)]}'
{"/COMMIT_MSG":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"6d42ba6944276cbb1d968a1a93d20e865b31598d","unresolved":true,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set OIDCRedirectURI to an empty vanity URL"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Fix bug: 2002490"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Change-Id: If5afb4ac3b5b29f81673af039eeb7736f04a7441"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"b275ff7b_ef24cffe","line":9,"range":{"start_line":9,"start_character":0,"end_line":9,"end_character":16},"updated":"2023-01-11 14:03:19.000000000","message":"Use `Closes-Bug: #2002490`\n\nhttps://wiki.openstack.org/wiki/GitCommitMessages","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":35703,"name":"Daniel Fernández","display_name":"danielfr","email":"daferoES@gmail.com","username":"danielfr"},"change_message_id":"c96ce859146d5f3c4a7bb727a094f3ce0f66d060","unresolved":false,"context_lines":[{"line_number":6,"context_line":""},{"line_number":7,"context_line":"Set OIDCRedirectURI to an empty vanity URL"},{"line_number":8,"context_line":""},{"line_number":9,"context_line":"Fix bug: 2002490"},{"line_number":10,"context_line":""},{"line_number":11,"context_line":"Change-Id: If5afb4ac3b5b29f81673af039eeb7736f04a7441"}],"source_content_type":"text/x-gerrit-commit-message","patch_set":1,"id":"9c6b819b_7c8894b9","line":9,"range":{"start_line":9,"start_character":0,"end_line":9,"end_character":16},"in_reply_to":"b275ff7b_ef24cffe","updated":"2023-01-12 09:28:03.000000000","message":"Ack","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"}],"/PATCHSET_LEVEL":[{"author":{"_account_id":9816,"name":"Takashi 
Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"2d613955edf6fbab37bec1968e93af2ec9985d56","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"5695d508_0e2e544f","updated":"2023-01-12 02:02:27.000000000","message":"Adding -1 to highlight my previous comments.","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"6d42ba6944276cbb1d968a1a93d20e865b31598d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"23c2553d_ec42e958","updated":"2023-01-11 14:03:19.000000000","message":"Thanks for working on this ! Let me put my initial feedback before I leave for the day.","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"257e6e4dd7033582789651f2a4ec696cd74b1c35","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":2,"id":"6cab0ad3_904bbe0a","updated":"2023-01-16 02:26:55.000000000","message":"Thanks. 
Looks good to me.","commit_id":"1a2335f8c9c76188c340ccbacd899ffe9220a610"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"f0a12186ade450ec7233edd38adc4d3b76fadce9","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":3,"id":"a8e48fad_3e0beb1f","updated":"2023-01-16 02:32:06.000000000","message":"Modified the commit message to explain more context, so that people can find out this commit from git log more easily :-)","commit_id":"209e94d5c4a9e0181442f06f20a7ef0d2f07c489"}],"templates/openidc.conf.erb":[{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"6d42ba6944276cbb1d968a1a93d20e865b31598d","unresolved":true,"context_lines":[{"line_number":47,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":48,"context_line":"  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)"},{"line_number":49,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso\""},{"line_number":50,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/websso/openid\""},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"  \u003cLocation \"/v3/auth/OS-FEDERATION/websso/openid\"\u003e"},{"line_number":53,"context_line":"      AuthType \"openid-connect\""}],"source_content_type":"application/x-erb","patch_set":1,"id":"a10146b9_2d4623d9","side":"PARENT","line":50,"range":{"start_line":50,"start_character":2,"end_line":50,"end_character":77},"updated":"2023-01-11 14:03:19.000000000","message":"this definitely looks 
