Fix Single Logout on federated scenarios. (#1689)

For more info: * SovereignCloudStack/issues#347 * https://input.scs.community/2023-scs-horizon-webslo-solution3?view Signed-off-by: Juan Pedro Torres <[email protected]>
osism · Jul 13, 2023 · a9c1f34 · a9c1f34 · garloff · Aug 2, 2023
1 parent 784f652
commit a9c1f34
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/environments/custom/configuration.yml b/environments/custom/configuration.yml
@@ -19,9 +19,9 @@ keycloak_key_provider_component_name: "rsa-for-keystone"
 
 keystone_client_id: "keystone"
 keystone_redirect_uris:
-  - "https://api.testbed.osism.xyz:5000/redirect_uri"
+  - "https://api.testbed.osism.xyz:5000/redirect_uri/"
   - "https://api.testbed.osism.xyz"
-  - "https://192.168.16.254:5000/redirect_uri"
+  - "https://192.168.16.254:5000/redirect_uri/"
   - "https://192.168.16.254"
 
 keycloak_private_key_file_path: "{{ configuration_directory }}/environments/custom/files/keycloak/private_key.pem"

diff --git a/environments/custom/playbook-keycloak-oidc-client-config.yml b/environments/custom/playbook-keycloak-oidc-client-config.yml
@@ -77,6 +77,10 @@
             --set publicClient=true
             --set secret="{{ keystone_container_federation_oidc_client_secret }}"
             --set 'attributes."pkce.code.challenge.method"="S256"'
+            --set 'attributes."post.logout.redirect.uris"="https://api.testbed.osism.xyz/auth/logout/"'
+            --set 'attributes."backchannel.logout.revoke.offline.tokens"="true"'
+            --set 'attributes."backchannel.logout.session.required"="true"'
+            --set 'attributes."backchannel.logout.url"="https://api.testbed.osism.xyz:5000/redirect_uri/?logout=backchannel"'
       when: keystone_client_id not in available_clients
       run_once: true
       no_log: true

diff --git a/environments/kolla/files/overlays/horizon/custom_local_settings b/environments/kolla/files/overlays/horizon/custom_local_settings
@@ -1,3 +1,5 @@
+LOGOUT_URL = 'https://keycloak.testbed.osism.xyz/auth/realms/osism/protocol/openid-connect/logout/?client_id=keystone&post_logout_redirect_uri=https://api.testbed.osism.xyz/auth/logout/'
+
 WEBSSO_ENABLED = True
 
 WEBSSO_KEYSTONE_URL = "https://api.testbed.osism.xyz:5000/v3"

diff --git a/environments/kolla/files/overlays/keystone/wsgi-keystone.conf b/environments/kolla/files/overlays/keystone/wsgi-keystone.conf
@@ -71,13 +71,13 @@ LogLevel info
     OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }}
 {% endif %}
     OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }}
-    OIDCRedirectURI {{ keystone_public_url }}/redirect_uri
+    OIDCRedirectURI {{ keystone_public_url }}/redirect_uri/
 {% if enable_memcached | bool %}
     OIDCCacheType memcache
     OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}"
 {% endif %}
 
-    <Location ~ "/redirect_uri">
+    <Location ~ "/redirect_uri/">
       Require valid-user
       AuthType openid-connect
     </Location>