From 2ed76dee5d5e0d10e3af818428178926518a99cd Mon Sep 17 00:00:00 2001
From: Andrew Bonney
Date: Fri, 20 Oct 2023 13:50:54 +0100
Subject: [PATCH] oidc: fix overloading of redirect_uri for cli client
The redirect URI specified in the Apache config for OIDC was unintentionally serving a dual purpose as a redirect URI and a handler for command line auth. As of mod_auth_openidc v2.4.9 this no longer works. This change splits the paths for command line auth and the redirect URI into two to work around this.
Change-Id: I27c612cf8537b401c1195ae0892bf5569e2f3858
---
 defaults/main.yml | 2 +-
 doc/source/configure-federation-sp.rst | 10 +++++-----
 .../oidc-fix-redirect-uri-5909172a1db5457f.yaml | 13 +++++++++++++
 templates/keystone-httpd.conf.j2 | 7 ++++++-
 4 files changed, 25 insertions(+), 7 deletions(-)
 create mode 100644 releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml
diff --git a/defaults/main.yml b/defaults/main.yml
index 572a6c98..501ce683 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -535,7 +535,7 @@ keystone_sp: {}
 # oidc_client_id: keystone
 # oidc_client_secret: secret
 # oidc_crypto_passphrase: random string
-# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
+# oidc_redirect_path: /oidc_redirect
 # oidc_oauth_introspection_endpoint: endpoint address (optional)
 # oidc_oauth_client_id: string (optional)
 # oidc_oauth_client_secret: secret (optional)
diff --git a/doc/source/configure-federation-sp.rst b/doc/source/configure-federation-sp.rst
index 4050ba45..f446d5f9 100644
--- a/doc/source/configure-federation-sp.rst
+++ b/doc/source/configure-federation-sp.rst
@@ -310,10 +310,10 @@ for mod_auth_openidc OIDC-based deployments. restrictions for this password. This should be set to a randomly generated string of a sensible length. -#. ``oidc_redirect_uri`` is the redirect_uri for this OpenID Connect - client; this is a vanity URL that must ONLY point to a path on your - server protected by this module but it must NOT point to any actual - content that needs to be served. +#. ``oidc_redirect_path`` is the path component of the redirect_uri for this + OpenID Connect client; this is a vanity URL that must ONLY point to a path + on your server protected by this module but it must NOT point to any + actual content that needs to be served. #. ``oidc_claim_prefix`` is the prefix to use when setting claims in the HTTP headers/environment variables. Defaults to 'OIDC-'. @@ -373,7 +373,7 @@ service provider to an IDP using mod_auth_openidc with CADF notifications on. oidc_client_id: keystone oidc_client_secret: oidc_crypto_passphrase: - oidc_redirect_uri: https://{{external_lb_vip_address}}:5000/v3/OS-FEDERATION/identity_providers/oidc-idp/protocols/openid/auth + oidc_redirect_path: /oidc_redirect oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one entity_ids: - 'https://identity-provider/openid-endpoint/' diff --git a/releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml b/releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml new file mode 100644 index 00000000..b81fb03e --- /dev/null +++ b/releasenotes/notes/oidc-fix-redirect-uri-5909172a1db5457f.yaml 
@@ -0,0 +1,13 @@
+---
+upgrade:
+ - |
+ Keystone OIDC parameter 'oidc_redirect_uri' is replaced with
+ 'oidc_redirect_path'. This parameter no longer needs to be set explicitly
+ unless you run additional services which may collide with the default
+ on the same port as Keystone. Your OIDC provider may need to be updated
+ to reflect this change in redirect URI which defaults to the Keystone
+ public URL plus the path /oidc_redirect.
+fixes:
+ - |
+ Fixed OpenStack command line OIDC integration where Apache mod_auth_openidc
+ if >= v2.4.9 including on Ubuntu Jammy.
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 74961cc8..918eb511 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@@ -52,7 +52,7 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 OIDCClientID {{ keystone_sp.trusted_idp_list.0.oidc_client_id }}
 OIDCClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_client_secret }}
 OIDCCryptoPassphrase {{ keystone_sp.trusted_idp_list.0.oidc_crypto_passphrase }}
- OIDCRedirectURI {{ keystone_sp.trusted_idp_list.0.oidc_redirect_uri }}
+ OIDCRedirectURI {{ keystone_service_publicuri }}{{ keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect') }}
 {% if _keystone_sp_apache_mod_auth_openidc_gte_2_4_11 is defined -%}
 OIDCXForwardedHeaders {{ keystone_secure_proxy_ssl_header }}
 {% endif -%}
@@ -91,6 +91,11 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 OIDCClaimDelimiter "{{ keystone_sp.trusted_idp_list.0.oidc_claim_delimiter }}"
 {% endif %}
+
+ Require valid-user
+ AuthType openid-connect
+
+
 Require valid-user
 AuthType auth-openidc
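Review bot: The new `OIDCRedirectURI` line in the first template hunk builds the redirect URI by bare concatenation of `keystone_service_publicuri` and `oidc_redirect_path`, so a deployer value without a leading slash (`oidc_redirect`) or a public URI carrying a trailing slash yields a malformed or double-slashed URI, and nothing in the template validates it; the IdP's exact-match redirect_uri check will then reject the callback with an error that is hard to trace back to this line. The same `| default('/oidc_redirect')` expression presumably has to be repeated on the opening `<Location>` line of the block added in the second hunk (that directive's tag is not visible in this rendering, only its `Require valid-user` / `AuthType openid-connect` body is), and if the two ever drift the redirect URI no longer lies inside a path protected by the module, so mod_auth_openidc cannot complete the flow — it fails closed, but silently from the deployer's point of view. I would compute the path once and reuse it in both places: `{% set _oidc_redirect_path = '/' ~ (keystone_sp.trusted_idp_list.0.oidc_redirect_path | default('/oidc_redirect')).lstrip('/') %}`, then `OIDCRedirectURI {{ keystone_service_publicuri }}{{ _oidc_redirect_path }}` and `<Location {{ _oidc_redirect_path }}>`. This assumes `keystone_service_publicuri` is a bare `scheme://host:port` with no path or trailing slash, which is not visible here; if it can carry one, strip it the same way before concatenating.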