver","at_hash","c_hash","email"],"tenant_region_scope":"EU","cloud_instance_name":"microsoftonline.com","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","rbac_url":"https://pas.windows.net"}
REQ: curl -g -i -X POST https://login.microsoftonline.com/******/oauth2/v2.0/token -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0 CPython/3.8.2" -d '{'username': '*****', 'password': '*****', 'scope': 'openid profile', 'grant_type': 'password'}'
https://login.microsoftonline.com:443 "POST /*****/oauth2/v2.0/token HTTP/1.1" 200 3764
RESP: [200] Cache-Control: no-store, no-cache Content-Length: 3764 Content-Type: application/json; charset=utf-8 Date: Wed, 21 Oct 2020 09:37:14 GMT Expires: -1 P3P: CP="DSP CUR OTPi IND OTRi ONL FIN" Pragma: no-cache Set-Cookie: fpc=****; expires=Fri, 20-Nov-2020 09:37:14 GMT; path=/; secure; HttpOnly; SameSite=None, x-ms-gateway-slice=estsfd; path=/; secure; samesite=none; httponly, stsservicecookie=estsfd; path=/; secure; samesite=none; httponly Strict-Transport-Security: max-age=31536000; includeSubDomains X-Content-Type-Options: nosniff x-ms-ests-server: 2.1.11154.9 - WEULR1 ProdSlices x-ms-request-id: 92d66fde-6763-4be2-b1cf-00fd18bc1800
RESP BODY: {"token_type":"Bearer","scope":"email openid profile 00000003-0000-0000-c000-000000000000/User.Read","expires_in":3599,"ext_expires_in":3599,"access_token":"<the access token>","id_token":"<the id token>"}
REQ: curl -g -i -X POST https://openstack***:5000/v3/OS-FEDERATION/identity_providers/***/protocols/openid/auth -H "Authorization: {SHA256}aff774c8663ee647a08aefcea698f8c30e1d1cc8d85a3d55a17cae53defd8955" -H "User-Agent: openstacksdk/0.46.0 keystoneauth1/4.0.0 python-requests/2.22.0 CPython/3.8.2"
Starting new HTTPS connection (1): openstack.****:5000
https://openstack.***:5000 "POST /v3/OS-FEDERATION/identity_providers/****/protocols/openid/auth HTTP/1.1" 200 541
RESP: [200] Content-Length: 541 Content-Type: text/html Date: Wed, 21 Oct 2020 09:37:14 GMT Server: Apache
RESP BODY: Omitted, Content-Type is set to text/html. Only application/json responses have their bodies logged.
Expecting value: line 1 column 1 (char 0)
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/cliff/app.py", line 393, in run_subcommand
    self.prepare_to_run_command(cmd)
  File "/usr/lib/python3/dist-packages/osc_lib/shell.py", line 493, in prepare_to_run_command
    self.client_manager.auth_ref
  File "/usr/lib/python3/dist-packages/osc_lib/clientmanager.py", line 202, in auth_ref
    self._auth_ref = self.auth.get_auth_ref(self.session)
  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/federation.py", line 65, in get_auth_ref
    auth_ref = self.get_unscoped_auth_ref(session)
  File "/usr/lib/python3/dist-packages/keystoneauth1/identity/v3/oidc.py", line 265, in get_unscoped_auth_ref
    return access.create(resp=response)
  File "/usr/lib/python3/dist-packages/keystoneauth1/access/access.py", line 36, in create
    body = resp.json()
  File "/usr/lib/python3/dist-packages/requests/models.py", line 897, in json
    return complexjson.loads(self.text, **kwargs)

what's gone wrong?

thanks,
Rob.

________________________________


--
Rafael Weingärtner