I am currently configuring OOD 4.0.0 for a test cluster, in preparation for a larger rollout. For authentication, I am using an existing Keycloak server with OIDC. I’ve noticed that the oidc-related fields (oidc_provider_metadata_url, oidc_client_id, etc.) in ood_portal.yml don’t affect anything when I set/unset them. The script update_ood_portal also says no changes were made to the config files when I run it after adding/removing the oidc fields. Changing non-oidc fields does impact the configuration files.
To get around this problem, I have created an extra ood-oidc.conf in /etc/httpd/conf.d and set the fields for Apache myself, which solved my issues, but going off the documentation in ood_portal.yml (Open OnDemand 4.0.0 documentation), this should not be necessary (and should be avoided). Running cat /etc/httpd/conf.d/ood-portal.conf | grep oidc -i has also never shown output. This seems like a problem to me, so I am starting this thread to ask about it.
Sincerely, Hazel
For reference, my current ood_portal.yml & ood-oidc.conf:
The only issue I can think of is dex being involved. If you have it installed on your system, I’d remove it. I see you have it set to false there, but I wonder if there’s still any issue.
I also wonder if you’re seeing messages about ‘not replacing’. If you’ve ever edited the ood-portal.conf you can get into a weird state where we’re not going to replace it because you’ve edited it by hand. You can use the -f parameter to force an update through update_ood_portal.
Lastly I’d just spot check journalctl for any issues with httpd as update_ood_portal gets run when you bounce httpd.
I have not seen ‘not replacing’ messages come by, in fact I ran update_ood_portal with -f by default because of the issues I was encountering. I have also occasionally deleted all ood-portal.conf to be sure no ‘old version’ was creeping out of somewhere.
Regarding the journalctl, below is the (relevant, private data removed) output of journalctl -xeu httpd. This is with the included ood-oidc.conf file providing OpenID Connect data to httpd:
Sep 16 21:14:12 <server> systemd[1]: Starting The Apache HTTP Server...
░░ Subject: A start job for unit httpd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://wiki.rockylinux.org/rocky/support
░░
░░ A start job for unit httpd.service has begun execution.
░░
░░ The job identifier is 26140.
Sep 16 21:14:12 <server> update_ood_portal[85837]: No change in Apache config.
Sep 16 21:14:12 <server> httpd[85860]: Server configured, listening on: port 443, port 80
Sep 16 21:14:12 <server> systemd[1]: Started The Apache HTTP Server.
░░ Subject: A start job for unit httpd.service has finished successfully
░░ Defined-By: systemd
░░ Support: https://wiki.rockylinux.org/rocky/support
░░
░░ A start job for unit httpd.service has finished successfully.
░░
░░ The job identifier is 26140.
OK - if you haven’t installed ondemand-dex then there may be no issue. Just FYI I think rpm -qa ondemand-dex will show if it’s installed (or at least there’s some rpm/dnf/rpmquery command to see if it’s installed, that’s just recalled off the top of my head).
Taking another look at what configs you’ve provided, I think you may be missing the oidc_uri configuration.
We have this expression which requires these 3 configurations of which you have only 2. I think it’s likely as simple as that, but that also could explain why it never sees any difference.
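A pre-flight check for the condition described in this reply, as an added example that is not part of the thread or of Open OnDemand's own tooling: it greps ood_portal.yml for the three keys the template needs (oidc_uri, oidc_provider_metadata_url, oidc_client_id) and reports which are missing or empty, which is the situation that leaves ood-portal.conf without any oidc lines and update_ood_portal reporting no change. The default path /etc/ood/config/ood_portal.yml and the OOD_PORTAL_YML override are assumptions.

```shell
#!/bin/sh
# Added example, not from the OOD project or this thread.
# Stock OOD config location; override with OOD_PORTAL_YML if your site differs.
OOD_PORTAL_YML="${OOD_PORTAL_YML:-/etc/ood/config/ood_portal.yml}"

# check_oidc_keys FILE
# Returns 0 when every key the ood-portal.conf template requires is set to a
# non-empty, uncommented top-level value; otherwise prints the missing keys
# and returns 1. Only these three keys gate the OIDC block, so a file that
# sets just two of them renders exactly like one with no OIDC config at all.
check_oidc_keys() {
  file="$1"
  missing=""
  for key in oidc_uri oidc_provider_metadata_url oidc_client_id; do
    # top-level "key: value" whose value is neither blank nor a comment;
    # a leading "#" (commented-out key) fails the anchor and counts as missing
    if ! grep -Eq "^${key}[[:space:]]*:[[:space:]]*[^[:space:]#]" "$file"; then
      missing="$missing $key"
    fi
  done
  if [ -n "$missing" ]; then
    echo "missing or empty:$missing"
    return 1
  fi
  return 0
}

# Stand-alone use: only runs when the config file actually exists.
if [ -f "$OOD_PORTAL_YML" ]; then
  if check_oidc_keys "$OOD_PORTAL_YML"; then
    echo "all three OIDC keys set; the template should render the oidc block"
  else
    echo "fix the keys above, then run: update_ood_portal -f && systemctl restart httpd"
  fi
fi
```

Run it before update_ood_portal; if it reports a missing key, that is why grep -i oidc on ood-portal.conf returns nothing.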