Bug 57266 - OpenID integration does not work
Summary: OpenID integration does not work
Status: NEW
Alias: None
Product: Branch p10
Classification: Unclassified
Component: pve-access-control
Version: not specified
Hardware: x86_64 Linux
Importance: P5 normal
Assignee: Alexey Shabalin
QA Contact: qa-p10@altlinux.org
Reported: 2025-12-17 17:55 MSK by Evgeny Shesteperov
Modified: 2025-12-17 18:04 MSK

Description Evgeny Shesteperov 2025-12-17 17:55:33 MSK
Version

- pve-access-control-7.4.3-alt4

Steps to reproduce

Configure OpenID. For the demonstration I set up Keycloak on the same node
as PVE:

    # apt-get install -y postgresql-server jq keycloak && \
    /etc/init.d/postgresql initdb && \
    systemctl enable --now postgresql && sleep 5 && \
    psql -U postgres -c "CREATE USER keycloak WITH PASSWORD '12345678';" && \
    psql -U postgres -c "CREATE DATABASE keycloak OWNER keycloak;" && \
    psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak;" && \
    systemctl stop ahttpd

    # cp /etc/keycloak/keycloak.conf /etc/keycloak/keycloak.conf-orig && sed -i -e "s|#db=postgres|db=postgres|g" \
    -e "s|#db-username=keycloak|db-username=keycloak|g" \
    -e "s|#db-password=password|db-password=12345678|g" \
    -e "s|#db-url=jdbc:postgresql://localhost/keycloak|db-url=jdbc:postgresql://localhost/keycloak|g" \
    -e "s|#health-enabled=true|health-enabled=true|g" \
    -e "s|#metrics-enabled=true|metrics-enabled=true|g" \
    -e "s|#hostname=myhostname|hostname=$(hostname)|g" \
    /etc/keycloak/keycloak.conf && \
    diff -u --color /etc/keycloak/keycloak.conf-orig /etc/keycloak/keycloak.conf

    # cert-sh generate "keycloak" && l /var/lib/ssl/certs/keycloak.pem

    ## Wait for "Installed features:..."
    kc.sh start 

    ## Enter `admin`
    # kc.sh bootstrap-admin user --username admin

    # systemctl enable --now keycloak.service && sleep 5; systemctl status keycloak.service -l --no-pager

    # JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::")

    # cp /var/lib/ssl/certs/keycloak.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust
    # cp /etc/pve/pve-root-ca.pem /etc/pki/ca-trust/source/anchors/ && update-ca-trust

    # keytool -importcert -alias keycloak -file /var/lib/ssl/certs/keycloak.pem -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt

    # /usr/lib/keycloak/bin/kcadm.sh config credentials --server https://$(hostname):8443 --realm master --user admin --password admin

    # /usr/lib/keycloak/bin/kcadm.sh create realms -s realm=pve-realm -s enabled=true

    # /usr/lib/keycloak/bin/kcadm.sh create clients -r pve-realm -s clientId=pve-web-app -s enabled=true -s publicClient=false -s protocol=openid-connect -s "redirectUris=[\"https://$(hostname):8006*\"]" -s "webOrigins=[\"*\"]" -s standardFlowEnabled=true -s directAccessGrantsEnabled=true

    # CLIENT_ID=$(/usr/lib/keycloak/bin/kcadm.sh get clients -r pve-realm --fields id,clientId | jq -r '.[] | select(.clientId=="pve-web-app") | .id')

    # SECRET=$(/usr/lib/keycloak/bin/kcadm.sh get clients/$CLIENT_ID/client-secret -r pve-realm | jq .value | xargs)

    # /usr/lib/keycloak/bin/kcadm.sh create users -r pve-realm -s username=testopenid -s firstName=Test -s lastName=OpenID -s email=testopenid@awesome.org -s enabled=true

    # USER_ID=$(/usr/lib/keycloak/bin/kcadm.sh get users -r pve-realm --fields id,username | jq -r '.[] | select(.username=="testopenid") | .id')

    # /usr/lib/keycloak/bin/kcadm.sh set-password -r pve-realm --userid $USER_ID --new-password testpass123

    # /usr/lib/keycloak/bin/kcadm.sh update realms/pve-realm -s sslRequired=NONE

    # curl -sk -X POST "https://$(hostname):8443/realms/pve-realm/protocol/openid-connect/token" -H 'Content-Type: application/x-www-form-urlencoded' -d 'client_id=pve-web-app' -d "client_secret=${SECRET}" -d 'username=testopenid' -d 'password=testpass123' -d 'grant_type=password' | jq

    # echo "Issuer: https://$(hostname):8443/realms/pve-realm" && \
    # echo "Client ID: pve-web-app" && \
    # echo "Client Secret Key: $SECRET"

    # pveum realm add keycloak --type openid --issuer-url https://$(hostname):8443/realms/pve-realm --client-id pve-web-app --client-secret $SECRET

Log in via keycloak, or send a request to PVE:

    # pvesh create /access/openid/auth-url -realm keycloak -redirect-url https://$(hostname):8006

Expected result: successful login via Keycloak; an authorization string
for Keycloak is returned via pvesh

Actual result: 500 error in the web interface; pvesh:
Failed to parse server response

Does not reproduce on P11.
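The "Failed to parse server response" message says nothing about whether the provider side of the setup is sound. A check worth running when triaging a report like this is whether the issuer's OpenID discovery document is reachable over trusted TLS and consistent with the issuer URL given to `pveum realm add`. The script below is an added example, not part of this report or of pve-access-control; the hostname and the sample document are constructed, and the validation rules follow OpenID Connect Discovery 1.0.

```python
import json
import sys
import urllib.request
from urllib.parse import urlparse

# Metadata an OpenID Connect provider must publish for the authorization code
# flow (OpenID Connect Discovery 1.0, section 3).
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample resembling what a Keycloak realm publishes at
# <issuer>/.well-known/openid-configuration; the hostname is a placeholder.
BASE_ISSUER = "https://keycloak.example.test:8443/realms/pve-realm"
SAMPLE_DOC = {
    "issuer": BASE_ISSUER,
    "authorization_endpoint": BASE_ISSUER + "/protocol/openid-connect/auth",
    "token_endpoint": BASE_ISSUER + "/protocol/openid-connect/token",
    "jwks_uri": BASE_ISSUER + "/protocol/openid-connect/certs",
    "response_types_supported": ["code", "id_token", "code id_token"],
}


def validate_discovery(doc: dict, configured_issuer: str) -> list:
    """Return the problems found in a discovery document; an empty list means it is usable."""
    problems = [f"missing required field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    # Discovery requires the advertised issuer to equal the URL the relying party was
    # configured with, character for character (a trailing slash is a mismatch).
    issuer = doc.get("issuer")
    if issuer is not None and issuer != configured_issuer:
        problems.append(f"issuer mismatch: advertised {issuer!r}, configured {configured_issuer!r}")
    for field in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        url = doc.get(field)
        if url and urlparse(url).scheme != "https":
            problems.append(f"{field} is not https: {url}")
    if "code" not in doc.get("response_types_supported", ["code"]):
        problems.append("provider does not advertise response_type=code")
    return problems


def fetch_discovery(issuer_url: str) -> dict:
    """Fetch the discovery document, validating TLS against the system CA store."""
    url = issuer_url.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Usage: python check_oidc.py https://<keycloak-host>:8443/realms/pve-realm
    found = validate_discovery(fetch_discovery(sys.argv[1]), sys.argv[1])
    print("\n".join(found) or "discovery document is consistent with the configured issuer")
    sys.exit(1 if found else 0)
```

Run it on the PVE node with the same issuer URL passed to `pveum realm add`; a TLS failure there points at the CA trust steps, while an issuer mismatch or missing endpoint points at the realm configuration.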