Problem connecting OpenQA to Keycloak via OpenID

[AnDrEyKa-111]

I have OpenQA 4.6 and I want to set up OpenID Connect authorization on Keycloak 22.0.3. According to the documentation, only the following specification in /etc/openqa/openqa.ini is needed:

[auth]
method = OpenID
[openid]
provider = https://kc.my.domain/realms/master/.well-known/openid-configuration

For OIDC, also need to specify "Client ID" and "Client secret", but how to do this is not specified in the openQA documentation.

When I try to go to the login page https://openqa.my.domain/login, I always get the message "Forbidden". There is an error in the OpenQA log: "Claiming OpenID identity for URL 'https://openqa.my.domain' failed: no_identity_server: Could not determine ID provider from URL".

You can specify one of the OpenID Connect public providers to check this situation, for example:

provider = https://accounts.google.com/.well-known/openid-configuration

And get the same behavior that I observe myself.

What am I doing wrong and how do I set up OpenID connect correctly?

[Martchus]

We also ran into "Could not determine ID provider from URL" with our OpenID provider in the past and it was an IPv6 related issue.

Otherwise I'm also not sure as we normally use the default OpenID provider or OAuth2. If your provider also supports OAuth2 you could give that a try instead.

For further debugging, the OpenID-related code is in https://github.com/os-autoinst/openQA/blob/master/lib/OpenQA/WebAPI/Auth/OpenID.pm where you might be able to add additional debug printing.

[AnDrEyKa-111]

Yes, I read about the IPv6 case in documentation. I tried to disable it, but it didn't help.

I also tried to configure OAuth2, the situation is better with it: OpenQA starts communicating with the provider, logs in as a client, receives an authorization token and user data. But everything ends with the message "User data returned by OAuth2 provider is insufficient". Here is a message in the openQA log:

[debug] [pid:320324] OAuth2 user provider returned: {
  "email" => "myuser\@my.domain",
  "email_verified" => bless( do{\(my $o = 0)}, 'JSON::PP::Boolean' ),
  "family_name" => "User",
  "given_name" => "My",
  "name" => "My User",
  "preferred_username" => "myuser",
  "sub" => "d506700f-1345-4f33-a82f-adce80bcb36a"
}

openqa.ini:

[auth]
method = OAuth2

[oauth2]
provider = custom
unique_name = keycloak
key = openqa
secret = openqasecret
authorize_url = https://kc.my.domain/realms/master/protocol/openid-connect/auth?response_type=code
token_url = https://kc.my.domain/realms/master/protocol/openid-connect/token
user_url  = https://kc.my.domain/realms/master/protocol/openid-connect/userinfo
token_scope = openid
token_label = Bearer
nickname_from = username

So I can't connect with either OpenID Connect or OAuth2.

But could it be easier to solve the problem with OAuth2? As I understand it, the message "User data returned by OAuth2 provider is insufficient" indicates that OpenQA did not receive some necessary parameters from the auth provider? But which ones exactly?

[Martchus]

I say OAuth2 is probably easier to resolve.

The error message sounds indeed like some expected parameters are missing. I think the parameter username is missing in your case (considering the debug log message). It is expected because you specified nickname_from = username. Maybe it makes sense to configure nickname_from = preferred_username in your case. I also think the parameter id is missing.

[AnDrEyKa-111]

Thanks for the link, I looked at
https://github.com/os-autoinst/openQA/blob/master/lib/OpenQA/WebAPI/Auth/OAuth2.pm
and I figured out how OAuth2 works: openQA expects one explicit mandatory parameter "nickname_from" and one implicit "id" from the auth server. The match for "nickname_from" is set in .ini, and "id" should be named exactly as "id". Now it works, but it would be nice if all these steps were described in the documentation, it would greatly simplify the setup.

But as for OpenID, it's still unclear. Apparently, it does not work, because the "_openid_secret" parameter is not set, but I still did not understand where it should be set. And besides the "secret" auth provider usually also waits for the Client ID (as in OAuth2) - here it is not visible at all.

[Martchus]

So could you make it work with OAuth2? If there were code changes required, feel free to create a PR.

I now realize that you mean OpenID Connect and not OpenID. I think OpenID Connect is not supported by openQA (which uses https://metacpan.org/pod/Net::OpenID::Consumer which only supports OpenID 1 and 2 judging by its CPAN description). (Also see https://security.stackexchange.com/questions/44797/when-do-you-use-openid-vs-openid-connect for the difference between OpenID and OpenID Connect.)

[AnDrEyKa-111]

Yes, OAuth2 is working now! The next step is to figure out how to divide users into administrators, operators and regular users through it - is this possible?

I've just see, there is OpenID, and not OpenID Connect. Sorry, it's different things, Keycloak not working with OpenID. Then we'll just use OAuth2.

[Martchus]

Yes, OAuth2 is working now! The next step is to figure out how to divide users into administrators, operators and regular users through it - is this possible?

Only by manually assigning a role in the users menu after the initial login.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.