@jeffdeville
Created February 24, 2015 17:30
SSO Debug
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=vagrant display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    # mod_auth_openidc settings
    # Certificate validation is off for outbound calls to the provider
    # (shows up in the log below as ssl_validate_server=0)
    OIDCSSLValidateServer Off
    OIDCClaimPrefix "UCP-"
    OIDCResponseType "id_token"
    OIDCScope "openid profile email address phone cloud"
    OIDCProviderIssuer "https://sso.sungardas.lab"
    OIDCProviderAuthorizationEndpoint "https://sso.sungardas.lab/service/oauth2/authorize?realm=SungardAS"
    OIDCProviderTokenEndpoint "https://sso.sungardas.lab/service/oauth2/access_token?realm=SungardAS"
    OIDCProviderTokenEndpointAuth "client_secret_post"
    OIDCProviderUserInfoEndpoint "https://sso.sungardas.lab/service/oauth2/userinfo?realm=SungardAS"
    # Key set that is searched for the "kid" named in the id_token header
    OIDCProviderJwksUri "https://sso.sungardas.lab/service/jwks.json"
    OIDCClientID cloud
    OIDCClientSecret Sungard09
    OIDCCryptoPassphrase Sungard09
    OIDCRedirectURI http://192.168.10.5:5000/v3/OS-FEDERATION/identity_providers/osstools/protocols/oidc/auth/redirect

    # Federation auth endpoints protected by OpenID Connect
    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
        AuthType openid-connect
        Require valid-user
        LogLevel debug
    </LocationMatch>
</VirtualHost>
2015-02-24 17:17:03.132362 oidc_proto_validate_authorization_response: enter, response_type=id_token, requested_response_mode=(null), code=(null), id_token=eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAiMTQxMDAwYTgtNmVhZC00NTBhLWE0MmItYjA3ZGIzOGQ5ZDJkIiB9.eyAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF6cCI6ICJjbG91ZCIsICJzdWIiOiAiZGF2aWQuZ3JpenphbnRpQHN1bmdhcmRhcy5jb20iLCAiaXNzIjogImh0dHBzOi8vc3NvLnN1bmdhcmRhcy5sYWIvc2VydmljZSIsICJpYXQiOiAxNDI0Nzk4MjIyLCAiYXV0aF90aW1lIjogMTQyNDc5ODIyMiwgImV4cCI6IDE0MjQ3OTg4MjIwMDAsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAibm9uY2UiOiAiMXN6T2hfR1VaQ0RrZG5ZQTNpZURGMThhNEFBR2dlQzM1YXhXTmtvcmRPMCIsICJyZWFsbSI6ICJTdW5nYXJkQVMiLCAiYXVkIjogWyAiY2xvdWQiIF0sICJvcHMiOiAiMjYyYmVhYzAtNjAxNS00ZGJkLTkwY2EtMzRmOWViMThiZDhhIiB9.iJ_1YtGBFJpouWn09Ssimni-115YeSq4Y1rVAfYsnDRk756Bcfr0hD0Q38n6mQiJmnCXB3zi1Ki7qR_8x5FWIDi7FaPl4ppQugWDNLgHfDwsohsUkIrSTA8llsGQ4btn-JSXFo-76BUs5iSszEUxNE-wUq4W6bU09iuQffWiueQ, access_token=(null), token_type=(null), used_response_mode=fragment
2015-02-24 17:17:03.132373 oidc_proto_parse_idtoken: enter
2015-02-24 17:17:03.132467 oidc_proto_parse_idtoken: successfully parsed (and possibly decrypted) JWT with header: "{ "typ": "JWT", "alg": "RS256", "cty": "JWT", "kid": "141000a8-6ead-450a-a42b-b07db38d9d2d" }"
2015-02-24 17:17:03.132481 oidc_metadata_jwks_get: enter, issuer=https://sso.sungardas.lab, refresh=0
2015-02-24 17:17:03.132485 oidc_cache_shm_get: enter, section="jwks", key="https://sso.sungardas.lab.jwks"
2015-02-24 17:17:03.132523 oidc_proto_get_key_from_jwks: search for kid "141000a8-6ead-450a-a42b-b07db38d9d2d" or thumbprint x5t "(null)"
2015-02-24 17:17:03.132534 oidc_proto_get_key_from_jwk_uri: could not find a key in the cached JSON Web Keys, doing a forced refresh
2015-02-24 17:17:03.132537 oidc_metadata_jwks_get: enter, issuer=https://sso.sungardas.lab, refresh=1
2015-02-24 17:17:03.132540 oidc_metadata_jwks_get: doing a forced refresh of the JWKs for issuer "https://sso.sungardas.lab"
2015-02-24 17:17:03.132545 oidc_util_http_call: url=https://sso.sungardas.lab/service/jwks.json, data=(null), content_type=(null), basic_auth=(null), bearer_token=(null), ssl_validate_server=0
2015-02-24 17:17:03.233968 ArgsAlreadyParsedError: arguments already parsed: cannot register CLI option
2015-02-24 17:17:03.526296 oidc_util_http_call: response={"keys":[{ "kty": "RSA", "kid": "2008-01-15", "use": "sig", "alg": "sig", "n": "AK0kHP1O-RgdgLSoWxkuaYoi5Jic6hLKeuKw8WzCfsQ68ntBDf6tVOTn_kZA7Gjf4oJAL1dXLlxIEy-kZWnxT3FF-0MQ4WQYbGBfaW8LTM4uAOLLvYZ8SIVEXmxhJsSlvaiTWCbNFaOfiII8bhFp4551YB07NfpquUGEwOxOmci_", "e": "AQAB", "factors": [ ] }]}\n
2015-02-24 17:17:03.527296 oidc_cache_shm_set: enter, section="jwks", key="https://sso.sungardas.lab.jwks", value size=%lu
2015-02-24 17:17:03.527603 oidc_proto_get_key_from_jwks: search for kid "141000a8-6ead-450a-a42b-b07db38d9d2d" or thumbprint x5t "(null)"
2015-02-24 17:17:03.527856 oidc_proto_idtoken_verify_signature: could not find a key in the JSON Web Keys
2015-02-24 17:17:03.528033 oidc_proto_idtoken_verify_signature: verification result of signature with algorithm "RS256": FALSE
2015-02-24 17:17:03.528311 oidc_proto_parse_idtoken: id_token signature could not be validated, aborting
2015-02-24 17:17:03.528659 oidc_handle_authorization_response: could not parse or verify the id_token contents
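
The log above ends with the `kid` lookup failing against the refreshed JWKS. As an added example (not part of the original gist), this script decodes the id_token header from the log and compares its `kid` and `alg` with the keys in the logged JWKS response; the function names are illustrative, and the token payload, signature and RSA modulus are replaced by constructed placeholders.

```python
import base64
import json

# Header segment copied from the id_token in the log; payload and signature
# are constructed placeholders because only the header is inspected here.
ID_TOKEN = (
    "eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAiY3R5IjogIkpXVCIsICJraWQiOiAi"
    "MTQxMDAwYTgtNmVhZC00NTBhLWE0MmItYjA3ZGIzOGQ5ZDJkIiB9"
    ".e30.c2ln"
)

# JWKS body from the oidc_util_http_call response; modulus "n" is trimmed.
JWKS_RESPONSE = (
    '{"keys":[{ "kty": "RSA", "kid": "2008-01-15", "use": "sig", '
    '"alg": "sig", "n": "<trimmed>", "e": "AQAB", "factors": [ ] }]}'
)


def jwt_header(token):
    """Decode the JOSE header (first segment) without verifying anything."""
    segment = token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))


def diagnose(token, jwks_json):
    """Compare the token's kid/alg with what the JWKS endpoint publishes."""
    header = jwt_header(token)
    keys = json.loads(jwks_json).get("keys", [])
    return {
        "token_kid": header.get("kid"),
        "token_alg": header.get("alg"),
        "jwks_kids": [k.get("kid") for k in keys],
        # The log shows the lookup is by kid (x5t is null), so a key with
        # the token's kid has to be present in the published set.
        "kid_found": any(k.get("kid") == header.get("kid") for k in keys),
        # Keys whose declared "alg" differs from the token's signing alg.
        "alg_mismatch": [k.get("kid") for k in keys
                         if k.get("alg") not in (None, header.get("alg"))],
    }


if __name__ == "__main__":
    for field, value in diagnose(ID_TOKEN, JWKS_RESPONSE).items():
        print(f"{field}: {value}")
```

On the logged data `kid_found` is False, matching the "could not find a key in the JSON Web Keys" line: the token names a `kid` that the JWKS endpoint does not publish.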

GPrathap commented Aug 16, 2016

Hi jeffdeville,
I am also getting the same issue. Did you resolve this?

Thanks,
