Closed killermoehre closed 1 year ago
berendt
commented
1 year ago Have you already compared this configuration with the testbed configuration? Arvid & Juan added the Keystone/Keycloak integration there.
@JuanPTM @reqa Can you please have a look on this issue?
killermoehre
commented
1 year ago I added the testbed config last week, so I'm quite sure it's current.
berendt
commented
1 year ago Then we have to wait for Juan & Arvid. They have integrated it and know how to do it.
Is OIDC a must? If not, https://github.com/vexxhost/keystone-keycloak-backend could be an alternative that is worth a look. This is a keystone plugin that allows to integrate a Keycloak like LDAP.
killermoehre
commented
1 year ago We want the role assignments as well, so yes, OIDC is set.
JuanPTM
commented
1 year ago Hello @killermoehre, first of all the template for the wsgi-keystone.conf seems correct although that doesn't show the final config file. The config file is on the nodes in /etc/kolla/keystone/wsgi-keystone.conf.
I do not know the reason of this error at first sight, but it looks like an error on keystone, the keystone logs can be found in /var/log/kolla/keystone/keystone-apache-public-error.log.
This error might be related to policy config, a missmatch on the configuration between keycloak/keystone or a few more causes. To help you a bit better I'd need a bit more info, the error log and the configuration for keystone.
killermoehre
commented
1 year ago Is there any way to share the config and logs non-public? Else I'm redacting for too much and it might become a garbled mess.
reqa
commented
1 year ago If you have to redact then it's a business case of yours and that should probably be handled in your company, just to be careful regarding data protection. I'd suggest you create a test setup first that is not customer related. Sharing something similar to the following information regarding your configuration could be useful:
export OS_CLOUD=admin
openstack identity provider list
openstack federation protocol list --identity-provider keycloak && \
openstack mapping show -f json "$(openstack federation protocol show -f json --identity-provider keycloak openid | jq -r .mapping)"When we debug things like this I usually set LogLevel debug in testbed-node-0:/etc/kolla/keystone/wsgi-keystone.conf and restart the container, clear browser caches, re-trigger authentication and check keystone-apache-public-error.log.
killermoehre
commented
1 year ago If you have to redact then it's a business case of yours and that should probably be handled in your company, just to be careful regarding data protection.
Not the answer I expected, but oh well.
Here is the keystone-apache-public-error.log with the failed login request.
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.543460 2023-08-31 09:07:08.543 25 DEBUG keystone.server.flask.request_processing.req_logging [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:27\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.543692 2023-08-31 09:07:08.543 25 DEBUG keystone.server.flask.request_processing.req_logging [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:28\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.543921 2023-08-31 09:07:08.543 25 DEBUG keystone.server.flask.request_processing.req_logging [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] PATH_INFO: `/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso` log_request_info /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:29\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.544463 2023-08-31 09:07:08.544 25 DEBUG keystone.api._shared.authentication [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] No 'external' plugin is registered. authenticate /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/_shared/authentication.py:141\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.545131 2023-08-31 09:07:08.544 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] Environment variables: {'OIDC-sub': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'OIDC-email_verified': '1', 'OIDC-objectGUID': 'SkhR2SFntEqki5puft+j4Q==', 'OIDC-name': 'Silvio Knizek', 'OIDC-preferred_username': 'silvio.knizek@customer.domain.tld', 'OIDC-given_name': 'Silvio', 'OIDC-family_name': 'Knizek', 'OIDC-email': 'knizek@b1-systems.de', 'OIDC-exp': '1693473128', 'OIDC-iat': '1693472828', 'OIDC-auth_time': '1693472827', 'OIDC-jti': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'OIDC-iss': 'https://auth.keycloak.tld/realms/customer', 'OIDC-aud': 'openstack', 'OIDC-typ': 'ID', 'OIDC-azp': 'openstack', 'OIDC-nonce': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'OIDC-session_state': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC-at_hash': '_Syga9bgdQvDzDKGkj_dhg', 'OIDC-acr': '1', 'OIDC-sid': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC_access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTM0NzMxMjgsImlhdCI6MTY5MzQ3MjgyOCwiYXV0aF90aW1lIjoxNjkzNDcyODI3LCJqdGkiOiJlNjU1ZTZlNi1jNDUyLTQwZDktYjE1Ny1kNmI4OTQwM2FlNTciLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6IjdLSkVQUG83MkhmUkJqcHY5X3dMU3BGczJIc01TaGlVSXplTnQ5MnNUMzAiLCJzZXNzaW9uX3N0YXRlIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.XeYywQX3Nd0d19uPUadHXxqP8nlCO_aWFseuzHgMafCR0rAakkzMJxYjwYQoqB3OTJ0_8USWpUTl5M_BWbxgqCsQZYiREpORostlEoIiAceyoarhfgytIW_oHyJtUJmYq6i2kYzPXeCWc8BO2-hjxrVij4OPBxpcA0_mVIIqWCoojmlcwmk-7FdacTVa_rEEaVkyuF7YWyd-e03OJqtVKdVm2CD6mweWxA_UI8zSsL5UHVafXEtSromH0NKyT7uOaOq8-ACUsGVa3wAJ4azGG3BIDnMm4X-esRSMEt9u-leY6rFYOYtg8lsE5kCtS1ZwSriSeV3ZTRaDPk9kHKaR8g', 'OIDC_access_token_expires': '1693473128', 'GATEWAY_INTERFACE': 'CGI/1.1', 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': 'origin=https://horizon.internal.domain.tld/auth/websso/', 'REQUEST_URI': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https://horizon.internal.domain.tld/auth/websso/', 'SCRIPT_NAME': '', 'PATH_INFO': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'PATH_TRANSLATED': '/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8', 'HTTP_ACCEPT_LANGUAGE': 'de,en;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br', 'HTTP_DNT': '1', 'HTTP_COOKIE': 'mod_auth_openidc_session=d0486333-338f-4584-8f39-8d1614fe9690', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_SITE': 'none', 'HTTP_SEC_FETCH_USER': '?1', 'HTTP_SEC_GPC': '1', 'HTTP_X_FORWARDED_PROTO': 'https', 'HTTP_X_FORWARDED_FOR': '10.252.0.102', 'HTTP_OIDC_SUB': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'HTTP_OIDC_OBJECTGUID': 'SkhR2SFntEqki5puft+j4Q==', 'HTTP_OIDC_NAME': 'Silvio Knizek', 'HTTP_OIDC_EMAIL': 'knizek@b1-systems.de', 'HTTP_OIDC_EXP': '1693473128', 'HTTP_OIDC_IAT': '1693472828', 'HTTP_OIDC_JTI': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'HTTP_OIDC_ISS': 'https://auth.keycloak.tld/realms/customer', 'HTTP_OIDC_AUD': 'openstack', 'HTTP_OIDC_TYP': 'ID', 'HTTP_OIDC_AZP': 'openstack', 'HTTP_OIDC_NONCE': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'HTTP_OIDC_ACR': '1', 'HTTP_OIDC_SID': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'SERVER_SIGNATURE': '', 'SERVER_SOFTWARE': 'Apache', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_ADDR': '10.40.64.223', 'SERVER_PORT': '5000', 'REMOTE_ADDR': '10.252.0.102', 'DOCUMENT_ROOT': '/var/www/html', 'REQUEST_SCHEME': 'http', 'CONTEXT_PREFIX': '', 'CONTEXT_DOCUMENT_ROOT': '/var/www/html', 'SERVER_ADMIN': '[no address given]', 'SCRIPT_FILENAME': '/var/lib/kolla/venv/bin/keystone-wsgi-public', 'REMOTE_PORT': '46866', 'REMOTE_USER': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer', 'AUTH_TYPE': 'openid-connect', 'mod_wsgi.script_name': '', 'mod_wsgi.path_info': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'mod_wsgi.process_group': 'keystone-public', 'mod_wsgi.application_group': '', 'mod_wsgi.callable_object': 'application', 'mod_wsgi.request_handler': 'wsgi-script', 'mod_wsgi.handler_script': '', 'mod_wsgi.script_reloading': '1', 'mod_wsgi.listener_host': '10.40.64.223', 'mod_wsgi.listener_port': '5000', 'mod_wsgi.enable_sendfile': '0', 'mod_wsgi.ignore_activity': '0', 'mod_wsgi.request_start': '1693472828540396', 'mod_wsgi.request_id': '7MVhXjzNoNI', 'mod_wsgi.queue_start': '1693472828542157', 'mod_wsgi.daemon_connects': '1', 'mod_wsgi.daemon_restarts': '0', 'mod_wsgi.daemon_start': '1693472828542239', 'mod_wsgi.script_start': '1693472828542368', 