Uploaded image for project: 'Red Hat OpenStack Services on OpenShift'
  1. Red Hat OpenStack Services on OpenShift
  2. OSPRH-9668

BZ#2307307 [Regression] changes to the way mod_auth_oidc handles headers break federation

XMLWordPrintable

    • 2
    • False
    • Hide

      None

      Show
      None
    • False
    • ?
    • ?
    • ?
    • ?
    • None
    • 2
    • DFG Security: UC Sprint 100, DFG Security: UC Sprint 101, DFG Security: UC Sprint 102
    • Important

      Description of problem:

      An update to the way mod_auth_openidc in 2.4.x changes the way that it handles headers as well as the remote_id_attribute. This breaks our current implementation of OIDC federation, where the claim is now missing the fields necessary to correctly map the federated user. Fields containing underscores are being removed by Apache.

      Version-Release number of selected component (if applicable):
      17.1.3

      How reproducible:
      Always with our recommended federation configuration.

      Steps to Reproduce:
      1. Configure OSP to use OIDC federation
      2. Attempt to login via the Horizon dashboard
      3. Keystone will return a 403, unable to find the correct user_id field for mapping

      Actual results:
      Keystone will return a 403, enabling insecure_debug will show that the OIDC-preferred_username is missing

      Expected results:
      The user should be redirected to the Horizon dashboard after successfully authenticating.

      Additional info:
      The fix is to remove OIDCPassClaimsAs headers from keystones httpd configuration and to change the remote_id_attribute to OIDC-iss in the keystone configuration file.

            dwilde@redhat.com Dave Wilde
            dwilde@redhat.com Dave Wilde
            rhos-dfg-security
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: