yahoo-eng-team team mailing list archive
Message #68043
[Bug 1694591] Re: Horizon gives 401 authorization error after oidc configuration
[Expired for OpenStack Identity (keystone) because there has been no activity for 60 days.]
** Changed in: keystone
Status: Incomplete => Expired
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1694591
Title:
Horizon gives 401 authorization error after oidc configuration
Status in OpenStack Identity (keystone):
Expired
Bug description:
I have configured OIDC with keystone.
I have followed the steps mentioned in the official documentation. But when I try to log into horizon, I get a 401 error:
{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
The OIDC configuration is as shown below:
# Configure OIDC
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <Google Client ID>
OIDCClientSecret <Google Client Secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://<SP fqdn>/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso
# For keystone
<LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
</LocationMatch>
# For horizon
<Location ~ "/identity/v3/auth/OS-FEDERATION/websso/mapped">
AuthType openid-connect
Require valid-user
</Location>
<Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
AuthType openid-connect
Require valid-user
</Location>
source accr/admin/admin
export OS_IDENTITY_API_VERSION=3
openstack domain create federated_domain
openstack group create federated_users
openstack role add --group federated_users --domain federated_domain admin
openstack identity provider create --remote-id https://accounts.google.com myidp
export remote_type=REMOTE_USER
export remote_type=HTTP_OIDC_EMAIL
cat > rules.json <<EOF
[
    {
        "local": [
            {
                "user": {
                    "name": "{0}"
                },
                "group": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "federated_users"
                }
            }
        ],
        "remote": [
            {
                "type": "${remote_type}"
            }
        ]
    }
]
EOF
openstack mapping create --rules rules.json myidp_mapping
openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1694591/+subscriptions
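One thing to check when a federated login is refused is whether the mapping actually produces a user from the attributes mod_auth_openidc exposes. Below is an added example (not keystone's code and not from the bug report): a simplified Python version of keystone's mapping evaluation, run over the rules.json above with ${remote_type} expanded to its final value HTTP_OIDC_EMAIL, plus two constructed assertions. It assumes single-valued string attributes; alice@example.com is a made-up value.

```python
import re

# Simplified version of keystone's mapping evaluation (added example, not keystone's
# own engine). A rule matches when every "remote" entry is present in the assertion
# and passes its optional any_one_of/not_any_of filter ("regex": true -> re.search);
# as in keystone, only the unconditional entries feed the {0}, {1}, ... placeholders.

def _check_remote(entry, assertion):
    """Return (matched, direct_value); direct_value is None for filtered entries."""
    value = assertion.get(entry["type"])
    if value is None:                    # attribute absent: the rule cannot match
        return False, None
    if "any_one_of" in entry or "not_any_of" in entry:
        use_regex = entry.get("regex", False)
        hit = lambda pats: any(re.search(p, value) if use_regex else p == value
                               for p in pats)
        if "any_one_of" in entry and not hit(entry["any_one_of"]):
            return False, None
        if "not_any_of" in entry and hit(entry["not_any_of"]):
            return False, None
        return True, None                # filter passed, but not a direct map
    return True, value

def _render(obj, values):  # fill {n} placeholders in a nested local entry
    if isinstance(obj, str):
        return obj.format(*values)
    if isinstance(obj, dict):
        return {k: _render(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_render(v, values) for v in obj]
    return obj

def map_assertion(rules, assertion):
    """Rendered local entries of every matching rule; [] means nothing mapped."""
    mapped = []
    for rule in rules:
        results = [_check_remote(r, assertion) for r in rule["remote"]]
        if not all(matched for matched, _ in results):
            continue
        direct = [v for _, v in results if v is not None]
        mapped.extend(_render(local, direct) for local in rule["local"])
    return mapped

# The bug report's rules.json with ${remote_type} expanded to its final value.
RULES = [{"local": [{"user": {"name": "{0}"}, "group": {"domain": {"name": "Default"},
          "name": "federated_users"}}], "remote": [{"type": "HTTP_OIDC_EMAIL"}]}]
# Constructed assertions: with the email attribute, and with only REMOTE_USER.
WITH_EMAIL = {"HTTP_OIDC_EMAIL": "alice@example.com", "REMOTE_USER": "alice"}
ONLY_REMOTE_USER = {"REMOTE_USER": "alice"}
```

With ONLY_REMOTE_USER the result is an empty list: the rule keys on HTTP_OIDC_EMAIL, so an assertion that only carries REMOTE_USER (the first, overridden remote_type) maps to no user and no group.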