yahoo-eng-team team mailing list archive

[Bug 1694591] [NEW] Horizon gives 401 authorization error after oidc configuration

 

Public bug reported:

I have configured OIDC with keystone.
I have followed the steps mentioned in the official documentation. But when I try to log into Horizon, I get a 401 error:
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

The OIDC configuration is as shown below:
# Configure OIDC
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <Google Client ID>
OIDCClientSecret <Google Client Secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://<SP fqdn>/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso

# For keystone
<LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
  AuthType openid-connect
  Require valid-user
  LogLevel debug
</LocationMatch>

# For horizon
<Location ~ "/identity/v3/auth/OS-FEDERATION/websso/mapped">
  AuthType openid-connect
  Require valid-user
</Location>
<Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
  AuthType openid-connect
  Require valid-user
</Location>


source accr/admin/admin
export OS_IDENTITY_API_VERSION=3
openstack domain create federated_domain
openstack group create federated_users
openstack role add --group federated_users --domain federated_domain admin
openstack identity provider create --remote-id https://accounts.google.com myidp

export remote_type=REMOTE_USER
export remote_type=HTTP_OIDC_EMAIL
cat > rules.json <<EOF
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "${remote_type}"
            }
        ]
    }
]
EOF
openstack mapping create --rules rules.json myidp_mapping
openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp

** Affects: keystone
     Importance: Undecided
         Status: New


** Tags: error horizon keystone

** Tags removed: errro
** Tags added: error

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1694591

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1694591/+subscriptions
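To see what the mapping rules in the report actually require of the request Keystone receives, here is an added example (not code from the bug report or from Keystone itself): a deliberately simplified re-implementation of Keystone's direct-mapping evaluation, run over the report's rules.json template with the `${remote_type}` expansion reproduced. It assumes the standard Apache convention that a request header `OIDC-email` (mod_auth_openidc with `OIDCClaimPrefix "OIDC-"`) reaches the application as `HTTP_OIDC_EMAIL`, and the attribute sets it evaluates are constructed for the demonstration.

```python
import json
import string

# Mapping rules from the bug report, kept as the shell heredoc text so the
# ${remote_type} expansion can be reproduced (the second export wins).
RULES_TEMPLATE = """[
  {"local": [
     {"user": {"name": "{0}"},
      "group": {"domain": {"name": "Default"}, "name": "federated_users"}}],
   "remote": [{"type": "${remote_type}"}]}
]"""

def claim_to_remote_type(prefix: str, claim: str) -> str:
    """Name under which Apache passes an OIDC claim header to Keystone:
    mod_auth_openidc sets header '<prefix><claim>', and Apache exposes a
    request header as HTTP_ + upper-cased name with '-' replaced by '_'."""
    return "HTTP_" + (prefix + claim).upper().replace("-", "_")

def render_rules(remote_type: str) -> list:
    """Expand ${remote_type} as the heredoc does, then parse the JSON."""
    return json.loads(string.Template(RULES_TEMPLATE).substitute(
        remote_type=remote_type))

def _fill(obj, values):
    """Recursively apply '{0}', '{1}', ... substitution to 'local' strings."""
    if isinstance(obj, dict):
        return {k: _fill(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_fill(v, values) for v in obj]
    if isinstance(obj, str):
        return obj.format(*values)
    return obj

def evaluate_mapping(rules: list, remote_attrs: dict):
    """Simplified Keystone mapping engine (direct mapping only; no
    any_one_of/not_any_of/regex filters): every 'remote' attribute of a
    rule must be present, its value is captured positionally, and the first
    matching rule's 'local' block is returned with placeholders filled.
    None means no identity could be mapped from the request."""
    for rule in rules:
        try:
            values = [remote_attrs[req["type"]] for req in rule["remote"]]
        except KeyError:
            continue  # attribute absent: this rule does not apply
        return _fill(rule["local"], values)
    return None

if __name__ == "__main__":
    rules = render_rules(claim_to_remote_type("OIDC-", "email"))
    # Constructed attribute sets standing in for what Apache hands to Keystone.
    ok = evaluate_mapping(rules, {"HTTP_OIDC_EMAIL": "alice@example.com"})
    print(ok[0]["user"]["name"])                              # alice@example.com
    print(evaluate_mapping(rules, {"REMOTE_USER": "alice"}))  # None
```

The second case shows the failure mode to check for when debugging this kind of setup: if the claim header the rule names never reaches Keystone (for example because the protected `<Location>` does not match the path Horizon actually uses), no user is mapped and the federated login cannot succeed.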


Follow ups