app_id must match with the 'aud' field in the token introspection result (In the example the value of 'aud' is 'customer-portal') Thanks, Pritha On Tue, May 12, 2020 at 8:16 PM Wyllys Ingersoll < wyllys.ingersoll@xxxxxxxxxxxxxx> wrote: > > Running Nautilus 14.2.9 and trying to follow the STS example given here: > https://docs.ceph.com/docs/master/radosgw/STS/ to setup a policy > for AssumeRoleWithWebIdentity using KeyCloak (8.0.1) as the OIDC provider. > I am able to see in the rgw debug logs that the token being passed from the > client is passing the introspection check, but it always ends up failing > the final authorization to access the requested bucket resource and is > rejected with a 403 status "AccessDenied". > > I configured my policy as described in the 2nd example on the STS page > above. I suspect the problem is with the "StringEquals" condition statement > in the AssumeRolePolicy document (I could be wrong though). > > The example shows using the keycloak URI followed by ":app_id" matching > with the name of the keycloak client application ("customer-portal" in the > example). My keycloak setup does not have any such field in the > introspection result and I can't seem to figure out how to make this all > work. > > I cranked up the logging to 20/20 and still did not see any hints as to > what part of the policy is causing the access to be denied. > > Any suggestions? > > -Wyllys Ingersoll > > _______________________________________________ > Dev mailing list -- dev@xxxxxxx > To unsubscribe send an email to dev-leave@xxxxxxx > _______________________________________________ ceph-users mailing list -- ceph-users@xxxxxxx To unsubscribe send an email to ceph-users-leave@xxxxxxx
 |