'wsgi.version': (1, 0), 'wsgi.multithread': False, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'https', 'wsgi.errors': <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'>, 'wsgi.input': <oslo_middleware.sizelimit.LimitingReader object at 0x7f2ec4969840>, 'wsgi.input_terminated': True, 'wsgi.file_wrapper': <class 'mod_wsgi.FileWrapper'>, 'apache.version': (2, 4, 52), 'mod_wsgi.version': (4, 9, 0), 'mod_wsgi.total_requests': 7122, 'mod_wsgi.thread_id': 1, 'mod_wsgi.thread_requests': 7122, 'werkzeug.proxy_fix.orig': {'REMOTE_ADDR': '10.40.64.222', 'wsgi.url_scheme': 'http', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_PORT': '5000', 'SCRIPT_NAME': ''}, 'webob.adhoc_attrs': {'response': <_AuthTokenResponse at 0x7f2ec4cab730 200 OK>}, 'webob.is_body_seekable': False, 'openstack.request_id': 'req-cad18c26-a893-483d-a8b3-b1cb19c50914', 'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x7f2ec4a9af80>, 'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x7f2ec4a995a0>, 'werkzeug.request': <Request 'https://api-extern.internal.domain.tld:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https:%2F%2Fhorizon.internal.domain.tld%2Fauth%2Fwebsso%2F' [GET]>} get_assertion_params_from_env /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:439\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.557388 2023-08-31 09:07:08.556 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] assertion data: {'OIDC-sub': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'OIDC-email_verified': '1', 'OIDC-objectGUID': 'SkhR2SFntEqki5puft+j4Q==', 'OIDC-name': 'Silvio Knizek', 'OIDC-preferred_username': 'silvio.knizek@customer.domain.tld', 'OIDC-given_name': 'Silvio', 'OIDC-family_name': 'Knizek', 'OIDC-email': 'knizek@b1-systems.de', 'OIDC-exp': '1693473128', 'OIDC-iat': '1693472828', 'OIDC-auth_time': '1693472827', 'OIDC-jti': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'OIDC-iss': 'https://auth.keycloak.tld/realms/customer', 'OIDC-aud': 'openstack', 'OIDC-typ': 'ID', 'OIDC-azp': 'openstack', 'OIDC-nonce': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'OIDC-session_state': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC-at_hash': '_Syga9bgdQvDzDKGkj_dhg', 'OIDC-acr': '1', 'OIDC-sid': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC_access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTM0NzMxMjgsImlhdCI6MTY5MzQ3MjgyOCwiYXV0aF90aW1lIjoxNjkzNDcyODI3LCJqdGkiOiJlNjU1ZTZlNi1jNDUyLTQwZDktYjE1Ny1kNmI4OTQwM2FlNTciLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6IjdLSkVQUG83MkhmUkJqcHY5X3dMU3BGczJIc01TaGlVSXplTnQ5MnNUMzAiLCJzZXNzaW9uX3N0YXRlIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.XeYywQX3Nd0d19uPUadHXxqP8nlCO_aWFseuzHgMafCR0rAakkzMJxYjwYQoqB3OTJ0_8USWpUTl5M_BWbxgqCsQZYiREpORostlEoIiAceyoarhfgytIW_oHyJtUJmYq6i2kYzPXeCWc8BO2-hjxrVij4OPBxpcA0_mVIIqWCoojmlcwmk-7FdacTVa_rEEaVkyuF7YWyd-e03OJqtVKdVm2CD6mweWxA_UI8zSsL5UHVafXEtSromH0NKyT7uOaOq8-ACUsGVa3wAJ4azGG3BIDnMm4X-esRSMEt9u-leY6rFYOYtg8lsE5kCtS1ZwSriSeV3ZTRaDPk9kHKaR8g', 'OIDC_access_token_expires': '1693473128', 'GATEWAY_INTERFACE': 'CGI/1.1', 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': 'origin=https://horizon.internal.domain.tld/auth/websso/', 'REQUEST_URI': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https://horizon.internal.domain.tld/auth/websso/', 'SCRIPT_NAME': '', 'PATH_INFO': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'PATH_TRANSLATED': '/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8', 'HTTP_ACCEPT_LANGUAGE': 'de,en;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br', 'HTTP_DNT': '1', 'HTTP_COOKIE': 'mod_auth_openidc_session=d0486333-338f-4584-8f39-8d1614fe9690', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_SITE': 'none', 'HTTP_SEC_FETCH_USER': '?1', 'HTTP_SEC_GPC': '1', 'HTTP_X_FORWARDED_PROTO': 'https', 'HTTP_X_FORWARDED_FOR': '10.252.0.102', 'HTTP_OIDC_SUB': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'HTTP_OIDC_OBJECTGUID': 'SkhR2SFntEqki5puft+j4Q==', 'HTTP_OIDC_NAME': 'Silvio Knizek', 'HTTP_OIDC_EMAIL': 'knizek@b1-systems.de', 'HTTP_OIDC_EXP': '1693473128', 'HTTP_OIDC_IAT': '1693472828', 'HTTP_OIDC_JTI': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'HTTP_OIDC_ISS': 'https://auth.keycloak.tld/realms/customer', 'HTTP_OIDC_AUD': 'openstack', 'HTTP_OIDC_TYP': 'ID', 'HTTP_OIDC_AZP': 'openstack', 'HTTP_OIDC_NONCE': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'HTTP_OIDC_ACR': '1', 'HTTP_OIDC_SID': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'SERVER_SIGNATURE': '', 'SERVER_SOFTWARE': 'Apache', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_ADDR': '10.40.64.223', 'SERVER_PORT': '5000', 'REMOTE_ADDR': '10.252.0.102', 'DOCUMENT_ROOT': '/var/www/html', 'REQUEST_SCHEME': 'http', 'CONTEXT_PREFIX': '', 'CONTEXT_DOCUMENT_ROOT': '/var/www/html', 'SERVER_ADMIN': '[no address given]', 'SCRIPT_FILENAME': '/var/lib/kolla/venv/bin/keystone-wsgi-public', 'REMOTE_PORT': '46866', 'REMOTE_USER': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer', 'AUTH_TYPE': 'openid-connect', 'mod_wsgi.script_name': '', 'mod_wsgi.path_info': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'mod_wsgi.process_group': 'keystone-public', 'mod_wsgi.application_group': '', 'mod_wsgi.callable_object': 'application', 'mod_wsgi.request_handler': 'wsgi-script', 'mod_wsgi.handler_script': '', 'mod_wsgi.script_reloading': '1', 'mod_wsgi.listener_host': '10.40.64.223', 'mod_wsgi.listener_port': '5000', 'mod_wsgi.enable_sendfile': '0', 'mod_wsgi.ignore_activity': '0', 'mod_wsgi.request_start': '1693472828540396', 'mod_wsgi.request_id': '7MVhXjzNoNI', 'mod_wsgi.queue_start': '1693472828542157', 'mod_wsgi.daemon_connects': '1', 'mod_wsgi.daemon_restarts': '0', 'mod_wsgi.daemon_start': '1693472828542239', 'mod_wsgi.script_start': '1693472828542368', 'wsgi.version': (1, 0), 'wsgi.multithread': False, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'https', 'wsgi.errors': <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'>, 'wsgi.input': <oslo_middleware.sizelimit.LimitingReader object at 0x7f2ec4969840>, 'wsgi.input_terminated': True, 'wsgi.file_wrapper': <class 'mod_wsgi.FileWrapper'>, 'apache.version': (2, 4, 52), 'mod_wsgi.version': (4, 9, 0), 'mod_wsgi.total_requests': 7122, 'mod_wsgi.thread_id': 1, 'mod_wsgi.thread_requests': 7122, 'werkzeug.proxy_fix.orig': {'REMOTE_ADDR': '10.40.64.222', 'wsgi.url_scheme': 'http', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_PORT': '5000', 'SCRIPT_NAME': ''}, 'webob.adhoc_attrs': {'response': <_AuthTokenResponse at 0x7f2ec4cab730 200 OK>}, 'webob.is_body_seekable': False, 'openstack.request_id': 'req-cad18c26-a893-483d-a8b3-b1cb19c50914', 'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x7f2ec4a9af80>, 'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x7f2ec4a995a0>, 'werkzeug.request': <Request 'https://api-extern.internal.domain.tld:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https:%2F%2Fhorizon.internal.domain.tld%2Fauth%2Fwebsso%2F' [GET]>} process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:534\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.557804 2023-08-31 09:07:08.557 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] assertion: {'OIDC-sub': ['9aa80391-bb0d-46b8-a8e6-bab1b8ef3837'], 'OIDC-email_verified': ['1'], 'OIDC-objectGUID': ['SkhR2SFntEqki5puft+j4Q=='], 'OIDC-name': ['Silvio Knizek'], 'OIDC-preferred_username': ['silvio.knizek@customer.domain.tld'], 'OIDC-given_name': ['Silvio'], 'OIDC-family_name': ['Knizek'], 'OIDC-email': ['knizek@b1-systems.de'], 'OIDC-exp': ['1693473128'], 'OIDC-iat': ['1693472828'], 'OIDC-auth_time': ['1693472827'], 'OIDC-jti': ['d8080dea-4a33-4a03-983c-35fe823d9dbc'], 'OIDC-iss': ['https://auth.keycloak.tld/realms/customer'], 'OIDC-aud': ['openstack'], 'OIDC-typ': ['ID'], 'OIDC-azp': ['openstack'], 'OIDC-nonce': ['7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30'], 'OIDC-session_state': ['8f17d709-a9d5-4ecd-817e-8bee34bb5a65'], 'OIDC-at_hash': ['_Syga9bgdQvDzDKGkj_dhg'], 'OIDC-acr': ['1'], 'OIDC-sid': ['8f17d709-a9d5-4ecd-817e-8bee34bb5a65'], 