3. Configure OnDemand to authenticate with Keycloak¶
OnDemand’s Apache needs to use mod_auth_openidc to be able to act as an OpenID Connect client to Keycloak. We will install mod_auth_openidc and modify OnDemand’s Apache configs to enable authentication via Keycloak.
3.1. Install mod_auth_openidc¶
Install httpd24-mod_auth_openidc from ondemand-web repo
sudo yum install httpd24-mod_auth_openidc
3.2. Re-generate main config using ood-portal-generator¶
Edit the YAML configuration file for the ood-portal-generator located under
/etc/ood/config/ood_portal.yml
as such:# /etc/ood/config/ood_portal.yml --- # List of Apache authentication directives # NB: Be sure the appropriate Apache module is installed for this # Default: (see below, uses basic auth with an htpasswd file) auth: - 'AuthType openid-connect' - 'Require valid-user' # Redirect user to the following URI when accessing logout URI # Example: # logout_redirect: '/oidc?logout=https%3A%2F%2Fwww.example.com' # Default: '/pun/sys/dashboard/logout' (the Dashboard app provides a simple # HTML page explaining logout to the user) logout_redirect: '/oidc?logout=https%3A%2F%2Fondemand-dev.hpc.osc.edu' # Sub-uri used by mod_auth_openidc for authentication # Example: # oidc_uri: '/oidc' # Default: null (disable OpenID Connect support) oidc_uri: '/oidc'
Notice that we are
- changing the Authentication directives for openid-connect
- specifying /oidc to be the sub-uri used by mod_auth_openidc
- specifying that /logout should redirect to this /oidc sub-uri to handle logout
and specifying after logout, the user should be redirected back to OnDemand
(which in this tutorial’s case is
https%3A%2F%2Fondemand-dev.hpc.osc.edu
, the query param escaped format ofhttps://ondemand-dev.hpc.osc.edu
)
Then build and install the new Apache configuration file with:
sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
The effect of this change in the Apache config (in case you want to apply the changes manually) are:
Change the authentication directives for all of the Locations that require authentication i.e.:
<Location "/nginx"> - AuthType Basic - AuthName "Private" - AuthUserFile "/opt/rh/httpd24/root/etc/httpd/.htpasswd" - RequestHeader unset Authorization + AuthType openid-connect Require valid-user LuaHookFixups nginx.lua nginx_handler </Location>
Update the
Redirect "logout"
directive- Redirect "/logout" "/pun/sys/dashboard/logout" + Redirect "/logout" "/oidc?logout=https%3A%2F%2Fondemand-dev.hpc.osc.edu"
Add the
<Location "/oidc">
directive# OpenID Connect redirect URI: # # https://ondemand-dev.hpc.osc.edu:443/oidc # #=> handled by mod_auth_openidc # <Location "/oidc"> AuthType openid-connect Require valid-user </Location>
3.3. Add Keycloak config to OnDemand Apache for mod_auth_openidc¶
Add the file /opt/rh/httpd24/root/etc/httpd/conf.d/auth_openidc.conf with the contents:
OIDCProviderMetadataURL https://ondemand-idpdev.hpc.osc.edu/auth/realms/ondemand/.well-known/openid-configuration OIDCClientID "ondemand-dev.hpc.osc.edu" OIDCClientSecret "1111111-1111-1111-1111-111111111111" OIDCRedirectURI https://ondemand-dev.hpc.osc.edu/oidc OIDCCryptoPassphrase "4444444444444444444444444444444444444444" # Keep sessions alive for 8 hours OIDCSessionInactivityTimeout 28800 OIDCSessionMaxDuration 28800 # Set REMOTE_USER OIDCRemoteUserClaim preferred_username # Don't pass claims to backend servers OIDCPassClaimsAs environment # Strip out session cookies before passing to backend OIDCStripCookies mod_auth_openidc_session mod_auth_openidc_session_chunks mod_auth_openidc_session_0 mod_auth_openidc_session_1
- OIDCClientID: replace with the client id specified when installing the client in Keycloak admin interface
- OIDCClientSecret: replace
1111111-1111-1111-1111-1111111111111
with client secret specified from the Credentials tab of the client in Keycloak admin interface - OIDCCryptoPassphrase: replace
4444444444444444444444444444444444444444
with random generated password. I usedopenssl rand -hex 40
. - Verify the OIDCProviderMetadataURL uses the correct realm and the port Apache exposes to the world for Keycloak by accessing the URL.
Change permission on file to be readable by apache and no one else:
sudo chgrp apache /opt/rh/httpd24/root/etc/httpd/conf.d/auth_openidc.conf sudo chmod 640 /opt/rh/httpd24/root/etc/httpd/conf.d/auth_openidc.conf
Then restart OnDemand’s Apache. OnDemand should now be authenticating using KeyCloak.
Stop both servives:
sudo systemctl restart httpd24-httpd
Note
We prevent OIDC_CLAIM headers from being passed through to the PUN by specifying in this file to pass claims as environment, instead of as HTTP headers, since Apache won’t pass any environment off to the PUN when proxying requests, but would pass HTTP headers.