oidc: fix overloading of redirect_uri for cli client

The redirect URI specified in the Apache config for OIDC was unintentionally serving a dual purpose as a redirect URI and a handler for command line auth. As of mod_auth_openidc v2.4.9 this no longer works. This change splits the paths for command line auth and the redirect URI into two to work around this. Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
2023-10-20 13:50:54 +01:00 · 2023-10-20 13:50:54 +01:00 · 2ed76dee5d
parent b54478e7e1
commit 2ed76dee5d
4 changed files with 25 additions and 7 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -535,7 +535,7 @@ keystone_sp: {}
 #       oidc_client_id: keystone
 #       oidc_client_secret: secret
 #       oidc_crypto_passphrase: random string
-#       oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
+#       oidc_redirect_path: /oidc_redirect
 #       oidc_oauth_introspection_endpoint: endpoint address (optional)
 #       oidc_oauth_client_id: string (optional)
 #       oidc_oauth_client_secret: secret (optional)
--- a/doc/source/configure-federation-sp.rst
+++ b/doc/source/configure-federation-sp.rst
@ -310,10 +310,10 @@ for mod_auth_openidc OIDC-based deployments.
   restrictions for this password. This should be set to a randomly generated
   string of a sensible length.

-#. ``oidc_redirect_uri`` is the redirect_uri for this OpenID Connect
-   client; this is a vanity URL that must ONLY point to a path on your
-   server protected by this module but it must NOT point to any actual
-   content that needs to be served.
+#. ``oidc_redirect_path`` is the path component of the redirect_uri for this
+   OpenID Connect client; this is a vanity URL that must ONLY point to a path
+   on your server protected by this module but it must NOT point to any
+   actual content that needs to be served.

 #. ``oidc_claim_prefix`` is the prefix to use when setting claims in the
   HTTP headers/environment variables. Defaults to 'OIDC-'.
@ -373,7 +373,7 @@ service provider to an IDP using mod_auth_openidc with CADF notifications on.
            oidc_client_id: keystone
            oidc_client_secret: <SECRET>
            oidc_crypto_passphrase: <RANDOM STRING>
-            oidc_redirect_uri: https://{{external_lb_vip_address}}:5000/v3/OS-FEDERATION/identity_providers/oidc-idp/protocols/openid/auth
+            oidc_redirect_path: /oidc_redirect
            oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one
            entity_ids:
              - 'https://identity-provider/openid-endpoint/'
--- a/releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml
+++ b/releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml
@ -0,0 +1,13 @@
+---
+upgrade:
+  - |
+    Keystone OIDC parameter 'oidc_redirect_uri' is replaced with
+    'oidc_redirect_path'. This parameter no longer needs to be set explicitly
+    unless you run additional services which may collide with the default
+    on the same port as Keystone. Your OIDC provider may need to be updated
+    to reflect this change in redirect URI which defaults to the Keystone
+    public URL plus the path /oidc_redirect.
+fixes:
+  - |
+    Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc
+    if >= v2.4.9 including on Ubuntu Jammy.
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -52,7 +52,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
    OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
    OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
    OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
-    OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
+    OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
    {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%}
    OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
    {% endif -%}
@ -91,6 +91,11 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
    OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
    {% endif %}

+    <Location {{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}>
+      Require valid-user
+      AuthType openid-connect
+    </Location>
+
    <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
      Require valid-user
      AuthType auth-openidc