'OIDC_access_token': ['eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTM0NzMxMjgsImlhdCI6MTY5MzQ3MjgyOCwiYXV0aF90aW1lIjoxNjkzNDcyODI3LCJqdGkiOiJlNjU1ZTZlNi1jNDUyLTQwZDktYjE1Ny1kNmI4OTQwM2FlNTciLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6IjdLSkVQUG83MkhmUkJqcHY5X3dMU3BGczJIc01TaGlVSXplTnQ5MnNUMzAiLCJzZXNzaW9uX3N0YXRlIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.XeYywQX3Nd0d19uPUadHXxqP8nlCO_aWFseuzHgMafCR0rAakkzMJxYjwYQoqB3OTJ0_8USWpUTl5M_BWbxgqCsQZYiREpORostlEoIiAceyoarhfgytIW_oHyJtUJmYq6i2kYzPXeCWc8BO2-hjxrVij4OPBxpcA0_mVIIqWCoojmlcwmk-7FdacTVa_rEEaVkyuF7YWyd-e03OJqtVKdVm2CD6mweWxA_UI8zSsL5UHVafXEtSromH0NKyT7uOaOq8-ACUsGVa3wAJ4azGG3BIDnMm4X-esRSMEt9u-leY6rFYOYtg8lsE5kCtS1ZwSriSeV3ZTRaDPk9kHKaR8g'], 'OIDC_access_token_expires': ['1693473128'], 'GATEWAY_INTERFACE': ['CGI/1.1'], 'SERVER_PROTOCOL': ['HTTP/1.1'], 'REQUEST_METHOD': ['GET'], 'QUERY_STRING': ['origin=https://horizon.internal.domain.tld/auth/websso/'], 'REQUEST_URI': ['/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https://horizon.internal.domain.tld/auth/websso/'], 'SCRIPT_NAME': [''], 'PATH_INFO': ['/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso'], 'PATH_TRANSLATED': ['/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso'], 'HTTP_HOST': ['api-extern.internal.domain.tld:5000'], 'HTTP_USER_AGENT': ['Mozilla/5.0 (X11', ' Linux x86_64', ' rv:109.0) Gecko/20100101 Firefox/117.0'], 'HTTP_ACCEPT': ['text/html,application/xhtml+xml,application/xml', 'q=0.9,image/avif,image/jxl,image/webp,*/*', 'q=0.8'], 'HTTP_ACCEPT_LANGUAGE': ['de,en', 'q=0.5'], 'HTTP_ACCEPT_ENCODING': ['gzip, deflate, br'], 'HTTP_DNT': ['1'], 'HTTP_COOKIE': ['mod_auth_openidc_session=d0486333-338f-4584-8f39-8d1614fe9690'], 'HTTP_UPGRADE_INSECURE_REQUESTS': ['1'], 'HTTP_SEC_FETCH_DEST': ['document'], 'HTTP_SEC_FETCH_MODE': ['navigate'], 'HTTP_SEC_FETCH_SITE': ['none'], 'HTTP_SEC_FETCH_USER': ['?1'], 'HTTP_SEC_GPC': ['1'], 'HTTP_X_FORWARDED_PROTO': ['https'], 'HTTP_X_FORWARDED_FOR': ['10.252.0.102'], 'HTTP_OIDC_SUB': ['9aa80391-bb0d-46b8-a8e6-bab1b8ef3837'], 'HTTP_OIDC_OBJECTGUID': ['SkhR2SFntEqki5puft+j4Q=='], 'HTTP_OIDC_NAME': ['Silvio Knizek'], 'HTTP_OIDC_EMAIL': ['knizek@b1-systems.de'], 'HTTP_OIDC_EXP': ['1693473128'], 'HTTP_OIDC_IAT': ['1693472828'], 'HTTP_OIDC_JTI': ['d8080dea-4a33-4a03-983c-35fe823d9dbc'], 'HTTP_OIDC_ISS': ['https://auth.keycloak.tld/realms/customer'], 'HTTP_OIDC_AUD': ['openstack'], 'HTTP_OIDC_TYP': ['ID'], 'HTTP_OIDC_AZP': ['openstack'], 'HTTP_OIDC_NONCE': ['7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30'], 'HTTP_OIDC_ACR': ['1'], 'HTTP_OIDC_SID': ['8f17d709-a9d5-4ecd-817e-8bee34bb5a65'], 'SERVER_SIGNATURE': [''], 'SERVER_SOFTWARE': ['Apache'], 'SERVER_NAME': ['api-extern.internal.domain.tld'], 'SERVER_ADDR': ['10.40.64.223'], 'SERVER_PORT': ['5000'], 'REMOTE_ADDR': ['10.252.0.102'], 'DOCUMENT_ROOT': ['/var/www/html'], 'REQUEST_SCHEME': ['http'], 'CONTEXT_PREFIX': [''], 'CONTEXT_DOCUMENT_ROOT': ['/var/www/html'], 'SERVER_ADMIN': ['[no address given]'], 'SCRIPT_FILENAME': ['/var/lib/kolla/venv/bin/keystone-wsgi-public'], 'REMOTE_PORT': ['46866'], 'REMOTE_USER': ['9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer'], 'AUTH_TYPE': ['openid-connect'], 'mod_wsgi.script_name': [''], 'mod_wsgi.path_info': ['/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso'], 'mod_wsgi.process_group': ['keystone-public'], 'mod_wsgi.application_group': [''], 'mod_wsgi.callable_object': ['application'], 'mod_wsgi.request_handler': ['wsgi-script'], 'mod_wsgi.handler_script': [''], 'mod_wsgi.script_reloading': ['1'], 'mod_wsgi.listener_host': ['10.40.64.223'], 'mod_wsgi.listener_port': ['5000'], 'mod_wsgi.enable_sendfile': ['0'], 'mod_wsgi.ignore_activity': ['0'], 'mod_wsgi.request_start': ['1693472828540396'], 'mod_wsgi.request_id': ['7MVhXjzNoNI'], 'mod_wsgi.queue_start': ['1693472828542157'], 'mod_wsgi.daemon_connects': ['1'], 'mod_wsgi.daemon_restarts': ['0'], 'mod_wsgi.daemon_start': ['1693472828542239'], 'mod_wsgi.script_start': ['1693472828542368'], 'wsgi.url_scheme': ['https'], 'openstack.request_id': ['req-cad18c26-a893-483d-a8b3-b1cb19c50914']} process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:537\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.558069 2023-08-31 09:07:08.557 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'email': '{1}', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}}], 'remote': [{'type': 'OIDC-preferred_username'}, {'type': 'OIDC-email'}]}] process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:540\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.558292 2023-08-31 09:07:08.558 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] updating a direct mapping: ['silvio.knizek@customer.domain.tld'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:867\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.558503 2023-08-31 09:07:08.558 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] updating a direct mapping: ['knizek@b1-systems.de'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:867\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.559096 2023-08-31 09:07:08.558 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] direct_maps: [['silvio.knizek@customer.domain.tld'], ['knizek@b1-systems.de']] _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:743\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.559324 2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] local: {'user': {'name': '{0}', 'email': '{1}', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:744\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.559539 2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] direct_maps: [['silvio.knizek@customer.domain.tld'], ['knizek@b1-systems.de']] _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:743\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.559773 2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] local: {'name': '{0}', 'email': '{1}', 'domain': {'name': 'customer'}, 'type': 'ephemeral'} _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:744\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.560001 2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] direct_maps: [['silvio.knizek@customer.domain.tld'], ['knizek@b1-systems.de']] _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:743\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.560208 2023-08-31 09:07:08.560 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] local: {'name': 'customer'} _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:744\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.560439 2023-08-31 09:07:08.560 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] identity_values: [{'user': {'name': 'silvio.knizek@customer.domain.tld', 'email': 'knizek@b1-systems.de', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}}] process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:560\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.560662 2023-08-31 09:07:08.560 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] mapped_properties: {'user': {'name': 'silvio.knizek@customer.domain.tld', 'email': 'knizek@b1-systems.de', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:562\x1b[00m
/var/log/kolla/keystone/keystone-apache-public-error.log:2023-08-31 09:07:08.609261 2023-08-31 09:07:08.608 25 DEBUG keystone.auth.core [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] MFA Rules not processed for user `4831e5289533f16fcdcd2d3134ca9bd407958a098fe06e07e384f878476c644b`. Rule list: `[]` (Enabled: `True`). check_auth_methods_against_rules /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/auth/core.py:438\x1b[00m
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.543 25 DEBUG keystone.server.flask.request_processing.req_logging [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:27
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.543 25 DEBUG keystone.server.flask.request_processing.req_logging [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:28
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.543 25 DEBUG keystone.server.flask.request_processing.req_logging [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] PATH_INFO: `/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso` log_request_info /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/server/flask/request_processing/req_logging.py:29
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.544 25 DEBUG keystone.api._shared.authentication [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] No 'external' plugin is registered. authenticate /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/api/_shared/authentication.py:141
