From a9c1f348388faa099c7702383828a3bda2f1a8df Mon Sep 17 00:00:00 2001
From: Juan Pedro Torres
Date: Thu, 13 Jul 2023 08:58:29 +0200
Subject: [PATCH] Fix Single Logout on federated scenarios. (#1689)

For more info:
* https://github.com/SovereignCloudStack/issues/issues/347
* https://input.scs.community/2023-scs-horizon-webslo-solution3?view

Signed-off-by: Juan Pedro Torres
---
 environments/custom/configuration.yml | 4 ++--
 environments/custom/playbook-keycloak-oidc-client-config.yml | 4 ++++
 .../kolla/files/overlays/horizon/custom_local_settings | 2 ++
 environments/kolla/files/overlays/keystone/wsgi-keystone.conf | 4 ++--
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/environments/custom/configuration.yml b/environments/custom/configuration.yml
index 33b25c9e..ea9ab365 100644
--- a/environments/custom/configuration.yml
+++ b/environments/custom/configuration.yml
@@ -19,9 +19,9 @@ keycloak_key_provider_component_name: "rsa-for-keystone"
 
 keystone_client_id: "keystone"
 keystone_redirect_uris:
- - "https://api.testbed.osism.xyz:5000/redirect_uri"
+ - "https://api.testbed.osism.xyz:5000/redirect_uri/"
 - "https://api.testbed.osism.xyz"
- - "https://192.168.16.254:5000/redirect_uri"
+ - "https://192.168.16.254:5000/redirect_uri/"
 - "https://192.168.16.254"
 
 keycloak_private_key_file_path: "{{ configuration_directory }}/environments/custom/files/keycloak/private_key.pem"
diff --git a/environments/custom/playbook-keycloak-oidc-client-config.yml b/environments/custom/playbook-keycloak-oidc-client-config.yml
index 68e20a80..3f7f727b 100644
--- a/environments/custom/playbook-keycloak-oidc-client-config.yml
+++ b/environments/custom/playbook-keycloak-oidc-client-config.yml
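Review bot: The trailing slash added to the two `/redirect_uri/` entries is load-bearing, because Keycloak matches registered redirect URIs literally against what mod_auth_openidc sends, and the same path is now hard-coded in wsgi-keystone.conf (`OIDCRedirectURI`) and in the client playbook (`backchannel.logout.url`), yet nothing in this file records that coupling. Add a comment above the list, `# Trailing slash is significant: must match OIDCRedirectURI in wsgi-keystone.conf and backchannel.logout.url in playbook-keycloak-oidc-client-config.yml`. The unchanged bare-origin entries `https://api.testbed.osism.xyz` and `https://192.168.16.254` are not redirect endpoints used by any overlay visible in this diff; if nothing else depends on them, dropping them narrows where Keycloak may deliver authorization responses, which is the safer default for this client.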
@@ -77,6 +77,10 @@
 --set publicClient=true
 --set secret="{{ keystone_container_federation_oidc_client_secret }}"
 --set 'attributes."pkce.code.challenge.method"="S256"'
+ --set 'attributes."post.logout.redirect.uris"="https://api.testbed.osism.xyz/auth/logout/"'
+ --set 'attributes."backchannel.logout.revoke.offline.tokens"="true"'
+ --set 'attributes."backchannel.logout.session.required"="true"'
+ --set 'attributes."backchannel.logout.url"="https://api.testbed.osism.xyz:5000/redirect_uri/?logout=backchannel"'
 when: keystone_client_id not in available_clients
 run_once: true
 no_log: true
diff --git a/environments/kolla/files/overlays/horizon/custom_local_settings b/environments/kolla/files/overlays/horizon/custom_local_settings
index 3574a476..48efa138 100644
--- a/environments/kolla/files/overlays/horizon/custom_local_settings
+++ b/environments/kolla/files/overlays/horizon/custom_local_settings
@@ -1,3 +1,5 @@
+LOGOUT_URL = 'https://keycloak.testbed.osism.xyz/auth/realms/osism/protocol/openid-connect/logout/?client_id=keystone&post_logout_redirect_uri=https://api.testbed.osism.xyz/auth/logout/'
+
 WEBSSO_ENABLED = True
 WEBSSO_KEYSTONE_URL = "https://api.testbed.osism.xyz:5000/v3"
 
diff --git a/environments/kolla/files/overlays/keystone/wsgi-keystone.conf b/environments/kolla/files/overlays/keystone/wsgi-keystone.conf
index 826afbbf..285c7dcc 100644
--- a/environments/kolla/files/overlays/keystone/wsgi-keystone.conf
+++ b/environments/kolla/files/overlays/keystone/wsgi-keystone.conf
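Review bot: The four new `--set` attributes hard-code `https://api.testbed.osism.xyz`, while the wsgi-keystone.conf hunk in this same commit derives the redirect endpoint from `{{ keystone_public_url }}`; the backchannel logout URL therefore stops matching `OIDCRedirectURI` as soon as that variable differs from the testbed value, and Keycloak will then post logout tokens to an endpoint mod_auth_openidc does not serve. Use the same variable here, `--set 'attributes."backchannel.logout.url"="{{ keystone_public_url }}/redirect_uri/?logout=backchannel"'`, and derive `post.logout.redirect.uris` from whatever variable holds the Horizon public URL in this inventory (none is visible in the diff, so this part is a suggestion to verify). Setting `backchannel.logout.session.required` to `"true"` is the stricter choice, since it binds each logout token to a session id rather than to the whole subject; a one-line comment above these attributes saying so would help the next reader keep it. The task these lines belong to starts before the hunk.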
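Review bot: `LOGOUT_URL` hard-codes the Keycloak host, the `osism` realm, the `keystone` client id and the post-logout target in one opaque string, and the file does not say that the `post_logout_redirect_uri` value must be registered on the Keycloak client or the end-session request is rejected; the matching registration lives in playbook-keycloak-oidc-client-config.yml as `post.logout.redirect.uris`. Add a comment above the line, `# Keycloak end-session endpoint; post_logout_redirect_uri must equal the post.logout.redirect.uris attribute registered for the keystone client`. The request carries no `id_token_hint`, which on some Keycloak releases makes the end-session endpoint show a confirmation page instead of logging out immediately; whether that applies to the version deployed here cannot be determined from the diff, so it is worth confirming in the testbed. If the Keycloak host or realm is available from the inventory, building the string from those values would keep this overlay in step with the other two files in this commit.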
@@ -71,13 +71,13 @@ LogLevel info OIDCOAuthVerifyCertFiles {{ keystone_federation_openid_certificate_key_ids | join(" ") }} {% endif %} OIDCCryptoPassphrase {{ keystone_federation_openid_crypto_password }} - OIDCRedirectURI {{ keystone_public_url }}/redirect_uri + OIDCRedirectURI {{ keystone_public_url }}/redirect_uri/ {% if enable_memcached | bool %} OIDCCacheType memcache OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}" {% endif %} - + Require valid-user AuthType openid-connect