Enhance to work with OIDC Authentication

[chessbyte]

Related PRs/Issues:

• Support OpenID-Connect with the Self Service UI manageiq-appliance#287
• Adding an authentication section in product_info  manageiq-api#856
• Support OIDC Authentication #1651
• Add OIDC support for the Self-Service UI  manageiq-documentation#1460
• Support OIDC for SUI manageiq-pods#556 (Add OIDC support for the Self-Service UI manageiq-pods#559)

[abellotti]

I was initially thinking of protecting ui/service under OIDC (web redirects with Apache config changes ManageIQ/manageiq-appliance#287), even if we fetched the X-Remote-User and related headers, this is not going to help us. Since we're running as an SPA, the API calls are going through Apache (not on server side locally), so sending any of those headers will be ignored, essentially rendering any API calls from SUI unauthorized.

Unless we have the Apache/IDP fetch an access token for the SPA in the headers, not even sure if this is even an option generally, the next solution is to support resource owner password grant authentication in Apache for the API, see lower priority issue in ManageIQ/manageiq#19867, with this we'd be able to do basic auth with the API, which will just have the SUI work with OIDC with no change. Not web SSO like classic, but users will be able to enter their OIDC IDP credentials in the SUI login screen.

/cc @himdel

[chessbyte]

See this Talk Post for an approach a community member took on his own. His work was originally implemented for the Hammer version, but he recently updated to extend this feature to Ivanchuk.
/cc @guilrom

[guilrom]

Thanks @chessbyte for adding me to the discussion!

In our sandbox implementation, the authentication process is indeed handled at the Apache level (using apache2 mod_auth_openidc module with Keycloak as an IDP) exactly as for the admin UI (as described in the official documentation). So we do are using X-Remote-User and related headers in the SUI (in the authentication-api.factory.js).
But to make it work, we had to tweak the API, and add a few routes to perform authentication / authorization for this special OIDC case.
To get a better understanding, you can have a look into these 2 main commits, respectively in the SUI and the API:

• Plemi@249af25
• Plemi/manageiq-api@47af2f6

It might look quite tinkered, but it is working. Don't hesitate if you have any question.

[abellotti]

Ok, beating my head on this a bit more, it's actually a lot simpler than I thought for Jansa.

Once you protect a page with OIDC, i.e.:

<LocationMatch ^/ui/service.*$>
  AuthType  openid-connect
  Require   valid-user
</LocationMatch>

The redirect that occurs from the IDP (Keycloak in this case) to the protected page actually includes the access token for the authenticated user. We receive the OIDC access_token as
a header as follows:

  HTTPD_OIDC_ACCESS_TOKEN=eyJhbGc......

The SUI can simply use that access token (if there) to target the /api/auth with that access token as a Bearer authorization:

 -H "Authorization: Bearer eyJhbGc...."

To get the API token for that user, without having to show the login screen in the SUI giving us OIDC SSO and no changes needed in the API for this.

The SUI login would still need to trigger the /oidc_login/redirect_uri?logout=https:/..../ui/service
upon logout. Also, the IDP would need to be configured to allow /ui/service* as valid redirects URLs.

[abellotti]

We may still need to enhance the /api/product_info endpoint similar to @guilrom did in Plemi/manageiq-api@d2a25af#diff-0ef0779741ad3209b46314a66c353351 to expose the current authentication settings needed for the SUI to drive the login screen logic if no HTTPD_OIDC_ACCESS_TOKEN is found, i.e. present the Login to corporate system button or just redirect automatically if enable sso is checked.

[abellotti]

Related WIP PRs:
- [ ] ManageIQ/manageiq-appliance#287
- [ ] ManageIQ/manageiq-api#856

Moved to OP

[abellotti]

Need to add the following to the OP - I can't edit it.

• Support OIDC Authentication #1651

[abellotti]

And related documentation ...

• Add OIDC support for the Self-Service UI  manageiq-documentation#1460

[himdel]

sorry, closed too soon, I guess

ManageIQ/manageiq-pods#556