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.544 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] Environment variables: {'OIDC-sub': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'OIDC-email_verified': '1', 'OIDC-objectGUID': 'SkhR2SFntEqki5puft+j4Q==', 'OIDC-name': 'Silvio Knizek', 'OIDC-preferred_username': 'silvio.knizek@customer.domain.tld', 'OIDC-given_name': 'Silvio', 'OIDC-family_name': 'Knizek', 'OIDC-email': 'knizek@b1-systems.de', 'OIDC-exp': '1693473128', 'OIDC-iat': '1693472828', 'OIDC-auth_time': '1693472827', 'OIDC-jti': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'OIDC-iss': 'https://auth.keycloak.tld/realms/customer', 'OIDC-aud': 'openstack', 'OIDC-typ': 'ID', 'OIDC-azp': 'openstack', 'OIDC-nonce': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'OIDC-session_state': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC-at_hash': '_Syga9bgdQvDzDKGkj_dhg', 'OIDC-acr': '1', 'OIDC-sid': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC_access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTM0NzMxMjgsImlhdCI6MTY5MzQ3MjgyOCwiYXV0aF90aW1lIjoxNjkzNDcyODI3LCJqdGkiOiJlNjU1ZTZlNi1jNDUyLTQwZDktYjE1Ny1kNmI4OTQwM2FlNTciLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6IjdLSkVQUG83MkhmUkJqcHY5X3dMU3BGczJIc01TaGlVSXplTnQ5MnNUMzAiLCJzZXNzaW9uX3N0YXRlIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.XeYywQX3Nd0d19uPUadHXxqP8nlCO_aWFseuzHgMafCR0rAakkzMJxYjwYQoqB3OTJ0_8USWpUTl5M_BWbxgqCsQZYiREpORostlEoIiAceyoarhfgytIW_oHyJtUJmYq6i2kYzPXeCWc8BO2-hjxrVij4OPBxpcA0_mVIIqWCoojmlcwmk-7FdacTVa_rEEaVkyuF7YWyd-e03OJqtVKdVm2CD6mweWxA_UI8zSsL5UHVafXEtSromH0NKyT7uOaOq8-ACUsGVa3wAJ4azGG3BIDnMm4X-esRSMEt9u-leY6rFYOYtg8lsE5kCtS1ZwSriSeV3ZTRaDPk9kHKaR8g', 'OIDC_access_token_expires': '1693473128', 'GATEWAY_INTERFACE': 'CGI/1.1', 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': 'origin=https://horizon.internal.domain.tld/auth/websso/', 'REQUEST_URI': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https://horizon.internal.domain.tld/auth/websso/', 'SCRIPT_NAME': '', 'PATH_INFO': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'PATH_TRANSLATED': '/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8', 'HTTP_ACCEPT_LANGUAGE': 'de,en;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br', 'HTTP_DNT': '1', 'HTTP_COOKIE': 'mod_auth_openidc_session=d0486333-338f-4584-8f39-8d1614fe9690', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_SITE': 'none', 'HTTP_SEC_FETCH_USER': '?1', 'HTTP_SEC_GPC': '1', 'HTTP_X_FORWARDED_PROTO': 'https', 'HTTP_X_FORWARDED_FOR': '10.252.0.102', 'HTTP_OIDC_SUB': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'HTTP_OIDC_OBJECTGUID': 'SkhR2SFntEqki5puft+j4Q==', 'HTTP_OIDC_NAME': 'Silvio Knizek', 'HTTP_OIDC_EMAIL': 'knizek@b1-systems.de', 'HTTP_OIDC_EXP': '1693473128', 'HTTP_OIDC_IAT': '1693472828', 'HTTP_OIDC_JTI': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'HTTP_OIDC_ISS': 'https://auth.keycloak.tld/realms/customer', 'HTTP_OIDC_AUD': 'openstack', 'HTTP_OIDC_TYP': 'ID', 'HTTP_OIDC_AZP': 'openstack', 'HTTP_OIDC_NONCE': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'HTTP_OIDC_ACR': '1', 'HTTP_OIDC_SID': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'SERVER_SIGNATURE': '', 'SERVER_SOFTWARE': 'Apache', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_ADDR': '10.40.64.223', 'SERVER_PORT': '5000', 'REMOTE_ADDR': '10.252.0.102', 'DOCUMENT_ROOT': '/var/www/html', 'REQUEST_SCHEME': 'http', 'CONTEXT_PREFIX': '', 'CONTEXT_DOCUMENT_ROOT': '/var/www/html', 'SERVER_ADMIN': '[no address given]', 'SCRIPT_FILENAME': '/var/lib/kolla/venv/bin/keystone-wsgi-public', 'REMOTE_PORT': '46866', 'REMOTE_USER': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer', 'AUTH_TYPE': 'openid-connect', 'mod_wsgi.script_name': '', 'mod_wsgi.path_info': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'mod_wsgi.process_group': 'keystone-public', 'mod_wsgi.application_group': '', 'mod_wsgi.callable_object': 'application', 'mod_wsgi.request_handler': 'wsgi-script', 'mod_wsgi.handler_script': '', 'mod_wsgi.script_reloading': '1', 'mod_wsgi.listener_host': '10.40.64.223', 'mod_wsgi.listener_port': '5000', 'mod_wsgi.enable_sendfile': '0', 'mod_wsgi.ignore_activity': '0', 'mod_wsgi.request_start': '1693472828540396', 'mod_wsgi.request_id': '7MVhXjzNoNI', 'mod_wsgi.queue_start': '1693472828542157', 'mod_wsgi.daemon_connects': '1', 'mod_wsgi.daemon_restarts': '0', 'mod_wsgi.daemon_start': '1693472828542239', 'mod_wsgi.script_start': '1693472828542368', 'wsgi.version': (1, 0), 'wsgi.multithread': False, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'https', 'wsgi.errors': <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'>, 'wsgi.input': <oslo_middleware.sizelimit.LimitingReader object at 0x7f2ec4969840>, 'wsgi.input_terminated': True, 'wsgi.file_wrapper': <class 'mod_wsgi.FileWrapper'>, 'apache.version': (2, 4, 52), 'mod_wsgi.version': (4, 9, 0), 'mod_wsgi.total_requests': 7122, 'mod_wsgi.thread_id': 1, 'mod_wsgi.thread_requests': 7122, 'werkzeug.proxy_fix.orig': {'REMOTE_ADDR': '10.40.64.222', 'wsgi.url_scheme': 'http', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_PORT': '5000', 'SCRIPT_NAME': ''}, 'webob.adhoc_attrs': {'response': <_AuthTokenResponse at 0x7f2ec4cab730 200 OK>}, 'webob.is_body_seekable': False, 'openstack.request_id': 'req-cad18c26-a893-483d-a8b3-b1cb19c50914', 'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x7f2ec4a9af80>, 'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x7f2ec4a995a0>, 'werkzeug.request': <Request 'https://api-extern.internal.domain.tld:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https:%2F%2Fhorizon.internal.domain.tld%2Fauth%2Fwebsso%2F' [GET]>} get_assertion_params_from_env /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:439
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.556 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] assertion data: {'OIDC-sub': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'OIDC-email_verified': '1', 'OIDC-objectGUID': 'SkhR2SFntEqki5puft+j4Q==', 'OIDC-name': 'Silvio Knizek', 'OIDC-preferred_username': 'silvio.knizek@customer.domain.tld', 'OIDC-given_name': 'Silvio', 'OIDC-family_name': 'Knizek', 'OIDC-email': 'knizek@b1-systems.de', 'OIDC-exp': '1693473128', 'OIDC-iat': '1693472828', 'OIDC-auth_time': '1693472827', 'OIDC-jti': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'OIDC-iss': 'https://auth.keycloak.tld/realms/customer', 'OIDC-aud': 'openstack', 'OIDC-typ': 'ID', 'OIDC-azp': 'openstack', 'OIDC-nonce': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'OIDC-session_state': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC-at_hash': '_Syga9bgdQvDzDKGkj_dhg', 'OIDC-acr': '1', 'OIDC-sid': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'OIDC_access_token': 'eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTM0NzMxMjgsImlhdCI6MTY5MzQ3MjgyOCwiYXV0aF90aW1lIjoxNjkzNDcyODI3LCJqdGkiOiJlNjU1ZTZlNi1jNDUyLTQwZDktYjE1Ny1kNmI4OTQwM2FlNTciLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6IjdLSkVQUG83MkhmUkJqcHY5X3dMU3BGczJIc01TaGlVSXplTnQ5MnNUMzAiLCJzZXNzaW9uX3N0YXRlIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.XeYywQX3Nd0d19uPUadHXxqP8nlCO_aWFseuzHgMafCR0rAakkzMJxYjwYQoqB3OTJ0_8USWpUTl5M_BWbxgqCsQZYiREpORostlEoIiAceyoarhfgytIW_oHyJtUJmYq6i2kYzPXeCWc8BO2-hjxrVij4OPBxpcA0_mVIIqWCoojmlcwmk-7FdacTVa_rEEaVkyuF7YWyd-e03OJqtVKdVm2CD6mweWxA_UI8zSsL5UHVafXEtSromH0NKyT7uOaOq8-ACUsGVa3wAJ4azGG3BIDnMm4X-esRSMEt9u-leY6rFYOYtg8lsE5kCtS1ZwSriSeV3ZTRaDPk9kHKaR8g', 'OIDC_access_token_expires': '1693473128', 'GATEWAY_INTERFACE': 'CGI/1.1', 'SERVER_PROTOCOL': 'HTTP/1.1', 'REQUEST_METHOD': 'GET', 'QUERY_STRING': 'origin=https://horizon.internal.domain.tld/auth/websso/', 'REQUEST_URI': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https://horizon.internal.domain.tld/auth/websso/', 'SCRIPT_NAME': '', 'PATH_INFO': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'PATH_TRANSLATED': '/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'HTTP_USER_AGENT': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0', 'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/jxl,image/webp,*/*;q=0.8', 'HTTP_ACCEPT_LANGUAGE': 'de,en;q=0.5', 'HTTP_ACCEPT_ENCODING': 'gzip, deflate, br', 'HTTP_DNT': '1', 'HTTP_COOKIE': 