1. 首頁
  2. 問答
  3. OpenStack Keystone:OpenID Connect提供程序返回錯誤

OpenStack Keystone:OpenID Connect提供程序返回錯誤

2016-08-16 78 views
0

我正在嘗試使用OpenAM OpenID連接提供程序爲聯合配置Keystone。當我訪問地平線儀表盤驗證用戶雖然OpenID的連接,我收到以下錯誤:OpenStack Keystone:OpenID Connect提供程序返回錯誤

的ID連接提供商返回錯誤

在Apache日誌,以下錯誤我看到:

2016-08-16 11:56:39.768428 oidc_util_http_call: curl_easy_perform() failed on: (null) (No URL set!) 
2016-08-16 11:56:39.768461 oidc_proto_get_key_from_jwk_uri: could not resolve JSON Web Keys 
2016-08-16 11:56:39.768478 oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys 
2016-08-16 11:56:39.768481 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting 
2016-08-16 11:56:39.768485 oidc_handle_authorization_response: could not parse or verify the id_token contents, return HTTP_UNAUTHORIZED

我不知道我在做什麼錯誤。當我使用accounts.google.com OpenID連接提供程序進行配置時,我做了同樣的事情。在那種情況下,它運行良好。 請幫我指出我在做什麼錯誤。

這裏遵循Apache的主機配置:

<VirtualHost *:5000> 
    ... 
    OIDCClaimPrefix "OIDC-" 
    OIDCResponseType "id_token" 
    OIDCScope "openid email profile" 
    OIDCProviderIssuer https://openam.example.com:8443/openam 
    OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize 
    OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token 
    OIDCProviderTokenEndpointAuth client_secret_post 
    OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo 


    OIDCClientID MyClientID 
    OIDCClientSecret password 
    OIDCCryptoPassphrase password 
    OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/openam_idp/protocols/oidc/auth/redirect" 

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth> 
     AuthType openid-connect 
     Require valid-user 
     LogLevel debug 
    </LocationMatch> 


    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/redirect" 
    OIDCRedirectURI "http://keystonegoogle.com:5000/v3/auth/OS-FEDERATION/websso/oidc/redirect" 
    <Location ~ "/v3/auth/OS-FEDERATION/websso/oidc"> 
     AuthType openid-connect 
     Require valid-user 
    </Location> 

</VirtualHost>

我創建了OpenStack的映射如下:

[ 
    { 
    "local": [ 
     { 
     "group": { 
      "id": "a79b39d875ad4c80a120213c09e6778a" 
      } 
     } 
     ], 
    "remote": [ 
     { 
      "type": "HTTP_OIDC_ISS", 
      "any_one_of": [ 
      "https://openam.example.com:8443/openam" 
      ] 
      } 
     ] 
    } 
]

來源

2016-08-16 Spsingh

+0

你有沒有配置反向代理的OpenAM揭露知名根環境下的端點? –

回答

0

你應該能夠取代所有的:與

OIDCProviderIssuer https://openam.example.com:8443/openam 
OIDCProviderAuthorizationEndpoint https://openam.example.com:8443/openam/oauth2/authorize 
OIDCProviderTokenEndpoint https://openam.example.com:8443/openam/oauth2/access_token 
OIDCProviderTokenEndpointAuth client_secret_post 
OIDCProviderUserInfoEndpoint https://openam.example.com:8443/openam/oauth2/userinfo 


OIDCProviderMetadataURL https://openam.example.com:8443/openam/.well-known/openid-configuration

如果你使用一個相當新的版本OpenAM的(> = 12),它會自動將所有的以前的設置,加上缺少OIDCProviderJwksUrihttps://openam.example.com:8443/openam/oauth2/connect/jwk_uri

來源

2016-08-24 19:44:48

相關問題

 相關問題