OpenStack Keystone：OpenID Connect 提供程序返回错误答案

【问题标题】：OpenStack Keystone: the OpenID Connect Provider returned an errorOpenStack Keystone：OpenID Connect 提供程序返回错误
【发布时间】：2016-12-22 11:06:54
【问题描述】：

我正在尝试使用 OpenAM OpenID 连接提供程序为联邦配置 Keystone。当我通过 OpenID 连接访问 Horizon 仪表板对用户进行身份验证时，我收到以下错误：

OpenID Connect 提供程序返回错误

在 apache 日志中，我看到以下错误：

2016-08-16 11:56:39.768428 oidc_util_http_call: curl_easy_perform() failed on: (null) (No URL set!)
2016-08-16 11:56:39.768461 oidc_proto_get_key_from_jwk_uri: could not resolve JSON Web Keys
2016-08-16 11:56:39.768478 oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys
2016-08-16 11:56:39.768481 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting
2016-08-16 11:56:39.768485 oidc_handle_authorization_response: could not parse or verify the id_token contents, return HTTP_UNAUTHORIZED

我不知道我在做什么错误。当我使用 accounts.google.com OpenID 连接提供商进行配置时，我做了同样的事情。在那种情况下，它工作得很好。请帮助我并指出我在做什么错误。

以下是 apache 主机配置：

<VirtualHost *:5000>
    ...
    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCProviderIssuer https://openam.example.com:8443/openam
    OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
    OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
    OIDCProviderTokenEndpointAuth client_secret_post
    OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo


    OIDCClientID MyClientID
    OIDCClientSecret password
    OIDCCryptoPassphrase password
    OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/openam_idp/protocols/oidc/auth/redirect"

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
      AuthType openid-connect
      Require valid-user
      LogLevel debug
    </LocationMatch>


    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/redirect"
    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect"
    <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
      AuthType openid-connect
      Require valid-user
    </Location>

</VirtualHost>

我创建的openstack映射如下：

[
  {
    "local": [
      {
        "group": {
          "id": "a79b39d875ad4c80a120213c09e6778a"
          }
        }
      ],
    "remote": [
        {
          "type": "HTTP_OIDC_ISS",
          "any_one_of": [
            "https://openam.example.com:8443/openam"
            ]
          }
        ]
  }
]

【问题讨论】：

您是否为 OpenAM 配置了反向代理以公开根上下文下的知名端点？

标签： openstack openid-connect openam federated-identity keystone

【解决方案1】：

你应该可以替换所有的：

OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo

与：

OIDCProviderMetadataURL https://openam.example.com:8443/openam/.well-known/openid-configuration

如果您使用的是相当新的 OpenAM 版本 (>=12)，它应该会自动将所有以前的设置以及缺少的 OIDCProviderJwksUri 设置为 https://openam.example.com:8443/openam/oauth2/connect/jwk_uri

【讨论】：