'mod_auth_openidc_session=d0486333-338f-4584-8f39-8d1614fe9690', 'HTTP_UPGRADE_INSECURE_REQUESTS': '1', 'HTTP_SEC_FETCH_DEST': 'document', 'HTTP_SEC_FETCH_MODE': 'navigate', 'HTTP_SEC_FETCH_SITE': 'none', 'HTTP_SEC_FETCH_USER': '?1', 'HTTP_SEC_GPC': '1', 'HTTP_X_FORWARDED_PROTO': 'https', 'HTTP_X_FORWARDED_FOR': '10.252.0.102', 'HTTP_OIDC_SUB': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837', 'HTTP_OIDC_OBJECTGUID': 'SkhR2SFntEqki5puft+j4Q==', 'HTTP_OIDC_NAME': 'Silvio Knizek', 'HTTP_OIDC_EMAIL': 'knizek@b1-systems.de', 'HTTP_OIDC_EXP': '1693473128', 'HTTP_OIDC_IAT': '1693472828', 'HTTP_OIDC_JTI': 'd8080dea-4a33-4a03-983c-35fe823d9dbc', 'HTTP_OIDC_ISS': 'https://auth.keycloak.tld/realms/customer', 'HTTP_OIDC_AUD': 'openstack', 'HTTP_OIDC_TYP': 'ID', 'HTTP_OIDC_AZP': 'openstack', 'HTTP_OIDC_NONCE': '7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30', 'HTTP_OIDC_ACR': '1', 'HTTP_OIDC_SID': '8f17d709-a9d5-4ecd-817e-8bee34bb5a65', 'SERVER_SIGNATURE': '', 'SERVER_SOFTWARE': 'Apache', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_ADDR': '10.40.64.223', 'SERVER_PORT': '5000', 'REMOTE_ADDR': '10.252.0.102', 'DOCUMENT_ROOT': '/var/www/html', 'REQUEST_SCHEME': 'http', 'CONTEXT_PREFIX': '', 'CONTEXT_DOCUMENT_ROOT': '/var/www/html', 'SERVER_ADMIN': '[no address given]', 'SCRIPT_FILENAME': '/var/lib/kolla/venv/bin/keystone-wsgi-public', 'REMOTE_PORT': '46866', 'REMOTE_USER': '9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer', 'AUTH_TYPE': 'openid-connect', 'mod_wsgi.script_name': '', 'mod_wsgi.path_info': '/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso', 'mod_wsgi.process_group': 'keystone-public', 'mod_wsgi.application_group': '', 'mod_wsgi.callable_object': 'application', 'mod_wsgi.request_handler': 'wsgi-script', 'mod_wsgi.handler_script': '', 'mod_wsgi.script_reloading': '1', 'mod_wsgi.listener_host': '10.40.64.223', 'mod_wsgi.listener_port': '5000', 'mod_wsgi.enable_sendfile': '0', 'mod_wsgi.ignore_activity': '0', 'mod_wsgi.request_start': '1693472828540396', 'mod_wsgi.request_id': '7MVhXjzNoNI', 'mod_wsgi.queue_start': '1693472828542157', 'mod_wsgi.daemon_connects': '1', 'mod_wsgi.daemon_restarts': '0', 'mod_wsgi.daemon_start': '1693472828542239', 'mod_wsgi.script_start': '1693472828542368', 'wsgi.version': (1, 0), 'wsgi.multithread': False, 'wsgi.multiprocess': True, 'wsgi.run_once': False, 'wsgi.url_scheme': 'https', 'wsgi.errors': <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'>, 'wsgi.input': <oslo_middleware.sizelimit.LimitingReader object at 0x7f2ec4969840>, 'wsgi.input_terminated': True, 'wsgi.file_wrapper': <class 'mod_wsgi.FileWrapper'>, 'apache.version': (2, 4, 52), 'mod_wsgi.version': (4, 9, 0), 'mod_wsgi.total_requests': 7122, 'mod_wsgi.thread_id': 1, 'mod_wsgi.thread_requests': 7122, 'werkzeug.proxy_fix.orig': {'REMOTE_ADDR': '10.40.64.222', 'wsgi.url_scheme': 'http', 'HTTP_HOST': 'api-extern.internal.domain.tld:5000', 'SERVER_NAME': 'api-extern.internal.domain.tld', 'SERVER_PORT': '5000', 'SCRIPT_NAME': ''}, 'webob.adhoc_attrs': {'response': <_AuthTokenResponse at 0x7f2ec4cab730 200 OK>}, 'webob.is_body_seekable': False, 'openstack.request_id': 'req-cad18c26-a893-483d-a8b3-b1cb19c50914', 'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x7f2ec4a9af80>, 'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x7f2ec4a995a0>, 'werkzeug.request': <Request 'https://api-extern.internal.domain.tld:5000/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https:%2F%2Fhorizon.internal.domain.tld%2Fauth%2Fwebsso%2F' [GET]>} process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:534
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.557 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] assertion: {'OIDC-sub': ['9aa80391-bb0d-46b8-a8e6-bab1b8ef3837'], 'OIDC-email_verified': ['1'], 'OIDC-objectGUID': ['SkhR2SFntEqki5puft+j4Q=='], 'OIDC-name': ['Silvio Knizek'], 'OIDC-preferred_username': ['silvio.knizek@customer.domain.tld'], 'OIDC-given_name': ['Silvio'], 'OIDC-family_name': ['Knizek'], 'OIDC-email': ['knizek@b1-systems.de'], 'OIDC-exp': ['1693473128'], 'OIDC-iat': ['1693472828'], 'OIDC-auth_time': ['1693472827'], 'OIDC-jti': ['d8080dea-4a33-4a03-983c-35fe823d9dbc'], 'OIDC-iss': ['https://auth.keycloak.tld/realms/customer'], 'OIDC-aud': ['openstack'], 'OIDC-typ': ['ID'], 'OIDC-azp': ['openstack'], 'OIDC-nonce': ['7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30'], 'OIDC-session_state': ['8f17d709-a9d5-4ecd-817e-8bee34bb5a65'], 'OIDC-at_hash': ['_Syga9bgdQvDzDKGkj_dhg'], 'OIDC-acr': ['1'], 'OIDC-sid': ['8f17d709-a9d5-4ecd-817e-8bee34bb5a65'], 'OIDC_access_token': ['eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTM0NzMxMjgsImlhdCI6MTY5MzQ3MjgyOCwiYXV0aF90aW1lIjoxNjkzNDcyODI3LCJqdGkiOiJlNjU1ZTZlNi1jNDUyLTQwZDktYjE1Ny1kNmI4OTQwM2FlNTciLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6IjdLSkVQUG83MkhmUkJqcHY5X3dMU3BGczJIc01TaGlVSXplTnQ5MnNUMzAiLCJzZXNzaW9uX3N0YXRlIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiOGYxN2Q3MDktYTlkNS00ZWNkLTgxN2UtOGJlZTM0YmI1YTY1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.XeYywQX3Nd0d19uPUadHXxqP8nlCO_aWFseuzHgMafCR0rAakkzMJxYjwYQoqB3OTJ0_8USWpUTl5M_BWbxgqCsQZYiREpORostlEoIiAceyoarhfgytIW_oHyJtUJmYq6i2kYzPXeCWc8BO2-hjxrVij4OPBxpcA0_mVIIqWCoojmlcwmk-7FdacTVa_rEEaVkyuF7YWyd-e03OJqtVKdVm2CD6mweWxA_UI8zSsL5UHVafXEtSromH0NKyT7uOaOq8-ACUsGVa3wAJ4azGG3BIDnMm4X-esRSMEt9u-leY6rFYOYtg8lsE5kCtS1ZwSriSeV3ZTRaDPk9kHKaR8g'], 'OIDC_access_token_expires': ['1693473128'], 'GATEWAY_INTERFACE': ['CGI/1.1'], 'SERVER_PROTOCOL': ['HTTP/1.1'], 'REQUEST_METHOD': ['GET'], 'QUERY_STRING': ['origin=https://horizon.internal.domain.tld/auth/websso/'], 'REQUEST_URI': ['/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso?origin=https://horizon.internal.domain.tld/auth/websso/'], 'SCRIPT_NAME': [''], 'PATH_INFO': ['/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso'], 'PATH_TRANSLATED': ['/var/lib/kolla/venv/bin/keystone-wsgi-public/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso'], 'HTTP_HOST': ['api-extern.internal.domain.tld:5000'], 'HTTP_USER_AGENT': ['Mozilla/5.0 (X11', ' Linux x86_64', ' rv:109.0) Gecko/20100101 Firefox/117.0'], 'HTTP_ACCEPT': ['text/html,application/xhtml+xml,application/xml', 'q=0.9,image/avif,image/jxl,image/webp,*/*', 'q=0.8'], 'HTTP_ACCEPT_LANGUAGE': ['de,en', 'q=0.5'], 'HTTP_ACCEPT_ENCODING': ['gzip, deflate, br'], 'HTTP_DNT': ['1'], 'HTTP_COOKIE': ['mod_auth_openidc_session=d0486333-338f-4584-8f39-8d1614fe9690'], 'HTTP_UPGRADE_INSECURE_REQUESTS': ['1'], 'HTTP_SEC_FETCH_DEST': ['document'], 'HTTP_SEC_FETCH_MODE': ['navigate'], 'HTTP_SEC_FETCH_SITE': ['none'], 'HTTP_SEC_FETCH_USER': ['?1'], 'HTTP_SEC_GPC': ['1'], 'HTTP_X_FORWARDED_PROTO': ['https'], 'HTTP_X_FORWARDED_FOR': ['10.252.0.102'], 'HTTP_OIDC_SUB': ['9aa80391-bb0d-46b8-a8e6-bab1b8ef3837'], 'HTTP_OIDC_OBJECTGUID': ['SkhR2SFntEqki5puft+j4Q=='], 'HTTP_OIDC_NAME': ['Silvio Knizek'], 'HTTP_OIDC_EMAIL': ['knizek@b1-systems.de'], 'HTTP_OIDC_EXP': ['1693473128'], 'HTTP_OIDC_IAT': ['1693472828'], 'HTTP_OIDC_JTI': ['d8080dea-4a33-4a03-983c-35fe823d9dbc'], 'HTTP_OIDC_ISS': ['https://auth.keycloak.tld/realms/customer'], 'HTTP_OIDC_AUD': ['openstack'], 'HTTP_OIDC_TYP': ['ID'], 'HTTP_OIDC_AZP': ['openstack'], 'HTTP_OIDC_NONCE': ['7KJEPPo72HfRBjpv9_wLSpFs2HsMShiUIzeNt92sT30'], 'HTTP_OIDC_ACR': ['1'], 'HTTP_OIDC_SID': ['8f17d709-a9d5-4ecd-817e-8bee34bb5a65'], 'SERVER_SIGNATURE': [''], 'SERVER_SOFTWARE': ['Apache'], 'SERVER_NAME': ['api-extern.internal.domain.tld'], 'SERVER_ADDR': ['10.40.64.223'], 'SERVER_PORT': ['5000'], 'REMOTE_ADDR': ['10.252.0.102'], 'DOCUMENT_ROOT': ['/var/www/html'], 'REQUEST_SCHEME': ['http'], 'CONTEXT_PREFIX': [''], 'CONTEXT_DOCUMENT_ROOT': ['/var/www/html'], 'SERVER_ADMIN': ['[no address given]'], 'SCRIPT_FILENAME': ['/var/lib/kolla/venv/bin/keystone-wsgi-public'], 'REMOTE_PORT': ['46866'], 'REMOTE_USER': ['9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer'], 'AUTH_TYPE': ['openid-connect'], 'mod_wsgi.script_name': [''], 'mod_wsgi.path_info': ['/v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso'], 'mod_wsgi.process_group': ['keystone-public'], 'mod_wsgi.application_group': [''], 'mod_wsgi.callable_object': ['application'], 'mod_wsgi.request_handler': ['wsgi-script'], 'mod_wsgi.handler_script': [''], 'mod_wsgi.script_reloading': ['1'], 'mod_wsgi.listener_host': ['10.40.64.223'], 'mod_wsgi.listener_port': ['5000'], 'mod_wsgi.enable_sendfile': ['0'], 'mod_wsgi.ignore_activity': ['0'], 'mod_wsgi.request_start': ['1693472828540396'], 'mod_wsgi.request_id': ['7MVhXjzNoNI'], 'mod_wsgi.queue_start': ['1693472828542157'], 'mod_wsgi.daemon_connects': ['1'], 'mod_wsgi.daemon_restarts': ['0'], 'mod_wsgi.daemon_start': ['1693472828542239'], 'mod_wsgi.script_start': ['1693472828542368'], 'wsgi.url_scheme': ['https'], 'openstack.request_id': ['req-cad18c26-a893-483d-a8b3-b1cb19c50914']} process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:537
