Bug 48898 - OpenID-Connect with external DNS
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: OpenID Connect
Version: UCS 4.3
Hardware: Other Linux
Importance: P5 normal
Target Milestone: ---
Assigned To: Erik Damrose
QA Contact: Arvid Requate
Reported: 2019-03-07 15:13 CET by Michel Smidt
Modified: 2019-06-21 13:56 CEST (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.057
Description Michel Smidt 2019-03-07 15:13:10 CET
Currently it does not seem possible to run OpenID Connect under an external DNS name.
Even if the endpoints described in the blog article (https://www.univention.de/blog-de/2018/12/openid-connect-provider) are accessible via the external DNS name, the user is redirected to a URL with an internal DNS name:
https://{internalFQDN}/signin/v1/identifier?flow=oidc&response_type=code&client_id=noiacwrziub&redirect_uri=https%3A%2F%2Flogin.schulmanager-online.de%2Foidc%2F358%2Fcallback&scope=openid%20email%20profile%20openid&state=wkGZ58OKSwNIJKdGWWHgPpg8

Unfortunately, this name cannot be resolved by the users.
Comment 1 Dirk Ahrnke 2019-03-15 11:45:25 CET
As far as I understand the concept of OpenID, this limitation will notably reduce the usefulness of this app.

Besides proof-of-concept style showcases (like the mentioned blog post), real-world scenarios may want to connect external OpenID clients to the OpenID Connect provider.
This is currently only possible if the machine running the OpenID app is *configured* with an externally resolvable hostname.

At this time, the app uses the default from the "env" file, which is very hard to change afterwards:
...
ARGS=--iss=https://@%@hostname@%@.@%@domainname@%@ ...
...
Comment 2 Valentin Heidelberger univentionstaff 2019-03-20 16:52:05 CET
In my (project) experience, externally reachable SAML IdPs are a pretty common scenario. All of my projects that are looking forward to implementing OpenID in some way are using external DNS with SAML at the moment.
Comment 3 Erik Damrose univentionstaff 2019-06-03 17:56:43 CEST
The --iss parameter can now be controlled by an app setting. Tests can be done with app version 1.0 from the test app center.
Comment 4 Arvid Requate univentionstaff 2019-06-19 20:32:40 CEST
Ok, works.
Comment 5 Erik Damrose univentionstaff 2019-06-21 13:56:35 CEST
Fixed in app version 1.0-konnect-0.23.3 (openid-connect-provider_20190521163358)
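The bug above boils down to one value: the issuer (--iss) the provider was started with. OpenID Connect clients compare that value byte-for-byte, so an issuer derived from the internal hostname.domainname breaks external relying parties even where the endpoints happen to be reachable under another name (OpenID Connect Discovery section 4.3 requires the advertised issuer to be identical to the issuer URL the client uses, and Core section 3.1.3.7 requires the ID token's iss claim to match it). The following script is an added example, not code from Univention or the konnect provider: it takes a discovery document (the JSON a provider serves at /.well-known/openid-configuration) and the redirect URL a user actually received, and reports every place where an internal name leaks. The external name ucs-sso.example.com, the internal name ucs-master.intranet.local and the endpoint paths other than /signin/v1/identifier are assumptions; both discovery documents are constructed to mirror the behaviour before and after the fix.

```python
"""Check an OpenID Connect provider for internal-DNS leaks (added example).

Assumptions (not from the bug report or the konnect app):
  * the provider publishes a standard discovery document,
  * the external name is ucs-sso.example.com,
  * the internal name is ucs-master.intranet.local,
  * endpoint paths below are placeholders.
"""
import json
from urllib.parse import urlparse

# Hypothetical external issuer the provider should be started with (--iss).
EXPECTED_ISSUER = "https://ucs-sso.example.com"

# Constructed discovery document reproducing the reported behaviour: --iss was
# derived from hostname.domainname, so the issuer and every endpoint carry the
# internal FQDN.
INTERNAL_DISCOVERY = json.dumps({
    "issuer": "https://ucs-master.intranet.local",
    "authorization_endpoint": "https://ucs-master.intranet.local/signin/v1/identifier/_/authorize",
    "token_endpoint": "https://ucs-master.intranet.local/oidc/token",
    "jwks_uri": "https://ucs-master.intranet.local/oidc/jwks",
    "response_types_supported": ["code", "id_token"],
})

# Constructed discovery document as it should look once --iss is set to the
# external name through the app setting.
EXTERNAL_DISCOVERY = json.dumps({
    "issuer": "https://ucs-sso.example.com",
    "authorization_endpoint": "https://ucs-sso.example.com/signin/v1/identifier/_/authorize",
    "token_endpoint": "https://ucs-sso.example.com/oidc/token",
    "jwks_uri": "https://ucs-sso.example.com/oidc/jwks",
    "response_types_supported": ["code", "id_token"],
})

# Constructed redirect in the shape of the one quoted in the report, with the
# {internalFQDN} placeholder filled with the assumed internal name.
REPORTED_REDIRECT = (
    "https://ucs-master.intranet.local/signin/v1/identifier?flow=oidc"
    "&response_type=code&client_id=noiacwrziub"
    "&redirect_uri=https%3A%2F%2Flogin.schulmanager-online.de%2Foidc%2F358%2Fcallback"
    "&scope=openid%20email%20profile%20openid&state=wkGZ58OKSwNIJKdGWWHgPpg8"
)

# Discovery keys whose values are URLs a relying party will contact or compare.
URL_KEYS = ("issuer", "authorization_endpoint", "token_endpoint",
            "userinfo_endpoint", "jwks_uri", "end_session_endpoint")


def check_discovery(discovery_json: str, expected_issuer: str) -> list:
    """Return a list of problems; an empty list means external clients can
    configure expected_issuer and validate tokens from this provider."""
    doc = json.loads(discovery_json)
    expected = urlparse(expected_issuer)
    problems = []
    # Clients compare the issuer as an exact string, not as a resolvable host.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != expected {expected_issuer!r}")
    for key in URL_KEYS:
        value = doc.get(key)
        if value is None:
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https":
            problems.append(f"{key} is not https: {value}")
        if parsed.netloc != expected.netloc:
            problems.append(f"{key} points at {parsed.netloc!r}, expected {expected.netloc!r}")
    return problems


def redirect_host(url: str) -> str:
    """Host the browser is sent to by the provider's redirect."""
    return urlparse(url).netloc


def redirect_matches_issuer(url: str, expected_issuer: str) -> bool:
    """True when the redirect stays on the externally resolvable issuer host."""
    return redirect_host(url) == urlparse(expected_issuer).netloc


if __name__ == "__main__":
    for name, doc in (("before fix", INTERNAL_DISCOVERY), ("after fix", EXTERNAL_DISCOVERY)):
        print(name, "->", check_discovery(doc, EXPECTED_ISSUER) or "OK")
    print("redirect host:", redirect_host(REPORTED_REDIRECT),
          "matches issuer:", redirect_matches_issuer(REPORTED_REDIRECT, EXPECTED_ISSUER))
```

Run against a live provider by replacing the constructed documents with the body of GET https://<external-name>/.well-known/openid-configuration; any non-empty list from check_discovery means the --iss app setting (or the hostname it is built from) still needs changing, regardless of whether the internal name happens to resolve from where the check runs.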