problematic.","commit_id":"c66ba58ecd4a935fbfa23d8a3add1f509e6d6171"},{"author":{"_account_id":35703,"name":"Daniel Fernández","display_name":"danielfr","email":"daferoES@gmail.com","username":"danielfr"},"change_message_id":"2f2ea0d59c7233ff8279b1b8d2972346f5d1edb0","unresolved":false,"context_lines":[{"line_number":47,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":48,"context_line":"  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)"},{"line_number":49,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso\""},{"line_number":50,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/websso/openid\""},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"  \u003cLocation \"/v3/auth/OS-FEDERATION/websso/openid\"\u003e"},{"line_number":53,"context_line":"      AuthType \"openid-connect\""}],"source_content_type":"application/x-erb","patch_set":1,"id":"1f3e2831_12b5fe82","side":"PARENT","line":50,"range":{"start_line":50,"start_character":2,"end_line":50,"end_character":77},"in_reply_to":"4f7cd7a7_08834a55","updated":"2023-01-13 10:14:48.000000000","message":"Done","commit_id":"c66ba58ecd4a935fbfa23d8a3add1f509e6d6171"},{"author":{"_account_id":35703,"name":"Daniel Fernández","display_name":"danielfr","email":"daferoES@gmail.com","username":"danielfr"},"change_message_id":"c96ce859146d5f3c4a7bb727a094f3ce0f66d060","unresolved":true,"context_lines":[{"line_number":47,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":48,"context_line":"  # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)"},{"line_number":49,"context_line":"  OIDCRedirectURI \"\u003c%\u003d 
@keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso\""},{"line_number":50,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/websso/openid\""},{"line_number":51,"context_line":""},{"line_number":52,"context_line":"  \u003cLocation \"/v3/auth/OS-FEDERATION/websso/openid\"\u003e"},{"line_number":53,"context_line":"      AuthType \"openid-connect\""}],"source_content_type":"application/x-erb","patch_set":1,"id":"4f7cd7a7_08834a55","side":"PARENT","line":50,"range":{"start_line":50,"start_character":2,"end_line":50,"end_character":77},"in_reply_to":"a10146b9_2d4623d9","updated":"2023-01-12 09:28:03.000000000","message":"Yeah, defining more than one OIDCRedirectURI seems definitely problematic.","commit_id":"c66ba58ecd4a935fbfa23d8a3add1f509e6d6171"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"6d42ba6944276cbb1d968a1a93d20e865b31598d","unresolved":true,"context_lines":[{"line_number":44,"context_line":"  OIDCPassClaimsAs \"\u003c%\u003d scope[\u0027::keystone::federation::openidc::openidc_pass_claim_as\u0027] %\u003e\""},{"line_number":45,"context_line":"\u003c%- end -%\u003e"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso/redirect_url\""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":50,"context_line":"  # (Per 
https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)"}],"source_content_type":"application/x-erb","patch_set":1,"id":"4b23ecb8_892df861","line":47,"range":{"start_line":47,"start_character":162,"end_line":47,"end_character":174},"updated":"2023-01-11 14:03:19.000000000","message":"My understanding is that this should point to a location protected with openid-connect auth, and the previous value looks correct to me.\n\nThe keystone guide suggests using separate URIs for keystone auth and websso, but currently we use the single /sso URI for both.\n\nIf the current value does not work, then the appropriate step would be to use /auth and add a Location section to put openid-connect auth over that URI, as described in the guide.","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":35703,"name":"Daniel Fernández","display_name":"danielfr","email":"daferoES@gmail.com","username":"danielfr"},"change_message_id":"2f2ea0d59c7233ff8279b1b8d2972346f5d1edb0","unresolved":false,"context_lines":[{"line_number":44,"context_line":"  OIDCPassClaimsAs \"\u003c%\u003d scope[\u0027::keystone::federation::openidc::openidc_pass_claim_as\u0027] %\u003e\""},{"line_number":45,"context_line":"\u003c%- end -%\u003e"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso/redirect_url\""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":50,"context_line":"  # (Per 
https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)"}],"source_content_type":"application/x-erb","patch_set":1,"id":"96b069ac_f0b31dda","line":47,"range":{"start_line":47,"start_character":162,"end_line":47,"end_character":174},"in_reply_to":"33c151db_a11606bc","updated":"2023-01-13 10:14:48.000000000","message":"Done","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":35703,"name":"Daniel Fernández","display_name":"danielfr","email":"daferoES@gmail.com","username":"danielfr"},"change_message_id":"c96ce859146d5f3c4a7bb727a094f3ce0f66d060","unresolved":true,"context_lines":[{"line_number":44,"context_line":"  OIDCPassClaimsAs \"\u003c%\u003d scope[\u0027::keystone::federation::openidc::openidc_pass_claim_as\u0027] %\u003e\""},{"line_number":45,"context_line":"\u003c%- end -%\u003e"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso/redirect_url\""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":50,"context_line":"  # (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)"}],"source_content_type":"application/x-erb","patch_set":1,"id":"33c151db_a11606bc","line":47,"range":{"start_line":47,"start_character":162,"end_line":47,"end_character":174},"in_reply_to":"4b23ecb8_892df861","updated":"2023-01-12 09:28:03.000000000","message":"Hi Takashi, thanks for taking the time to review my changes.