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.557 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'email': '{1}', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}}], 'remote': [{'type': 'OIDC-preferred_username'}, {'type': 'OIDC-email'}]}] process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:540
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.558 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] updating a direct mapping: ['silvio.knizek@customer.domain.tld'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:867
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.558 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] updating a direct mapping: ['knizek@b1-systems.de'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:867
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.558 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] direct_maps: [['silvio.knizek@customer.domain.tld'], ['knizek@b1-systems.de']] _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:743
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] local: {'user': {'name': '{0}', 'email': '{1}', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:744
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] direct_maps: [['silvio.knizek@customer.domain.tld'], ['knizek@b1-systems.de']] _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:743
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] local: {'name': '{0}', 'email': '{1}', 'domain': {'name': 'customer'}, 'type': 'ephemeral'} _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:744
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.559 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] direct_maps: [['silvio.knizek@customer.domain.tld'], ['knizek@b1-systems.de']] _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:743
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.560 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] local: {'name': 'customer'} _update_local_mapping /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:744
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.560 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] identity_values: [{'user': {'name': 'silvio.knizek@customer.domain.tld', 'email': 'knizek@b1-systems.de', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}}] process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:560
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.560 25 DEBUG keystone.federation.utils [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] mapped_properties: {'user': {'name': 'silvio.knizek@customer.domain.tld', 'email': 'knizek@b1-systems.de', 'domain': {'name': 'customer'}, 'type': 'ephemeral'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/federation/utils.py:562
/var/log/kolla/keystone/keystone.log:2023-08-31 09:07:08.608 25 DEBUG keystone.auth.core [None req-cad18c26-a893-483d-a8b3-b1cb19c50914 - - - - - -] MFA Rules not processed for user `4831e5289533f16fcdcd2d3134ca9bd407958a098fe06e07e384f878476c644b`. Rule list: `[]` (Enabled: `True`). check_auth_methods_against_rules /var/lib/kolla/venv/lib/python3.10/site-packages/keystone/auth/core.py:438/etc/kolla/keystone/wsgi-keystone.conf
Listen 10.40.64.223:5000
Listen 10.40.64.223:35357
ServerSignature Off
ServerTokens Prod
TraceEnable off
TimeOut 60
KeepAliveTimeout 60
ErrorLog "/var/log/kolla/keystone/apache-error.log"
<IfModule log_config_module>
CustomLog "/var/log/kolla/keystone/apache-access.log" common
</IfModule>
<Directory "/var/lib/kolla/venv/bin">
<FilesMatch "^keystone-wsgi-(public|admin)$">
AllowOverride None
Options None
Require all granted
</FilesMatch>
</Directory>
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=keystone-public
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/lib/kolla/venv/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "/var/log/kolla/keystone/keystone-apache-public-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "/var/log/kolla/keystone/keystone-apache-public-access.log" logformat
OIDCXForwardedHeaders "X-Forwarded-Proto"
OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ","
OIDCPKCEMethod S256
OIDCResponseType "code"
OIDCScope "openid email profile"
# OIDCMetadataDir /etc/apache2/metadata
OIDCProviderMetadataURL https://auth.keycloak.tld/realms/customer/.well-known/openid-configuration
OIDCSSLValidateServer Off
OIDCClientID openstack
OIDCClientSecret 2je4Q9QVVCFZZyruVVonU0AzLijCN15t
OIDCOAuthVerifyCertFiles ix3bsRkD4JWr_7wj-rtl_DJZt1N1Q6QtLGj_yS8bmX4#/etc/apache2/cert/ix3bsRkD4JWr_7wj-rtl_DJZt1N1Q6QtLGj_yS8bmX4.pem
OIDCCryptoPassphrase aeu2sECRLMbpK3v0CLNzJxal4ORefn7V9nh3xt6z
OIDCRedirectURI https://api-extern.internal.domain.tld:5000/v3/redirect_uri/
OIDCCacheType memcache
OIDCMemCacheServers "10.40.64.220:11211 10.40.64.223:11211 10.40.64.222:11211"
<Location ~ "/redirect_uri/">
Require valid-user
AuthType openid-connect
</Location>
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso>
OIDCDiscoverURL https://api-extern.internal.domain.tld:5000/v3/redirect_uri?iss=https%3A//auth.keycloak.tld/realms/customer
Require valid-user
AuthType openid-connect
</LocationMatch>
<LocationMatch /v3/OS-FEDERATION/identity_providers/keycloak/protocols/openid/auth>
Require valid-user
AuthType oauth2
OIDCUnAuthAction pass
OAuth2TokenVerify jwks_uri https://auth.keycloak.tld/realms/customer/protocol/openid-connect/certs jwks_uri.ssl_verify=false
OAuth2TargetPass prefix=OIDC-
</LocationMatch>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=keystone-admin
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/lib/kolla/venv/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "/var/log/kolla/keystone/keystone-apache-admin-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "/var/log/kolla/keystone/keystone-apache-admin-access.log" logformat
</VirtualHost>And the command output.
$ openstack identity provider list
+----------+---------+----------------------------------+-----------------------------------------+
| ID | Enabled | Domain ID | Description |
+----------+---------+----------------------------------+-----------------------------------------+
| keycloak | True | 04afc09cf8044b0b8a9b4b5d6c36d4fe | Anmeldung via AD Nutzer und AD Passwort |
+----------+---------+----------------------------------+-----------------------------------------+
$ openstack federation protocol list --identity-provider keycloak && openstack mapping show -f json "$(openstack federation protocol show -f json --identity-provider keycloak openid | jq -r .mapping)"
+--------+------------+
| id | mapping |
+--------+------------+
| openid | mappingId1 |
+--------+------------+
{
"id": "mappingId1",
"rules": [
{
"local": [
{
"user": {
"name": "{0}",
"email": "{1}",
"domain": {
"name": "customer"
},
"type": "ephemeral"
}
}
],
"remote": [
{
"type": "OIDC-preferred_username"
},
{
"type": "OIDC-email"
}
]
}
]
}If you have to redact then it's a business case of yours and that should probably be handled in your company, just to be careful regarding data protection.
It is a big SCS installation that is currently being worked on and where we as the SCS team can participate.
berendt
commented
1 year ago @killermoehre We prepared a Nextcloud share. If you want to upload further logs on a private share please ping me via mail or matrix.
reqa
commented
1 year ago The original error message reported OpenID Connect Provider error: Error in handling response type. indicates some issue in the communication between mod_auth_openidc and Keycloak (e.g. if you google for the message the first matches are from that projects github). As your wsgi-keystone.conf shows that PKCE method S256 is selected, I would first check that this is actually activated in Keycloak for the OIDC client openstack.
