Public bug reported:

I have configured OIDC with keystone. I have followed the steps mentioned in the official documentation. But when I try to log into horizon, I get a 401 error:

{"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
The OIDC configuration is as shown below:

# Configure OIDC
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <Google Client ID>
OIDCClientSecret <Google Client Secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://<SP fqdn>/identity/v3/OS-FEDERATION/identity_providers/myidp/protocols/mapped/auth
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/websso
OIDCRedirectURI http://<SP fqdn>/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso

# For keystone
<LocationMatch /identity/v3/OS-FEDERATION/identity_providers/.*?/protocols/mapped/auth>
    AuthType openid-connect
    Require valid-user
    LogLevel debug
</LocationMatch>

# For horizon
<Location ~ "/identity/v3/auth/OS-FEDERATION/websso/mapped">
    AuthType openid-connect
    Require valid-user
</Location>

<Location ~ "/identity/v3/auth/OS-FEDERATION/identity_providers/myidp/protocols/mapped/websso">
    AuthType openid-connect
    Require valid-user
</Location>

source accr/admin/admin
export OS_IDENTITY_API_VERSION=3
openstack domain create federated_domain
openstack group create federated_users
openstack role add --group federated_users --domain federated_domain admin
openstack identity provider create --remote-id https://accounts.google.com myidp
export remote_type=REMOTE_USER
export remote_type=HTTP_OIDC_EMAIL
cat > rules.json <<EOF
[
  {
    "local": [
      {
        "user": {
          "name": "{0}"
        },
        "group": {
          "domain": {
            "name": "Default"
          },
          "name": "federated_users"
        }
      }
    ],
    "remote": [
      {
        "type": "${remote_type}"
      }
    ]
  }
]
EOF
openstack mapping create --rules rules.json myidp_mapping
openstack federation protocol create mapped --mapping myidp_mapping --identity-provider myidp

** Affects: keystone
   Importance: Undecided
   Status: New

** Tags: error horizon keystone

** Tags removed: errro
** Tags added: error

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1694591

Title:
  Horizon gives 401 authorization error after oidc configuration

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1694591/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
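The mapping in the report is the piece that decides whether the OIDC assertion turns into a keystone user at all. The following is an added example, not keystone's code and not part of the bug report: a small evaluator that applies keystone-style mapping rules to the attributes Apache hands to keystone. It is a simplification of keystone's documented rule semantics: a bare {"type": X} condition requires attribute X to be present and feeds its (first) value to the "{n}" placeholders in "local"; any_one_of / not_any_of filter on the attribute's value without contributing a placeholder; "regex": true switches those lists to regular-expression matching. The RULES_JSON constant is the report's rules.json after the heredoc has expanded ${remote_type} (the second `export` wins, so the type is HTTP_OIDC_EMAIL, which is how the "email" claim reaches keystone under OIDCClaimPrefix "OIDC-"). RULES_ALLOWLIST_JSON and the sample assertions (alice@example.com, bob@gmail.com, REMOTE_USER) are constructed for this example.

```python
"""Minimal evaluator for keystone-style federation mapping rules.

Added example, not keystone's own rule engine; a simplification of the
documented semantics of the "remote" conditions and "{n}" placeholders.
"""
import json
import re

# The bug report's rules.json after the shell heredoc expanded ${remote_type}.
# The second `export remote_type=...` overrides the first, so the expanded
# type is HTTP_OIDC_EMAIL rather than REMOTE_USER.
RULES_JSON = r"""
[
  {
    "local": [
      {
        "user": {"name": "{0}"},
        "group": {"domain": {"name": "Default"}, "name": "federated_users"}
      }
    ],
    "remote": [
      {"type": "HTTP_OIDC_EMAIL"}
    ]
  }
]
"""

# Constructed, tightened variant (hypothetical, not from the report): the same
# direct mapping plus an allow-list so that only addresses in one domain are
# accepted. The attribute is listed twice because any_one_of conditions do not
# contribute a "{n}" value; the bare condition supplies "{0}".
RULES_ALLOWLIST_JSON = r"""
[
  {
    "local": [
      {
        "user": {"name": "{0}"},
        "group": {"domain": {"name": "Default"}, "name": "federated_users"}
      }
    ],
    "remote": [
      {"type": "HTTP_OIDC_EMAIL"},
      {"type": "HTTP_OIDC_EMAIL", "any_one_of": ["^[^@]+@example\\.com$"], "regex": true}
    ]
  }
]
"""


def _values_match(cond, values):
    """Apply an any_one_of / not_any_of condition to an attribute's values."""
    use_regex = bool(cond.get("regex"))

    def hit(candidates):
        if use_regex:
            return any(re.search(p, v) for p in candidates for v in values)
        return any(v in candidates for v in values)

    if "any_one_of" in cond:
        return hit(cond["any_one_of"])
    if "not_any_of" in cond:
        return not hit(cond["not_any_of"])
    return True  # bare {"type": ...}: presence of the attribute is enough


def _fill(obj, direct_maps):
    """Replace "{n}" placeholders in a "local" entry with direct-map values."""
    if isinstance(obj, dict):
        return {k: _fill(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_fill(v, direct_maps) for v in obj]
    if isinstance(obj, str):
        return obj.format(*direct_maps)
    return obj


def map_assertion(rules_json, assertion):
    """Evaluate mapping rules against an assertion.

    assertion: attribute name -> value or list of values, as keystone reads
    them from the WSGI environment. Returns {"user": ..., "groups": [...]}
    merged from the matching rules, or None when no rule matched (no local
    user can be derived, so the federated login cannot succeed).
    """
    result = {"user": None, "groups": []}
    matched = False
    for rule in json.loads(rules_json):
        direct_maps = []
        for cond in rule["remote"]:
            values = assertion.get(cond["type"])
            if values is None:
                break  # required attribute absent: this rule does not match
            if not isinstance(values, list):
                values = [values]
            if not _values_match(cond, values):
                break
            if "any_one_of" not in cond and "not_any_of" not in cond:
                direct_maps.append(values[0])  # first value feeds "{n}"
        else:  # every condition held
            matched = True
            for local in rule["local"]:
                local = _fill(local, direct_maps)
                if "user" in local:
                    result["user"] = local["user"]
                if "group" in local:
                    result["groups"].append(local["group"])
    return result if matched else None


if __name__ == "__main__":
    # Constructed assertions: the email claim present, the claim absent
    # (only REMOTE_USER set), and an address outside the allow-list.
    print(map_assertion(RULES_JSON, {"HTTP_OIDC_EMAIL": "alice@example.com"}))
    print(map_assertion(RULES_JSON, {"REMOTE_USER": "alice@example.com"}))
    print(map_assertion(RULES_ALLOWLIST_JSON, {"HTTP_OIDC_EMAIL": "bob@gmail.com"}))
```

Two things this makes visible: the rule only ever matches when the exact attribute it names (here HTTP_OIDC_EMAIL) is present in the environment keystone receives, so a request where mod_auth_openidc sets only REMOTE_USER yields no user; and the report's rule maps any authenticated Google account's address into federated_users, a group that was just given admin on federated_domain, so a production mapping wants an allow-list condition like the constructed variant.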