Ok so this is definitely looking better. I get an error, but at least now it is saying:
“The user admin@openidchttp is not authorized to perform login”
This is strange though, because admin by default should be allowed access?
Anton Louw
Cloud Engineer: Storage and Virtualization
______________________________________
D: 087 805 1572 | M: N/A
A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
anton.louw(a)voxtelecom.co.za
www.vox.co.za
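Artur's fix further down this thread is to double the backslash in `config.mapAuthRecord.regex.pattern`. The reason is that the engine reads that file as a Java properties file, which consumes one level of backslash escaping before the value is ever compiled as a regex: with two backslashes the regex ends up containing a bare `\(`, which breaks the group balance, and the resulting syntax error only surfaces as a generic login failure. The script below is an added example (not part of this thread and not oVirt's own code) that applies the properties unescaping rules, compiles both variants of the pattern, and shows what the working one extracts from a principal such as `admin@openidchttp`. Assumptions: `properties_unescape` is a simplified reimplementation of java.util.Properties value decoding, Java's `(?<name>)` groups are rewritten to Python's `(?P<name>)` before compiling, and the sample principals and the two-backslash variant are constructed here for illustration.

```python
import re

# Constructed samples: the property value as the blog rendered it (two backslashes)
# and the working one from this thread (four backslashes). Raw strings keep the
# backslashes exactly as they would sit in the .properties file.
PATTERN_AS_RENDERED = r"^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$"
PATTERN_ESCAPED = r"^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$"

_SIMPLE_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}


def properties_unescape(value):
    """Simplified java.util.Properties value decoding (assumption: enough for this demo).

    A backslash escapes the next character: a doubled backslash becomes a single
    one, backslash-t becomes a tab, and backslash followed by any other X is just X.
    """
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        if ch == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            out.append(_SIMPLE_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def to_python_named_groups(pattern):
    """Java writes named groups as (?<name>...); Python's re wants (?P<name>...)."""
    return re.sub(r"\(\?<(?=[A-Za-z])", "(?P<", pattern)


def compile_auth_record_pattern(properties_value):
    """Mimic the engine's path: property value -> unescaped text -> compiled regex.

    Returns (compiled_regex, None) on success or (None, error_text) on a regex
    syntax error, the failure the thread says is hidden behind a generic message.
    """
    regex_src = to_python_named_groups(properties_unescape(properties_value))
    try:
        return re.compile(regex_src), None
    except re.error as exc:
        return None, f"{exc}: {regex_src}"


def map_auth_record(properties_value, principal):
    """Apply the mapping regex to a principal; return only the groups that matched."""
    compiled, error = compile_auth_record_pattern(properties_value)
    if compiled is None:
        raise ValueError(f"mapAuthRecord regex does not compile: {error}")
    match = compiled.match(principal)
    if match is None:
        return None
    return {name: value for name, value in match.groupdict().items() if value is not None}


if __name__ == "__main__":
    for label, value in (("as rendered", PATTERN_AS_RENDERED), ("escaped", PATTERN_ESCAPED)):
        compiled, error = compile_auth_record_pattern(value)
        print(f"{label:>12}: {'OK' if compiled else 'ERROR ' + error}")
    # Constructed principals: the one from the error in this thread and a
    # backslash-escaped form that exercises the <at>/<suffix> branch.
    for principal in ("admin@openidchttp", "admin\\@vox.co.za@openidchttp"):
        print(principal, "->", map_auth_record(PATTERN_ESCAPED, principal))
```

Running it prints an "unbalanced parenthesis" error for the rendered variant and `{'user': 'admin', 'realm': '@openidchttp'}` for the principal from the error message above, which is the split the engine then compares against its configured authz profile; checking the pattern this way before restarting the engine avoids having to debug the code to find a hidden regex syntax error.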
From: Anton Louw
Sent: 22 April 2020 12:38
To: Artur Socha <asocha(a)redhat.com>; users(a)ovirt.org
Subject: RE: [ovirt-users] oVirt and KeyCloak integration
Perfect, I’ll test and let you know.
Thanks
From: Artur Socha <asocha@redhat.com>
Sent: 22 April 2020 12:32
To: Anton Louw <Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak integration
+ users@ovirt.org
On Wed, 2020-04-22 at 09:57 +0000, Anton Louw wrote:
Hi Artur,
I would just like to make sure I am following correctly, comparing your entries against mine.
Your setup:
...
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
...
My setup:
…
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
…
Should I add the additional 2 “\\” in on my side?
Yes, please try adding it. In my case I learned about this issue by debugging the code, because the real exception generated by the incorrect regexp syntax was hidden behind a generic error message giving no clues about the true cause.
Your setup:
...
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    Require valid-user
    AuthType openid-connect
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
…
My setup:
…
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    Require valid-user
    AuthType openid-connect
    ErrorDocument 401 "<html><meta http-equiv='refresh' content='0; url=/ovirt-engine/sso/login-unauthorized'/><body><a href='/ovirt-engine/sso/login-unauthorized'>Here</a></body></html>"
  </If>
</LocationMatch>
…
I remember I had syntax errors, but mine was changed.
Does this look fine to you?
Yeah, your version looks good too. You have ' instead of " so that is ok.
Thanks
From: Anton Louw
Sent: 22 April 2020 10:07
To: Artur Socha <asocha@redhat.com>
Subject: RE: [ovirt-users] oVirt and KeyCloak integration
Hi Artur,
Great, I will try the below and let you know. I appreciate your efforts.
Sure, you may report it, I was in such a rush that I only hit “reply” and not “Reply All”.
I do recall that I had to make some changes to the below as it complained about syntax errors:
ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
</If>
</LocationMatch>
I will let you know the outcome when I change the below as you suggested.
Cheers
From: Artur Socha <asocha@redhat.com>
Sent: 22 April 2020 09:51
To: Anton Louw <Anton.Louw@voxtelecom.co.za>
Subject: Re: [ovirt-users] oVirt and KeyCloak integration
I checked your logs and I did not notice anything suspicious.
However, now I recall I made some changes compared to the blog post example:
1) /etc/ovirt-engine/extensions.d/openid-http-mapping.properties
I added escaping in the regexp for '\'
...
config.mapAuthRecord.regex.pattern = ^(?<user>.*?)((\\\\(?<at>@)(?<suffix>.*?)@.*)|(?<realm>@.*))$
...
2) /etc/httpd/ovirt-openidc.conf
Escaping for '"' in the error document snippet
...
<LocationMatch ^/ovirt-engine/sso/(interactive-login-negotiate|oauth/token-http-auth)|^/ovirt-engine/callback>
  <If "req('Authorization') !~ /^(Bearer|Basic)/i">
    Require valid-user
    AuthType openid-connect
    ErrorDocument 401 "<html><meta http-equiv=\"refresh\" content=\"0; url=/ovirt-engine/sso/login-unauthorized\"/><body><a href=\"/ovirt-engine/sso/login-unauthorized\">Here</a></body></html>"
  </If>
</LocationMatch>
...
These two issues were most probably caused by the blog site rendering.
You might want to check engine.log (or server.log, not really sure which one it was) for aaa extension initialization logs. They should appear at the beginning, just after restarting the engine.
Unfortunately, at the moment I do not have a running keycloak setup (I used to have a local VM) but I will try to find some time to set it up again once I'm done with another work item that actually consumes almost the entire disk space of my 2 machines.
Please let me know if anything changes after applying these config changes. If this works for you then I will request the blog post to be updated.
Do you mind if I keep (re-post) this discussion back to users@ovirt in case others might have similar issues with keycloak integration?
A.
On Wed, 2020-04-22 at 06:35 +0000, Anton Louw wrote:
Hi Artur,
Thank you for the reply. The post [1] is actually the main source of
information I worked from in order to get everything configured. In
the post [1] I ran through the whole testing section, and everything
works as expected. I can see the VMs etc. when using the python script.
In my case we are not using ldap as a provider, I tried using
keycloak directly as a provider, I am not sure if that is where I am
going wrong?
I have attached the last part of the apache ssl_access_log when I
tried logging in this morning. I have also attached the engine log.
Thanks
From: Artur Socha <asocha@redhat.com>
Sent: 21 April 2020 15:20
To: Anton Louw <Anton.Louw@voxtelecom.co.za>; users@ovirt.org
Subject: Re: [ovirt-users] oVirt and KeyCloak integration
On Tue, 2020-04-21 at 12:48 +0000, Anton Louw wrote:
>
> Hi Everybody,
>
Hi Anton,
> Has anybody gone the route of using KeyCloak to login to oVirt?
> KeyCloak has been configured and the necessary configs have also been
> done on the engine. It redirects perfectly from the oVirt Web Login
> page to KeyCloak, but after logging into KeyCloak, I get redirected
> back to the oVirt Web Login. When trying to login again, I get the
> below error:
>
> server_error: Missing parameter: 'params'
>
Not so long ago I managed to set up ovirt engine with keycloak (using
ldap as users provider). Hopefully, I would be able to help you with it.
There is an excellent blog post [1] available. You might also check the
keycloak+ldap post [2], however, when I was working on the integration
I was not aware of it and did not test it.
The error you mentioned does not really indicate what exactly is wrong,
but it might suggest that there is some sort of misconfiguration with
apache (you need to install and configure mod_auth_openidc as described
at [1]). At least that happened in my case.
In case you have already gone through it you could probably check the
apache logs.
Under [1] there is a python script that can be used to check api calls,
please update username/password and test it against your environment.
Would it be possible to post the relevant piece of apache logs together with
engine.log?
[1] https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-o...
[2] https://blogs.ovirt.org/2018/08/ovirt-saml-with-keyloak-using-389ds-user-...
Artur
> I have checked all the logs, but nothing is telling me what exactly
> the issue is.
>
> If anybody has any idea, please let me know.
>
> Thanks
>
> _______________________________________________
> Users mailing list -- users@ovirt.org
> To unsubscribe send an email to users-leave@ovirt.org
> Privacy Statement: https://www.ovirt.org/privacy-policy.html
> oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/S4I2I3MID4A...