Im surprised though, that the provided excerpt from keystone-apache-public-error.log shows no indication of an error but looks like it properly parsed claims from the token, e.g. OIDC-preferred_username. That's all I can tell now from the info provided.
killermoehre
commented
1 year ago @reqa Due to a network layer rebuild at $customer we won't be able to provide any logs this week (maaany cables have to be reconnected). I will follow up with this issue next week, maybe even in some 1-on-1 screen share session, because I really don't know where I could produce more logging.
JuanPTM
commented
1 year ago After looking a couple of times over all the data provided it looks quite strange.
keystone-apache-public-error.log everything is readed from the claim an mapped.That left me with maybe the error is on the Keycloak client. Also, after double check I found something strange on the wsgi-keystone.conf.
First of all, you have copied our config file setup that is intented to use a OIDC client that is public and uses PKCE with S256.
....
OIDCPKCEMethod S256
OIDCResponseType "code"
....At the same time you are configuring your OIDC client as a private client using ClientIDSecret. So maybe this is creating and internal error on the keystone level.
...
OIDCClientID openstack
OIDCClientSecret ...
...I don't have more ideas right now by looking our current data. But that could be a good lead to follow.
killermoehre
commented
1 year ago So, I was able to access the lab environment (network rebuild took longer than expected).
Even after removing
OIDCPKCEMethod S256
OIDCResponseType "code"I'm not able to log in via Keycloak. Anything else you can suggest?
JuanPTM
commented
1 year ago The OIDCResponseType should match the correct configuration of your Keycloak OIDC client. More info
The default client should work with OIDCResponseType id_token, but it might vary depending of the client configuration.
I cannot say much more without checking the OIDC client configuration. But everything looks like is some problem in the Keycloak <->Keystone configuration.
More related info about the response type Issue 293
killermoehre
commented
1 year ago So, I added
OIDCInfoHook iat access_token userinfo remote_userto the wsgi-keystone.conf for some further debugging and I get actually my object back as expected when querying https://api-extern.internal.domain.tld:5000/v3/redirect_uri/?info=json.
{
"iat": 1695729200,
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJpeDNic1JrRDRKV3JfN3dqLXJ0bF9ESlp0MU4xUTZRdExHal95UzhibVg0In0.eyJleHAiOjE2OTU3MjkzODIsImlhdCI6MTY5NTcyOTA4MiwiYXV0aF90aW1lIjoxNjk1NzI4OTUyLCJqdGkiOiIxN2FmNGMwOC02YjRmLTQ0OWQtYmI3OC03ZGEzMmRmYjU5MjQiLCJpc3MiOiJodHRwczovL2F1dGgudmlwLWxhYi5pbmZyYS5pbC50aGxyei5kZS9yZWFsbXMvdGxyeiIsImF1ZCI6ImFjY291bnQiLCJzdWIiOiI5YWE4MDM5MS1iYjBkLTQ2YjgtYThlNi1iYWIxYjhlZjM4MzciLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJvcGVuc3RhY2siLCJub25jZSI6ImZmSlpFSzd6SGtWN1IyS2FJZXBVQ0tRS0VyTTlRQ0pJYU4ydDlZZm9uaEUiLCJzZXNzaW9uX3N0YXRlIjoiNWJjZjE2YzYtMTVkYS00MjBjLTllYTUtN2E0NWQ3NzFlYWE1IiwiYWNyIjoiMCIsImFsbG93ZWQtb3JpZ2lucyI6WyJodHRwczovL2FwaS1leHRlcm4uY2wudGhsdi5kZTo1MDAwIiwiaHR0cHM6Ly9ob3Jpem9uLmNsLnRobHYuZGUiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtdGxyeiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX19LCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIGVtYWlsIiwic2lkIjoiNWJjZjE2YzYtMTVkYS00MjBjLTllYTUtN2E0NWQ3NzFlYWE1IiwiZW1haWxfdmVyaWZpZWQiOnRydWUsIm5hbWUiOiJTaWx2aW8gS25pemVrIiwicHJlZmVycmVkX3VzZXJuYW1lIjoic2lsdmlvLmtuaXpla0B0bHJ6LnRodWVyaW5nZW4uZGUiLCJnaXZlbl9uYW1lIjoiU2lsdmlvIiwiZmFtaWx5X25hbWUiOiJLbml6ZWsiLCJlbWFpbCI6ImtuaXpla0BiMS1zeXN0ZW1zLmRlIn0.sxgVuw3-IhTobHghy_lt8SgQfG4AWPW6_wJYg-9rQwFca1QP_15XA_0kZixS8Z2MS2UYCo2MaJmXIVbVlBUBGAoFfMFs7KgdRAE8T5moWre1xZyC5nZSfwuVsw1xDwOx4QnejRbvPtQFU4LYLiGArrvGOsAAgdBRs3qH00CVxxjjXQ7L1rInLa089Dan7fUB0MJdk42psPEmm0HBjR_GLuxQd_rDUmiNS3La-JOFGp3KjVvSC603ySvXgGqvSUoAEv0JrZDwBW-9NZI9hr_8NyWQ57GOnqh5IjWh2PZbL6SceenDsqCGStTq-OJ8aI2GIJH7rVeOIzW49VZU_ao2hg",
"userinfo": {
"sub": "9aa80391-bb0d-46b8-a8e6-bab1b8ef3837",
"email_verified": true,
"objectGUID": "SkhR2SFntEqki5puft+j4Q==",
"name": "Silvio Knizek",
"preferred_username": "silvio.knizek@customer.domain.tld",
"given_name": "Silvio",
"family_name": "Knizek",
"email": "knizek@b1-systems.de"
},
"remote_user": "9aa80391-bb0d-46b8-a8e6-bab1b8ef3837@auth.keycloak.tld/realms/customer"
}But Horizon doesn't seem to understand this.
JuanPTM
commented
1 year ago What's the current error on Horizon? The oidc token seems correct, but Horizon is only able to handle Keystone tokens, not oidc.
I'm running out of ideas as the wsgi-keystone.conf looks correct, and the parsing also look correct on the previous messages. 🤔
After double checking your mapping rules you are not assigning any project to the user, this will cause the login to fail and get redirected to the login screen (https://api-extern.internal.domain.tld in your case) and show the error message
Login failed: You are not authorize on any project or domain
This is not the current problem, it will be the last one when we solve all the horizon - keystone - keycloak problems
killermoehre
commented
1 year ago I don't see any further error in the horizon-access.log. The web interface just brings a Login failed: An error occurred. Please try again later.
JuanPTM
commented
1 year ago Maybe you could upload the Keycloak client, so I can double check the configuration there
killermoehre
commented
1 year ago @JuanPTM here is the configuration as exported from keycloak.
{
"clientId": "openstack",
"name": "OpenStack LaborCloud",
"description": "",
"rootUrl": "https://horizon.internal.domain.tld/",
"adminUrl": "https://horizon.internal.domain.tld/",
"baseUrl": "https://horizon.internal.domain.tld/",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"secret": "2je4Q9QVVCFZZyruVVonU0AzLijCN15t",
"redirectUris": [
"https://api-extern.internal.domain.tld:5000/*",
"https://horizon.internal.domain.tld/*"
],
"webOrigins": [
"https://api-extern.internal.domain.tld:5000",
"https://horizon.internal.domain.tld"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": false,
"directAccessGrantsEnabled": false,
"serviceAccountsEnabled": true,
"authorizationServicesEnabled": true,
"publicClient": false,
"frontchannelLogout": true,
"protocol": "openid-connect",
"attributes": {
"client.secret.creation.time": "1692032706",
"oauth2.device.authorization.grant.enabled": "false",
"backchannel.logout.revoke.offline.tokens": "false",
"use.refresh.tokens": "true",
"oidc.ciba.grant.enabled": "false",
"backchannel.logout.session.required": "true",
"client_credentials.use_refresh_token": "false",
"tls.client.certificate.bound.access.tokens": "false",
"require.pushed.authorization.requests": "false",
"acr.loa.map": "{}",
"display.on.consent.screen": "false",
"token.response.type.bearer.lower-case": "false"
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"name": "username",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"userinfo.token.claim": "true",
"multivalued": "false",
"user.attribute": "username",
"id.token.claim": "true",
"access.token.claim": "false",
"claim.name": "preferred_username",
"jsonType.label": "String"
}
},
{
"name": "objectGUID",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"multivalued": "false",
"userinfo.token.claim": "true",
"user.attribute": "objectGUID",
"id.token.claim": "true",
"access.token.claim": "false",
"claim.name": "objectGUID",
"jsonType.label": "String"
}
},
{
"name": "Client Host",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientHost",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientHost",
"jsonType.label": "String"
}
},
{
"name": "groups",
"protocol": "openid-connect",
"protocolMapper": "oidc-group-membership-mapper",
"consentRequired": false,
"config": {
"full.path": "false",
"userinfo.token.claim": "true",
"multivalued": "true",
"id.token.claim": "true",
"access.token.claim": "false",
"claim.name": "groups"
}
},
{
"name": "email",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"userinfo.token.claim": "true",
"multivalued": "false",
"user.attribute": "email",
"id.token.claim": "true",
"access.token.claim": "false",
"claim.name": "email",
"jsonType.label": "String"
}
},
{
"name": "Client IP Address",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "clientAddress",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "clientAddress",
"jsonType.label": "String"
}
},
{
"name": "Client ID",
"protocol": "openid-connect",
"protocolMapper": "oidc-usersessionmodel-note-mapper",
"consentRequired": false,
"config": {
"user.session.note": "client_id",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "client_id",
"jsonType.label": "String"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
}
}As I don't see any problem there I'm going to paste here our working Keycloak client, and wsgi configuration. You can try with those, they are working fine on our testbed deployment.
