OSC / ondemand

Supercomputing. Seamlessly. Open, Interactive HPC Via the Web
https://openondemand.org/
MIT License

OpenID Connect ood_portal.yml translates incorrectly to ood-portal.conf #2037

Open brandon-biggs opened 2 years ago

brandon-biggs commented 2 years ago

Hi,

I hope this hasn't already been presented and resolved. I checked release notes and other issues, but I didn't find anything about this specific issue.

General info: OnDemand 1.8.20 CentOS 7

Specific Issue: After I edit /etc/ood/config/ood_portal.yml to implement OpenID Connect as defined in the documentation here, and run /opt/ood/ood-portal-generator/sbin/update_ood_portal there seems to be an incorrect update to ood-portal.conf.

Example -

Here is my oidc config from ood_portal.yml based on the documentation. Redacted the actual URLs and IDs.

auth:
  - 'AuthType openid-connect'
  - 'Require valid-user'

# logout target must be a fully URL-encoded absolute URL (https%3A%2F%2F... = https://...)
logout_redirect: "/oidc?logout=https%3A%2F%2Fondemand.com"
user_map_cmd: '/opt/ood/ood_auth_map/bin/ood_auth_map.regex'

oidc_uri: 'https://oidc-server.com/oidc'
oidc_provider_metadata_url: "https://oidc-server.com/.well-known/openid-configuration"
oidc_client_id: "abc123"
oidc_client_secret: "abc123secret"
oidc_remote_user_claim: "preferred_username"
oidc_scope: "openid profile email groups"
oidc_session_inactivity_timeout: 28800
oidc_session_max_duration: 28800
oidc_state_max_number_of_cookies: "10 true"
oidc_settings:
  OIDCPassIDTokenAs: "serialized"
  OIDCPassRefreshToken: "On"
  OIDCPassClaimsAs: "environment"
  OIDCStripCookies: "mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1"

After this is in place, I run

$ /opt/ood/ood-portal-generator/sbin/update_ood_portal

cp -p <CERTS>
chown ondemand-dex:ondemand-dex /etc/ood/dex/crt.crt
cp -p /etc/pki/tls/private/key.key /etc/ood/dex/key.key
chown ondemand-dex:ondemand-dex /etc/ood/dex/key.key

Generating new Apache config at: '/opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf'
chown root:apache /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
chmod 640 /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf
Generating Apache config checksum file: '/etc/ood/config/ood_portal.sha256sum'
No change in the Dex config.
Completed successfully!

Restart the httpd24-httpd service now.

Suggested command:
    sudo systemctl try-restart httpd24-httpd.service httpd24-htcacheclean.service

I can then restart the service just fine, however accessing the page doesn't seem to work correctly. So I look at ood-portal.conf and see the following in the oidc section:

OIDCProviderMetadataURL https://ondemand.com:5554/.well-known/openid-configuration
  OIDCClientID ondemand.com
  OIDCClientSecret xyz123 (No idea what this actually is)
  OIDCRedirectURI https://ondemand.com/oidc
  OIDCRemoteUserClaim email
  OIDCScope "openid profile email groups"
  OIDCCryptoPassphrase fgh123
  OIDCSessionInactivityTimeout 28800
  OIDCSessionMaxDuration 28800
  OIDCStateMaxNumberOfCookies 10 true
  OIDCCookieSameSite Off
  OIDCPassClaimsAs environment
  OIDCPassIDTokenAs serialized
  OIDCPassRefreshToken On
  OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

It seems my oidc metadata url and other pieces of information don't translate correctly. I tried finding the issue in /opt/ood/ood-portal-generator but haven't been able to find it yet. I wanted to bring this up. If it's already been fixed, I apologize for using an older version of OnDemand :)

Let me know if there's any other information I can provide. Thanks.

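A quick consistency check for the situation described in the report, as an added example that is not part of the issue or of the ood-portal-generator: it reads the oidc_* keys (and the oidc_settings map) from ood_portal.yml, maps them to the mod_auth_openidc directives they should become, and diffs that against the OIDC* lines actually present in ood-portal.conf. The key-to-directive mapping is an assumption inferred from the names in the report, and both inputs are constructed from the values shown above.

```python
"""Detect ood_portal.yml -> ood-portal.conf OIDC mismatches before restarting httpd."""
import re

# Assumed mapping (inferred from the issue) from ood_portal.yml keys to directives.
KEY_TO_DIRECTIVE = {
    "oidc_provider_metadata_url": "OIDCProviderMetadataURL",
    "oidc_client_id": "OIDCClientID",
    "oidc_remote_user_claim": "OIDCRemoteUserClaim",
    "oidc_scope": "OIDCScope",
    "oidc_session_inactivity_timeout": "OIDCSessionInactivityTimeout",
    "oidc_session_max_duration": "OIDCSessionMaxDuration",
    "oidc_state_max_number_of_cookies": "OIDCStateMaxNumberOfCookies",
}

# Constructed from the report: what the admin configured ...
OOD_PORTAL_YML = """\
oidc_provider_metadata_url: "https://oidc-server.com/.well-known/openid-configuration"
oidc_client_id: "abc123"
oidc_remote_user_claim: "preferred_username"
oidc_scope: "openid profile email groups"
oidc_session_max_duration: 28800
oidc_settings:
  OIDCPassClaimsAs: "environment"
"""
# ... and what update_ood_portal actually wrote.
OOD_PORTAL_CONF = """\
  OIDCProviderMetadataURL https://ondemand.com:5554/.well-known/openid-configuration
  OIDCClientID ondemand.com
  OIDCRemoteUserClaim email
  OIDCScope "openid profile email groups"
  OIDCSessionMaxDuration 28800
  OIDCPassClaimsAs environment
"""

def expected_directives(yml):
    """Minimal reader for flat oidc_* keys plus the indented oidc_settings map."""
    expected, in_settings = {}, False
    for line in yml.splitlines():
        m = re.match(r"^(\s*)([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, val = m.groups()
        val = val.strip().strip("\"'")          # drop YAML quoting
        if not indent:                          # top-level key
            in_settings = key == "oidc_settings"
            if key in KEY_TO_DIRECTIVE:
                expected[KEY_TO_DIRECTIVE[key]] = val
        elif in_settings:                       # raw directive under oidc_settings
            expected[key] = val
    return expected

def actual_directives(conf):
    """Collect every 'OIDCxxx value' line from the generated Apache config."""
    return {k: v.strip('"') for k, v in re.findall(r"^\s*(OIDC\w+)\s+(.*)$", conf, re.M)}

def mismatches(yml, conf):
    """Return {directive: (expected, actual)} for every directive that differs."""
    exp, act = expected_directives(yml), actual_directives(conf)
    return {d: (v, act.get(d)) for d, v in exp.items() if act.get(d) != v}
```

Running `mismatches(OOD_PORTAL_YML, OOD_PORTAL_CONF)` on these inputs flags the metadata URL, client ID and remote-user claim, exactly the fields the report says did not translate.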

johrstrom commented 1 year ago

OMG I'm terribly sorry that we're just now commenting on this ticket. Are you still having issues (almost a full year later)?