I am trying to set up SSO for OpenStack via Keycloak and OpenID. If I use the example mapping from the OpenStack documentation, it works fine. However, I want a different setup and need your help.
In Keycloak I have defined a user and set attributes for the project (os_project) and the role (os_role). I am trying to set up a mapping configuration that assigns the user to the OpenStack project specified in Keycloak, with the role specified in Keycloak.
I have set up the identity provider, the mapping and the federation protocol with the following commands:
openstack identity provider create --remote-id https://keycloak-obfuscated-domain:9443/realms/Cloud --domain default kcipaIDP
openstack mapping create --rules /home/stack/keycloak/mapping.json oidcmap
openstack federation protocol create openid --mapping oidcmap --identity-provider kcipaIDP
The Keycloak integration looks fine. In the Keystone debug log I can see the correct information from the token (don't worry, this is a test environment, so by the time I post this any "secrets" are useless):
Environment variables: {
'OIDC-exp': '1712225895',
'OIDC-iat': '1712218695',
'OIDC-auth_time': '1712218695',
'OIDC-jti': 'b48d187e-b8d4-43cb-906f-773d98972731',
'OIDC-iss': 'https://keycloak-obfuscated-domain/realms/Cloud',
'OIDC-aud': 'cloud1',
'OIDC-sub': '77961181-ecf3-4b65-a709-672cea4d019d',
'OIDC-typ': 'ID',
'OIDC-azp': 'cloud1',
'OIDC-nonce': 'aEs6Jek6xx4hW9OpwWqbzU_Js72EhYeEXRbP7r0y7i4',
'OIDC-session_state': 'b77d2b3f-5e9e-435a-94fb-9fc06f1af82d',
'OIDC-acr': '1',
'OIDC-s_hash': 'l3PXnOEbRGpS4mXEKEvrOQ',
'OIDC-sid': 'b77d2b3f-5e9e-435a-94fb-9fc06f1af82d',
'OIDC-os_projects': 'alexproj',
'OIDC-email_verified': '1',
'OIDC-os_roles': 'admin',
'OIDC-name': 'Alex P',
'OIDC-preferred_username': 'alex',
'OIDC-given_name': 'Alex',
'OIDC-family_name': 'P',
'OIDC-email': 'obfuscated@email',
'GATEWAY_INTERFACE': 'CGI/1.1',
'SERVER_PROTOCOL': 'HTTP/1.1',
'REQUEST_METHOD': 'GET',
'QUERY_STRING': 'origin=http://obfuscated-domain/dashboard/auth/websso/',
'REQUEST_URI': '/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso?origin=http://obfuscated-domain/dashboard/auth/websso/',
'SCRIPT_NAME': '',
'PATH_INFO': '/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso',
'PATH_TRANSLATED': '/var/www/cgi-bin/keystone/keystone/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso',
'HTTP_HOST': 'obfuscated-domain:5000',
'HTTP_USER_AGENT': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:124.0) Gecko/20100101 Firefox/124.0',
'HTTP_ACCEPT': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'HTTP_ACCEPT_LANGUAGE': 'en-US,en;q=0.5',
'HTTP_ACCEPT_ENCODING': 'gzip, deflate',
'HTTP_REFERER': 'http://obfuscated-domain:5000/v3/auth/OS-FEDERATION/websso/openid',
'HTTP_DNT': '1',
'HTTP_SEC_GPC': '1',
'HTTP_COOKIE': 'SERVERID=cloud1.obfuscated-domain; csrftoken=1x0wuHMcMOGWQgCYyTmddRxk1tGMwdi02HIfodiO2ftZ8nBalW2458CaLuwoI3hT; sessionid=j695cbnglqpm2sjcs2eyhziq7jh8j052; mod_auth_openidc_session=ee4c7c72-6425-4d56-883d-8327776bc776',
'HTTP_UPGRADE_INSECURE_REQUESTS': '1',
'HTTP_X_FORWARDED_PROTO': 'http',
'HTTP_X_FORWARDED_PORT': '5000',
'HTTP_X_FORWARDED_FOR': '1.2.3.4',
'HTTP_OIDC_EXP': '1712225895',
'HTTP_OIDC_IAT': '1712218695',
'HTTP_OIDC_JTI': 'b48d187e-b8d4-43cb-906f-773d98972731',
'HTTP_OIDC_ISS': 'https://keycloak-obfuscated-domain/realms/Cloud',
'HTTP_OIDC_AUD': 'cloud1',
'HTTP_OIDC_SUB': '77961181-ecf3-4b65-a709-672cea4d019d',
'HTTP_OIDC_TYP': 'ID',
'HTTP_OIDC_AZP': 'cloud1',
'HTTP_OIDC_NONCE': 'aEs6Jek6xx4hW9OpwWqbzU_Js72EhYeEXRbP7r0y7i4',
'HTTP_OIDC_ACR': '1',
'HTTP_OIDC_SID': 'b77d2b3f-5e9e-435a-94fb-9fc06f1af82d',
'HTTP_OIDC_NAME': 'Alex P',
'HTTP_OIDC_EMAIL': 'obfuscated@email',
'SERVER_SIGNATURE': '',
'SERVER_SOFTWARE': 'Apache',
'SERVER_NAME': 'obfuscated-domain',
'SERVER_ADDR': 'obfuscated-domain',
'SERVER_PORT': '5000',
'REMOTE_ADDR': '1.2.3.4',
'DOCUMENT_ROOT': '/var/www/cgi-bin/keystone',
'REQUEST_SCHEME': 'http',
'CONTEXT_PREFIX': '',
'CONTEXT_DOCUMENT_ROOT': '/var/www/cgi-bin/keystone',
'SERVER_ADMIN': '[no address given]',
'SCRIPT_FILENAME': '/var/www/cgi-bin/keystone/keystone',
'REMOTE_PORT': '44436',
'REMOTE_USER': '77961181-ecf3-4b65-a709-672cea4d019d@keycloak-obfuscated-domain/realms/Cloud',
'AUTH_TYPE': 'openid-connect',
'mod_wsgi.script_name': '',
'mod_wsgi.path_info': '/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso',
'mod_wsgi.process_group': 'keystone',
'mod_wsgi.application_group': '',
'mod_wsgi.callable_object': 'application',
'mod_wsgi.request_handler': 'wsgi-script',
'mod_wsgi.handler_script': '',
'mod_wsgi.script_reloading': '1',
'mod_wsgi.listener_host': 'obfuscated-domain',
'mod_wsgi.listener_port': '5000',
'mod_wsgi.enable_sendfile': '0',
'mod_wsgi.ignore_activity': '0',
'mod_wsgi.request_start': '1712218695779183',
'mod_wsgi.request_id': 'b8Mj+/ACCSw',
'mod_wsgi.queue_start': '1712218695780145',
'mod_wsgi.daemon_connects': '1',
'mod_wsgi.daemon_restarts': '0',
'mod_wsgi.daemon_start': '1712218695780215',
'mod_wsgi.script_start': '1712218695780257',
'wsgi.version': (1, 0),
'wsgi.multithread': False,
'wsgi.multiprocess': True,
'wsgi.run_once': False,
'wsgi.url_scheme': 'http',
'wsgi.errors': <_io.TextIOWrapper name='<wsgi.errors>' encoding='utf-8'>,
'wsgi.input': <oslo_middleware.sizelimit.LimitingReader object at 0x7ff87529cd30>,
'wsgi.input_terminated': True,
'wsgi.file_wrapper': <class 'mod_wsgi.FileWrapper'>,
'apache.version': (2, 4, 53),
'mod_wsgi.version': (4, 7, 1),
'mod_wsgi.total_requests': 28,
'mod_wsgi.thread_id': 1,
'mod_wsgi.thread_requests': 28,
'werkzeug.proxy_fix.orig': {
'REMOTE_ADDR': 'obfuscated-domain',
'wsgi.url_scheme': 'http',
'HTTP_HOST': 'obfuscated-domain:5000',
'SERVER_NAME': 'obfuscated-domain',
'SERVER_PORT': '5000',
'SCRIPT_NAME': ''
},
'webob.adhoc_attrs': {
'response': <_AuthTokenResponse at 0x7ff8752739a0 200 OK>
},
'webob.is_body_seekable': False,
'openstack.request_id': 'req-5b071cbe-c362-4cbd-932d-b17ca32f0b92',
'keystone.token_auth': <keystonemiddleware.auth_token._user_plugin.UserAuthPlugin object at 0x7ff875273f40>,
'keystone.oslo_request_context': <keystone.common.context.RequestContext object at 0x7ff875273070>,
'werkzeug.request': <Request 'http://obfuscated-domain:5000/v3/auth/OS-FEDERATION/identity_providers/kcipaIDP/protocols/openid/websso?origin=http:%2F%2Fobfuscated-domain%2Fdashboard%2Fauth%2Fwebsso%2F' [GET]>
}
This is the oidc mapping file I created:
[
  {
    "local": [
      {
        "user": {
          "name": "{0}",
          "email": "{1}",
          "domain": {
            "id": "default"
          }
        }
      },
      {
        "projects": [
          {
            "name": "{2}",
            "roles": [
              {
                "name": "{3}"
              }
            ]
          }
        ]
      }
    ],
    "remote": [
      {
        "type": "OIDC-preferred_username"
      },
      {
        "type": "OIDC-email"
      },
      {
        "type": "OIDC-os_projects"
      },
      {
        "type": "OIDC-os_roles"
      }
    ]
  }
]
Something doesn't seem to work as expected, but the Keystone log only shows:
You are not authorized to perform the requested action.: keystone.exception.Forbidden: You are not authorized to perform the requested action.
I even tried manually setting the role in the mapping file to "admin" or "member", but without success.
I guess my mapping file is wrong somehow, but I haven't been able to find the problem yet.
Can someone help me with this?
Thanks, Alex
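As an added example (not from the original post and not Keystone's own code), the following applies the mapping above to the OIDC-* attributes from the log the way Keystone's mapping engine does, in simplified form: a rule matches only if every `remote` attribute is present in the assertion, and the matched values are substituted positionally into `local`. It also reports which attribute a failed rule was missing, which is the first thing to check when Keycloak's protocol mappers are not emitting a claim; the attribute values are constructed.

```python
import re

# Constructed sample: the OIDC-* attributes Keystone logged, reduced to the
# ones the mapping below references (values are made up for the example).
ASSERTION = {
    "OIDC-preferred_username": "alex",
    "OIDC-email": "alex@example.test",
    "OIDC-os_projects": "alexproj",
    "OIDC-os_roles": "admin",
}

# The mapping from the post: user from {0},{1}; project {2} with role {3}.
MAPPING = [{
    "local": [
        {"user": {"name": "{0}", "email": "{1}", "domain": {"id": "default"}}},
        {"projects": [{"name": "{2}", "roles": [{"name": "{3}"}]}]},
    ],
    "remote": [{"type": "OIDC-preferred_username"}, {"type": "OIDC-email"},
               {"type": "OIDC-os_projects"}, {"type": "OIDC-os_roles"}],
}]

def _substitute(value, captured):
    """Replace {N} placeholders with the N-th value captured from 'remote'."""
    if isinstance(value, str):
        return re.sub(r"\{(\d+)\}", lambda m: captured[int(m.group(1))], value)
    if isinstance(value, dict):
        return {k: _substitute(v, captured) for k, v in value.items()}
    if isinstance(value, list):
        return [_substitute(v, captured) for v in value]
    return value

def evaluate_mapping(mapping, assertion):
    """Simplified Keystone-style evaluation: a rule matches only if every
    'remote' attribute exists. Returns (merged local result, missing attrs)."""
    result = {"user": {}, "projects": []}
    missing = []
    for rule in mapping:
        captured = []
        for remote in rule["remote"]:
            if remote["type"] not in assertion:
                missing.append(remote["type"])
                break
            captured.append(assertion[remote["type"]])
        else:  # every remote attribute present: apply this rule's local section
            for local in rule["local"]:
                local = _substitute(local, captured)
                result["user"].update(local.get("user", {}))
                result["projects"].extend(local.get("projects", []))
    return result, missing
```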