1. 首页
  2. 问答
  3. OpenStack Keystone:OpenID Connect提供程序返回错误

OpenStack Keystone:OpenID Connect提供程序返回错误

2016-08-16 80 views
0

我正在尝试使用OpenAM OpenID连接提供程序为联合配置Keystone。当我访问地平线仪表盘验证用户虽然OpenID的连接,我收到以下错误:OpenStack Keystone:OpenID Connect提供程序返回错误

的ID连接提供商返回错误

在Apache日志,以下错误我看到:

2016-08-16 11:56:39.768428 oidc_util_http_call: curl_easy_perform() failed on: (null) (No URL set!) 
2016-08-16 11:56:39.768461 oidc_proto_get_key_from_jwk_uri: could not resolve JSON Web Keys 
2016-08-16 11:56:39.768478 oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys 
2016-08-16 11:56:39.768481 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting 
2016-08-16 11:56:39.768485 oidc_handle_authorization_response: could not parse or verify the id_token contents, return HTTP_UNAUTHORIZED

我不知道我在做什么错误。当我使用accounts.google.com OpenID连接提供程序进行配置时,我做了同样的事情。在那种情况下,它运行良好。 请帮我指出我在做什么错误。

这里遵循Apache的主机配置:

<VirtualHost *:5000> 
    ... 
    OIDCClaimPrefix "OIDC-" 
    OIDCResponseType "id_token" 
    OIDCScope "openid email profile" 
    OIDCProviderIssuer https://openam.example.com:8443/openam 
    OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize 
    OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token 
    OIDCProviderTokenEndpointAuth client_secret_post 
    OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo 


    OIDCClientID MyClientID 
    OIDCClientSecret password 
    OIDCCryptoPassphrase password 
    OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/openam_idp/protocols/oidc/auth/redirect" 

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth> 
     AuthType openid-connect 
     Require valid-user 
     LogLevel debug 
    </LocationMatch> 


    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/redirect" 
    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect" 
    <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc"> 
     AuthType openid-connect 
     Require valid-user 
    </Location> 

</VirtualHost>

我创建了OpenStack的映射如下:

[ 
    { 
    "local": [ 
     { 
     "group": { 
      "id": "a79b39d875ad4c80a120213c09e6778a" 
      } 
     } 
     ], 
    "remote": [ 
     { 
      "type": "HTTP_OIDC_ISS", 
      "any_one_of": [ 
      "https://openam.example.com:8443/openam" 
      ] 
      } 
     ] 
    } 
]

来源

2016-08-16 Spsingh

+0

你有没有配置反向代理的OpenAM揭露知名根环境下的端点? –

回答

0

你应该能够取代所有的:与

OIDCProviderIssuer https://openam.example.com:8443/openam 
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize 
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token 
OIDCProviderTokenEndpointAuth client_secret_post 
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo 


OIDCProviderMetadataURL https://openam.example.com:8443/openam/.well-known/openid-configuration

如果你使用一个相当新的版本OpenAM的(> = 12),它会自动将所有的以前的设置,加上缺少OIDCProviderJwksUrihttps://openam.example.com:8443/openam/oauth2/connect/jwk_uri

来源

2016-08-24 19:44:48

相关问题

 相关问题