\n\nSo the idea is that I add a new location directive like:\n\n  \u003cLocation /v3/OS-FEDERATION/identity_providers/keycloak/protocols/openid/auth\u003e\n      Require valid-user\n      AuthType openid-connect\n  
\u003c/Location\u003e\n\nAnd its corresponding OIDCRedirectURI:\n\n  OIDCRedirectURI \u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/auth\"\n\nright?","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"257e6e4dd7033582789651f2a4ec696cd74b1c35","unresolved":false,"context_lines":[{"line_number":44,"context_line":"  OIDCPassClaimsAs \"\u003c%\u003d scope[\u0027::keystone::federation::openidc::openidc_pass_claim_as\u0027] %\u003e\""},{"line_number":45,"context_line":"\u003c%- end -%\u003e"},{"line_number":46,"context_line":""},{"line_number":47,"context_line":"  OIDCRedirectURI \"\u003c%\u003d @keystone_url -%\u003e/v3/auth/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/websso/redirect_url\""},{"line_number":48,"context_line":""},{"line_number":49,"context_line":"  # The following directives are necessary to support websso from Horizon"},{"line_number":50,"context_line":"  # (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)"}],"source_content_type":"application/x-erb","patch_set":1,"id":"7cef1ce3_18721daf","line":47,"range":{"start_line":47,"start_character":162,"end_line":47,"end_character":174},"in_reply_to":"96b069ac_f0b31dda","updated":"2023-01-16 02:26:55.000000000","message":"That is correct. 
Looking at the keystone code, it seems the websso path is used by specific logic to support SSO, so we had better use separate URIs.","commit_id":"2eb946b691adfc2dbba7697a9e4c21881606eed0"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"b881560f518a52e7900bac1e37bd798459a93873","unresolved":true,"context_lines":[{"line_number":72,"context_line":"  OIDCOAuthVerifyJwksUri \"\u003c%\u003d scope[\u0027keystone::federation::openidc::openidc_verify_jwks_uri\u0027]-%\u003e\""},{"line_number":73,"context_line":"  \u003c%- end -%\u003e"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"  \u003cLocation \"/v3/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/auth\"\u003e"},{"line_number":76,"context_line":"      AuthType oauth20"},{"line_number":77,"context_line":"      Require valid-user"},{"line_number":78,"context_line":"  \u003c/Location\u003e"}],"source_content_type":"application/x-erb","patch_set":3,"id":"8a41963e_e9c3a871","line":75,"range":{"start_line":75,"start_character":106,"end_line":75,"end_character":127},"updated":"2023-01-16 02:34:53.000000000","message":"I should have noticed this earlier but it seems the additional record conflicts with this. Let me look into this to understand what is the expected configuration. 
Probably we should NOT set the OIDCRedirectURI by default ?","commit_id":"209e94d5c4a9e0181442f06f20a7ef0d2f07c489"},{"author":{"_account_id":9816,"name":"Takashi Kajinami","email":"kajinamit@oss.nttdata.com","username":"kajinamit"},"change_message_id":"5d699e96d7852e6081c0b2cb00fcfd24191c1041","unresolved":false,"context_lines":[{"line_number":72,"context_line":"  OIDCOAuthVerifyJwksUri \"\u003c%\u003d scope[\u0027keystone::federation::openidc::openidc_verify_jwks_uri\u0027]-%\u003e\""},{"line_number":73,"context_line":"  \u003c%- end -%\u003e"},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"  \u003cLocation \"/v3/OS-FEDERATION/identity_providers/\u003c%\u003d scope[\u0027keystone::federation::openidc::idp_name\u0027]-%\u003e/protocols/openid/auth\"\u003e"},{"line_number":76,"context_line":"      AuthType oauth20"},{"line_number":77,"context_line":"      Require valid-user"},{"line_number":78,"context_line":"  \u003c/Location\u003e"}],"source_content_type":"application/x-erb","patch_set":3,"id":"24d1eb51_3d455e62","line":75,"range":{"start_line":75,"start_character":106,"end_line":75,"end_character":127},"in_reply_to":"8a41963e_e9c3a871","updated":"2023-01-20 08:17:03.000000000","message":"Done","commit_id":"209e94d5c4a9e0181442f06f20a7ef0d2f07c489"}]}
