From 01a8c1fcabcf9d64b48fc1ca4b425aa3ca80c670 Mon Sep 17 00:00:00 2001
From: pedro
Date: Mon, 11 Nov 2019 14:34:19 -0300
Subject: [PATCH] Update OIDC documentation to handle bearer access token flow
Also add a section of multiple Identity Providers configuration.
Change-Id: I398b151904c9c5c9d0c3ab4358074e8adcfd1b6c
---
 doc/source/admin/federation/openidc.inc | 147 +++++++++++++++++++++++-
 1 file changed, 146 insertions(+), 1 deletion(-)
diff --git a/doc/source/admin/federation/openidc.inc b/doc/source/admin/federation/openidc.inc
index f6c4794473..716ddfbb6e 100644
--- a/doc/source/admin/federation/openidc.inc
+++ b/doc/source/admin/federation/openidc.inc
@@ -59,6 +59,7 @@ options:
 OIDCResponseType "id_token"
 OIDCScope "openid email profile"
 OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
+ OIDCOAuthVerifyJwksUri https://www.googleapis.com/oauth2/v3/certs
 OIDCClientID
 OIDCClientSecret
 OIDCCryptoPassphrase
@@ -68,7 +69,13 @@ options:
 Identity Provider to send to the Service Provider. ``OIDCClientID`` and ``OIDCClientSecret`` must be generated and obtained from the Identity Provider. ``OIDCProviderMetadataURL`` is a URL from which the Service Provider will fetch
-the Identity Provider's metadata. ``OIDCRedirectURI`` is a vanity URL that must
+the Identity Provider's metadata. ``OIDCOAuthVerifyJwksUri`` is a URL from
+which the Service Provider will download the public key from the Identity
+Provider to check if the user's access token is valid or not, this configuration
+must be used while using the AuthType ``auth-openidc``, when using the AuthType
+``openid-connect`` and the OIDCProviderMetadataURL is configured, this property
+will not be necessary.
+``OIDCRedirectURI`` is a vanity URL that must
 point to a protected path that does not have any content, such as an extension of the protected federated auth path. 
@@ -92,6 +99,12 @@ Configure each protected path to use the ``openid-connect`` AuthType:
 AuthType openid-connect
+.. note::
+ To add support to Bearer Access Token authentication flow that is used by
+ applications that do not adopt the browser flow, such the OpenStack CLI, you
+ will need to change the AuthType from ``openid-connect`` to
+ ``auth-openidc``.
+
 Do the same for the WebSSO auth paths if using horizon:
 .. code-block:: apache 
@@ -118,6 +131,138 @@ Remember to reload Apache after altering the VirtualHost:
 ``OIDCClaimPrefix`` to ``OIDC-``, then a typical remote value to check for is: ``HTTP_OIDC_ISS``.
+Configuring Multiple Identity Providers
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To configure multiples Identity Providers in your environment you will need to
+set your OIDC options like the following options:
+
+.. code-block:: apache
+
+ OIDCClaimPrefix "OIDC-"
+ OIDCResponseType "id_token"
+ OIDCScope "openid email profile"
+ OIDCMetadataDir
+ OIDCCryptoPassphrase
+ OIDCRedirectURI https://sp.keystone.example.org/redirect_uri
+ OIDCOAuthVerifyCertFiles # # #
+
+The ``OIDCOAuthVerifyCertFiles`` is a tuple separated with `space`
+containing the key-id (kid) of the Issuer's public key and a path to
+the Issuer certificate. The separator ``#`` is used to split the (``kid``)
+and the public certificate address
+
+The metadata folder configured in the option ``OIDCMetadataDir`` must have all
+your Identity Providers configurations, the name of the files will be
+the name (with path) of the Issuers like:
+
+.. code-block::
+
+ -
+ |
+ - accounts.google.com.client
+ |
+ - accounts.google.com.conf
+ |
+ - accounts.google.com.provider
+ |
+ - keycloak.example.org%2Fauth%2Frealms%2Fidp.client
+ |
+ - keycloak.example.org%2Fauth%2Frealms%2Fidp.conf
+ |
+ - keycloak.example.org%2Fauth%2Frealms%2Fidp.provider
+
+.. note::
+ The name of the file must be url-encoded if needed, as the Apache2 mod_auth_openidc
+ will get the raw value from the query parameter ``iss`` from the http request
+ and check if there is a metadata with this name, as the query parameter is
+ url-encoded, so the metadata file name need to be encoded too. For example, if you have an
+ Issuer with ``/`` in the URL, then you need to escape it to ``%2F`` by
+ applying a URL escape in the file name.
+
+The content of these files must be a JSON like
+
+``accounts.google.com.client``:
+
+.. code-block:: json
+
+ {
+ "client_id":"",
+ "client_secret":""
+ }
+
+The ``.client`` file handles the SP credentials in the Issuer.
+
+``accounts.google.com.conf``:
+
+This file will be a JSON that overrides some of OIDC options. The options
+that are able to be overridden are listed in the
+`OpenID Connect Apache2 plugin documentation`_.
+
+.. _`OpenID Connect Apache2 plugin documentation`: https://github.com/zmartzone/mod_auth_openidc/wiki/Multiple-Providers#opclient-configuration
+
+If you do not want to override the config values, you can leave this file as
+an empty JSON like ``{}``.
+
+``accounts.google.com.provider``:
+
+This file will contain all specifications about the IdentityProvider. To
+simplify, you can just use the JSON returned in the ``.well-known`` endpoint:
+
+.. code-block:: json
+
+ {
+ "issuer": "https://accounts.google.com",
+ "authorization_endpoint": "https://accounts.google.com/o/oauth2/v2/auth",
+ "token_endpoint": "https://oauth2.googleapis.com/token",
+ "userinfo_endpoint": "https://openidconnect.googleapis.com/v1/userinfo",
+ "revocation_endpoint": "https://oauth2.googleapis.com/revoke",
+ "jwks_uri": "https://www.googleapis.com/oauth2/v3/certs",
+ "response_types_supported": [
+ "code",
+ "token",
+ "id_token",
+ "code token",
+ "code id_token",
+ "token id_token",
+ "code token id_token",
+ "none"
+ ],
+ "subject_types_supported": [
+ "public"
+ ],
+ "id_token_signing_alg_values_supported": [
+ "RS256"
+ ],
+ "scopes_supported": [
+ "openid",
+ "email",
+ "profile"
+ ],
+ "token_endpoint_auth_methods_supported": [
+ "client_secret_post",
+ "client_secret_basic"
+ ],
+ "claims_supported": [
+ "aud",
+ "email",
+ "email_verified",
+ "exp",
+ "family_name",
+ "given_name",
+ "iat",
+ "iss",
+ "locale",
+ "name",
+ "picture",
+ "sub"
+ ],
+ "code_challenge_methods_supported": [
+ "plain",
+ "S256"
+ ]
+ }
+
 Continue configuring keystone
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~