Ondemand with dedicated keycloak server

#1

Hey guys. I’m setting up a fresh install of Open OnDemand 1.5.5-1 here at the University of Utah on CentOS 7. I’m following the install documentation and have gotten to the point where I’m integrating my production standalone keycloak (4.8.3) server in as my auth source - It’s throwing errors in the keycloak log while I get the schema mappings to our Active Directory servers configured and then I finally get it correctly configured… and it breaks in a new way.

The URL redirects to
https://ondemand-test.chpc.utah.edu/pun/sys/dashboard
and the error in the browser window is:
“Error – invalid user name syntax: f:5f6debae-e6db-4111-bed0-ac9336c5afe5:u0064824@keycloak.chpc.utah.edu/auth/realms/ondemand
Run ‘nginx_stage --help’ to see a full list of available command line options.”

There’s no errors in the keycloak log about this. Here’s my auth_openidc.conf file:

OIDCProviderMetadataURL https://keycloak.chpc.utah.edu/auth/realms/ondemand/.well-known/openid-configuration
OIDCClientID “ondemand-test.chpc.utah.edu”
OIDCClientSecret “noSecretsForYou”
OIDCRedirectURI https://ondemand-test.chpc.utah.edu/oidc
OIDCCryptoPassphrase “secretphraseremoved”

Anything jump out at anyone? I can post over config items if necessary but it’s all pretty bog standard.

Steve Harper

#2

Ah. Easy I had missed the lower half of the example config and still had these lines commented:

OIDCRemoteUserClaim preferred_username
OIDCPassClaimsAs environment
OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1

#3

The error you saw was generated by this single line of code: https://github.com/OSC/ondemand/blob/585404aa2d91a18b2b18e02fba2670c53532cc0a/nginx_stage/lib/nginx_stage/generator_helpers.rb#L16

The username f:5f6debae-e6db-4111-bed0-ac9336c5afe5:u0064824@keycloak.chpc.utah.edu/auth/realms/ondemand didn’t match the regex. Of course in this case a solution was to add the missing OIDC directive OIDCRemoteUserClaim so that mod_auth_openidc sets REMOTE_USER to whatever is in the remote user claim header. Another approach would have been to configure Apache to use a custom mapping script that converts f:5f6debae-e6db-4111-bed0-ac9336c5afe5:u0064824@keycloak.chpc.utah.edu/auth/realms/ondemand to your_user_name.

The question I have is, what would have been a better error message to help you debug the problem yourself?