0
我正在尝试使用OpenAM OpenID连接提供程序为联合配置Keystone。当我访问地平线仪表盘验证用户虽然OpenID的连接,我收到以下错误:OpenStack Keystone:OpenID Connect提供程序返回错误
的ID连接提供商返回错误
在Apache日志,以下错误我看到:
2016-08-16 11:56:39.768428 oidc_util_http_call: curl_easy_perform() failed on: (null) (No URL set!)
2016-08-16 11:56:39.768461 oidc_proto_get_key_from_jwk_uri: could not resolve JSON Web Keys
2016-08-16 11:56:39.768478 oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys
2016-08-16 11:56:39.768481 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting
2016-08-16 11:56:39.768485 oidc_handle_authorization_response: could not parse or verify the id_token contents, return HTTP_UNAUTHORIZED
我不知道我在做什么错误。当我使用accounts.google.com OpenID连接提供程序进行配置时,我做了同样的事情。在那种情况下,它运行良好。 请帮我指出我在做什么错误。
这里遵循Apache的主机配置:
<VirtualHost *:5000>
...
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderIssuer https://openam.example.com:8443/openam
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token
OIDCProviderTokenEndpointAuth client_secret_post
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo
OIDCClientID MyClientID
OIDCClientSecret password
OIDCCryptoPassphrase password
OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/openam_idp/protocols/oidc/auth/redirect"
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
</LocationMatch>
OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/redirect"
OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect"
<Location ~ "/v3/auth/OS-FEDERATION/websso/oidc">
AuthType openid-connect
Require valid-user
</Location>
</VirtualHost>
我创建了OpenStack的映射如下:
[
{
"local": [
{
"group": {
"id": "a79b39d875ad4c80a120213c09e6778a"
}
}
],
"remote": [
{
"type": "HTTP_OIDC_ISS",
"any_one_of": [
"https://openam.example.com:8443/openam"
]
}
]
}
]
你有没有配置反向代理的OpenAM揭露知名根环境下的端点? –