| *** | mhen_ is now known as mhen | 01:46 |
|---|---|---|
| gtema | Dave Wilde (d34dh0r53): ping | 15:16 |
| d34dh0r53 | gtema: pong | 15:17 |
| d34dh0r53 | sorry | 15:17 |
| d34dh0r53 | got stuck on a phone call | 15:17 |
| gtema | ok, no worry | 15:17 |
| gtema | I am myself pretty "done" | 15:18 |
| gtema | I think we can skip the meeting today | 15:18 |
| d34dh0r53 | yeah, ptg is next week so we can talk about it all | 15:18 |
| gtema | but I wanted to clarify one thing regarding next week's planning: is it possible to reschedule the horizon meeting to Wednesday? | 15:18 |
| d34dh0r53 | I can try | 15:19 |
| d34dh0r53 | I don't see an issue with it | 15:19 |
| gtema | the point is that I want us to talk about federation among ourselves first before giving promises to them | 15:19 |
| gtema | whom have you arranged this slot with? | 15:19 |
| d34dh0r53 | yeah, Wednesday is fine, same time okay with you? | 15:23 |
| gtema | yes, it's fine | 15:23 |
| gtema | I am updating the etherpad to reflect this. Thanks a lot man | 15:24 |
| d34dh0r53 | Tatiana | 15:25 |
| gtema | 👍️ | 15:25 |
| Mc- | Hi! I'm currently trying to set up keystone federation for external gitlab-based oidc auth, but while the redirect paths appear to work, and the debug logs show I do get all my attributes (OIDC-name OIDC-email OIDC-groups ...), when I try to log in (with horizon) I get a 401 code with "The request you have made requires authentication." - apache logs contain a "ERROR | 15:32 |
| Mc- | keystone.api.auth [None req-... - - - - - -] Missing entity ID from environment" at that precise time which might be related (as if the auth headers were not passed on to keystone) ... any way to check how I can find the cause of this ? | 15:32 |
| gtema | mc- not really. Due to how complex and error-prone this all is, we are considering reimplementing the federation support as such. In your case you would perhaps get some luck if you enable debugging in keystone and also check mod_auth_oidc logs | 15:34 |
| Mc- | I think I already have debug=true in keystone.conf and LogLevel debug in apache conf (that's how I could see the "ok" populating of oidc claims) | 15:36 |
| gtema | the message is related to setting the remote_id property | 15:37 |
| gtema | https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#configure-the-remote-id-attribute | 15:37 |
| Mc- | I do have [openid] remote_id_attribute = HTTP_OIDC_ISS in the conf | 15:37 |
| gtema | but the message states it cannot resolve it - maybe in the mapping | 15:39 |
| Mc- | I do seed in the debug oidc logs a line with "oidc_util_hdr_table_set: OIDC-iss: <url>" and oidc_util_set_app_info: setting environment variable "OIDC-iss: <url>" | 15:40 |
| Mc- | see* | 15:40 |
| gtema | look also in https://gtema.github.io/posts/keystone-keycloak/part1/#keystoneconf | 15:40 |
| gtema | maybe helpful to spot the misconfig | 15:40 |
| Mc- | no luck :/ thanks for the blogpost | 15:50 |
| Mc- | (OK, I found it, I did not think I actually had to put a trivial "WEBSSO_IDP_MAPPING = {"gitlab": ("gitlab", "openid")}" in local_settings.py - now I'm on another issue that mapping to several groups tries to find the id of the group "['group1', 'group2']" as if it was a single string for a single group name - separation based on semicolons and filtering with whitelist | 16:55 |
| Mc- | does work) | 16:55 |
| d34dh0r53 | Mc-: enabling insecure_debug can also be very helpful in troubleshooting federation issues (just don't forget to turn it off when you're done ;) | 18:41 |