0

I am trying to configure Keystone for Federation using OpenAM OpenID connect provider. When I access the Horizon dashboard authenticating a user though OpenID connect, I get the following error:

the OpenID Connect Provider returned an error

In apache log, following error I see:

2016-08-16 11:56:39.768428 oidc_util_http_call: curl_easy_perform() failed on: (null) (No URL set!)
2016-08-16 11:56:39.768461 oidc_proto_get_key_from_jwk_uri: could not resolve JSON Web Keys
2016-08-16 11:56:39.768478 oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys
2016-08-16 11:56:39.768481 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting
2016-08-16 11:56:39.768485 oidc_handle_authorization_response: could not parse or verify the id_token contents, return HTTP_UNAUTHORIZED

I have no idea what mistake I am doing. I did same thing when I configured using accounts.google.com OpenID connect provider. In that case it worked fine. Please help me and point out what mistake I am doing.

Here follows the apache host configurations:

<VirtualHost *:5000>
    ...
    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCProviderIssuer https://openam.example.com:8443/openam
    OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
    OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo


    OIDCClientID MyClientID
    OIDCClientSecret password
    OIDCCryptoPassphrase password
    OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/openam_idp/protocols/oidc/auth/redirect"

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
      AuthType openid-connect
      Require valid-user
      LogLevel debug
    </LocationMatch>


    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/redirect"
    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect"
    <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
      AuthType openid-connect
      Require valid-user
    </Location>

</VirtualHost>

I created openstack mapping as follows:

[
  {
    "local": [
      {
        "group": {
          "id": "a79b39d875ad4c80a120213c09e6778a"
          }
        }
      ],
    "remote": [
        {
          "type": "HTTP_OIDC_ISS",
          "any_one_of": [
            "https://openam.example.com:8443/openam"
            ]
          }
        ]
  }
]
Spsingh
  • 11
  • 2

1 Answers1

0

You should be able to replace all of:

OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo

with:

OIDCProviderMetadataURL https://openam.example.com:8443/openam/.well-known/openid-configuration

which should automatically set all of the previous settings plus the missing OIDCProviderJwksUri to https://openam.example.com:8443/openam/oauth2/connect/jwk_uri if you use a fairly recent version of OpenAM (>=12)

Hans Z.
  • 50,496
  • 12
  • 102
  • 115