Keycloak client, this client has 2 mappers to send the attributes openstack-user-domain and openstack-user-project to the mapping rules. You shouldn't need those.
{
"clientId": "keystone",
"surrogateAuthRequired": false,
"enabled": true,
"alwaysDisplayInConsole": false,
"clientAuthenticatorType": "client-secret",
"redirectUris": [
"https://api.testbed.osism.xyz",
"https://192.168.16.254",
"https://192.168.16.254:5000/redirect_uri",
"https://api.testbed.osism.xyz:5000/redirect_uri"
],
"webOrigins": [
"https://192.168.16.254:5000",
"https://api.testbed.osism.xyz:5000",
"https://api.testbed.osism.xyz",
"https://192.168.16.254"
],
"notBefore": 0,
"bearerOnly": false,
"consentRequired": false,
"standardFlowEnabled": true,
"implicitFlowEnabled": true,
"directAccessGrantsEnabled": true,
"serviceAccountsEnabled": false,
"publicClient": false,
"frontchannelLogout": false,
"protocol": "openid-connect",
"attributes": {
"post.logout.redirect.uris": "https://api.testbed.osism.xyz:5000/redirect_uri?logout=https://api.testbed.osism.xyz:5000/logout",
"pkce.code.challenge.method": "S256",
"backchannel.logout.session.required": "true",
"backchannel.logout.url": "https://api.testbed.osism.xyz:5000/redirect_uri?logout=backchannel",
"backchannel.logout.revoke.offline.tokens": "true",
"request.uris": "",
"consent.screen.text": "",
"oauth2.device.authorization.grant.enabled": false,
"oidc.ciba.grant.enabled": false,
"login_theme": "",
"display.on.consent.screen": false
},
"authenticationFlowBindingOverrides": {},
"fullScopeAllowed": true,
"nodeReRegistrationTimeout": -1,
"protocolMappers": [
{
"name": "openstack-user-domain",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"aggregate.attrs": "false",
"userinfo.token.claim": "true",
"multivalued": "false",
"user.attribute": "openstack-default-domain",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "openstack-default-domain"
}
},
{
"name": "openstack-default-project",
"protocol": "openid-connect",
"protocolMapper": "oidc-usermodel-attribute-mapper",
"consentRequired": false,
"config": {
"user.attribute": "openstack-default-project",
"id.token.claim": "true",
"access.token.claim": "true",
"claim.name": "openstack-default-project",
"userinfo.token.claim": "true"
}
}
],
"defaultClientScopes": [
"web-origins",
"acr",
"profile",
"roles",
"email"
],
"optionalClientScopes": [
"address",
"phone",
"offline_access",
"microprofile-jwt"
],
"access": {
"view": true,
"configure": true,
"manage": true
},
"name": "",
"description": "",
"rootUrl": "",
"baseUrl": "",
"adminUrl": "",
"authorizationServicesEnabled": false
}WSGI-keystone, there is only the virtualhost 5000 relevant stuff
...
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=2 threads=1 user=keystone group=keystone display-name=keystone-public
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/lib/kolla/venv/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog "/var/log/kolla/keystone/keystone-apache-public-error.log"
LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b %D \"%{Referer}i\" \"%{User-Agent}i\"" logformat
CustomLog "/var/log/kolla/keystone/keystone-apache-public-access.log" logformat
OIDCInfoHook iat access_token userinfo remote_user
OIDCXForwardedHeaders "X-Forwarded-Proto"
OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ","
# OIDCPKCEMethod S256
OIDCResponseType "id_token"
OIDCScope "openid email profile"
# OIDCMetadataDir /etc/apache2/metadata
OIDCProviderMetadataURL https://keycloak.testbed.osism.xyz/auth/realms/osism/.well-known/openid-configuration
OIDCClientID keystone
OIDCClientSecret 0056b89c-030f-486b-a6ad-f0fa398fa4ad
OIDCOAuthVerifyCertFiles kD9RIBcPiCOVO8wOM2VbZD5XnpgSkf-tWdSmhurxmJo#/etc/apache2/cert/kD9RIBcPiCOVO8wOM2VbZD5XnpgSkf-tWdSmhurxmJo.pem
OIDCCryptoPassphrase OhVoo0tied5yoogheiT1Xou5OhZahxaG
OIDCRedirectURI https://api.testbed.osism.xyz:5000/redirect_uri
OIDCCacheType memcache
OIDCMemCacheServers "192.168.16.10:11211 192.168.16.11:11211 192.168.16.12:11211"
<Location ~ "/redirect_uri">
Require valid-user
AuthType openid-connect
</Location>
<Location "/logout">
Redirect 302 / https://api.testbed.osism.xyz/auth/
</Location>
<Location /v3/auth/OS-FEDERATION/websso/openid>
Require valid-user
AuthType openid-connect
</Location>
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/keycloak/protocols/openid/websso>
OIDCDiscoverURL https://api.testbed.osism.xyz:5000/redirect_uri?iss=https%3A//keycloak.testbed.osism.xyz/auth/realms/osism
Require valid-user
AuthType openid-connect
</LocationMatch>
<LocationMatch /v3/OS-FEDERATION/identity_providers/keycloak/protocols/openid/auth>
Require valid-user
AuthType oauth2
OIDCUnAuthAction pass
OAuth2TokenVerify jwks_uri https://keycloak.testbed.osism.xyz/auth/realms/osism/protocol/openid-connect/certs jwks_uri.ssl_verify=false
OAuth2TargetPass prefix=OIDC-
</LocationMatch>
</VirtualHost>
...No difference, even with implicit flow and id_token.
JuanPTM
commented
1 year ago hmm, I'll share the keystone.conf file, but maybe the problem is on the horizon configuration. ( I guess there is a lot of unrelated stuff here)
For the testbed horizon we have link
[DEFAULT]
debug = True
transport_url = rabbit://openstack:BO6yGAAq9eqA7IKqeBdtAEO7aJuNu4zfbhtnRo8Y@192.168.16.10:5672,openstack:BO6yGAAq9eqA7IKqeBdtAEO7aJuNu4zfbhtnRo8Y@192.168.16.11:5672,open
stack:BO6yGAAq9eqA7IKqeBdtAEO7aJuNu4zfbhtnRo8Y@192.168.16.12:5672//
log_file = /var/log/kolla/keystone/keystone.log
use_stderr = True
[oslo_middleware]
enable_proxy_headers_parsing = True
[database]
connection = mysql+pymysql://keystone:aEahTFTRzxDgBpH8IIEVaEh2ipKmiqCMZehRLcKl@api-int.testbed.osism.xyz:3306/keystone
connection_recycle_time = 10
max_pool_size = 1
max_retries = -1
[token]
revoke_by_id = False
provider = fernet
expiration = 86400
allow_expired_window = 172800
[fernet_tokens]
max_active_keys = 3
[cache]
backend = oslo_cache.memcache_pool
enabled = True
memcache_servers = 192.168.16.10:11211,192.168.16.11:11211,192.168.16.12:11211
[oslo_messaging_notifications]
transport_url = rabbit://openstack:BO6yGAAq9eqA7IKqeBdtAEO7aJuNu4zfbhtnRo8Y@192.168.16.10:5672,openstack:BO6yGAAq9eqA7IKqeBdtAEO7aJuNu4zfbhtnRo8Y@192.168.16.11:5672,openstack:BO6yGAAq9eqA7IKqeBdtAEO7aJuNu4zfbhtnRo8Y@192.168.16.12:5672//
driver = messagingv2
topics = notifications,barbican_notifications
[oslo_messaging_rabbit]
heartbeat_in_pthread = True
[cors]
allowed_origin = https://api.testbed.osism.xyz:3000
[federation]
trusted_dashboard = https://api.testbed.osism.xyz/auth/websso/
trusted_dashboard = https://api.testbed.osism.xyz:443/auth/websso/
sso_callback_template = /etc/keystone/sso_callback_template.html
[openid]
remote_id_attribute = HTTP_OIDC_ISS
[auth]
methods = password,token,openid,mapped,application_credential
[mapped]
remote_id_attribute = HTTP_OIDC_ISSThe only point I see is, that we use two different URLs for the API.
JuanPTM
commented
1 year ago In our case we have the ip and the dns name of each service, but it's
JuanPTM
commented
1 year ago I'm not sure of what it's happening, maybe the full Keystone log from a login would help here, I'm not sure if there is a Nextcloud share where you put the file. But taht could help to find the issue
killermoehre
commented
1 year ago Ok, found it. Bug #723 actually gave me the insight. As we use self-signed certs, we have to tell horizon to use them a well.
environments/kolla/files/overlays/horizon/custom_local_settings
OPENSTACK_SSL_NO_VERIFY = TrueFinally, success! And no, there was no indication at all that this was the issue.
Hi,
we deploy right now for a customer an environment.
I was able to configure a Keycloak as Keystone-Backend. Users are created in Keystone based on the ActiveDirectory behind the Keycloak on the first login in Horizon. But after that I only get the error message
environments/kolla/configuration.ymlenvironments/kolla/files/overlays/keystone/keystone.confenvironments/kolla/files/overlays/keystone/wsgi-keystone.conf(I got this one form the OSISM testbed. I added, that the self-signed cert of the keycloak will be ignored.)I would love some help here. The mapping itself from Keycloak to Keystone works very well.