Keycloak and ondemand host short-name

Hi. I’m testing keycloak out, and I got OpenOndemand authenticating against it.

Something to note, in new versions of Keycloak (I’m using 18.0.0), in the auth_openidc.conf file, the OIDCProivderMetadataURL drops the ‘auth’ part of the URL, so mine is just:
https://keycloak.mysite.org/realms/OnDemand/.well-known/openid-configuration

The question I have though, this config as stated only works when I have the FQDN used in my browser. I modified the Keycloak client Redirect URIs to include the short name of the host as well, but that wasn’t enough.

I then modified the auth_openidc.conf file and changed OIDCRedirectURI to just /oidc, and I was able to log into OOD with just the short hostname, but wasn’t able to log out properly (it complained about the short name not equalling the fqdn), which is being set in the ood_portal logout_redirect option.

Has anyone set this up? I’m concerned that having OIDCRedirectURI set to just /oidc is a bit of a security problem, but not sure why.

Alternatively, it might be nicer to have apache just rewrite the short name to the long name and not deal with this at all, but I don’t want to muck up the OOD apache config to do this.

@tdockendorf any ideas?

I don’t think there’s any cause for concern here. There has to be a redirect uri - so /oidc is just is good as /just-about-anything-else. Hitting that page (whatever you call it) with no parameters gives an error. And with incorrect parameters (i.e., not a valid OIDC session) would do the same.

Ok, that’s good then. I don’t think keycloak is thrilled with it though. If you log out of the short hostname it complains that it the request didn’t come from the fqdn.I tried setting the logout_redirect to just /oidc and got a different error (I’ll have to reconfigure to post that error, but I think it’s just obvious that it didn’t know where the originating request was from).

What are your thoughts about a configuration to force all short host names to fqdn?

Why do you need to use the short hostname? Using the short name for websites almost never works especially with OIDC and SSL certs are involved. Is there a reason you can’t use FQDN or some other fully qualified DNS name. I think if you really want to use short hostname you’re going to have to update /etc/hosts on OnDemand and Keycloak sides to force lookups to know the IP of short name. Even that might not work with security checks for SSL since that’s going to be dependent on your browser.

I don’t think we can support updating the OnDemand ReWrite rules to change short name to long name because how would the ReWrite rules know the domain? Also using short names isn’t really a valid production use.

mainly convenience for end users.

The only way that could possibly work is if every user uses a browser from shared host with /etc/hosts updated or proper /etc/resolv.conf search paths to allow short names to work. The only other way is if every user updated their local /etc/hosts (or whatever Windows uses) to tell their system the IP of the short name.

well, every user that accesses the system is ‘onsite’ (either VPN’ed or on the local network). We don’t have it for external users, but I see your point here.