On Fri, 2020-06-19 at 08:34 +0000, Anton Louw wrote:
> Hi Artur,
>
> Thank you for the quick response.
>
> I have actually tried creating another user, but I still get the same error. I
> have attached the output of curl -vvv as well as the engine and keycloak
> logs.

This `curl -vvv ...` is actually incorrect because it is missing -H before the
'Accept' header. However, previous attempts that led to this error seemed to
be fine. Could you just re-send the output of the correct curl?

There are a few things we can test to try to narrow down the root cause:

1) Test the connection using the python script (from the blog post) using the sdk. I
suspect it will not work either.
2) I saw some errors in the log on revoking the token. Please go to the keycloak admin
panel and, under users, kill all its active sessions. Then, without
logging in to the engine admin UI, please use that curl to obtain a token.
3) Does it work without OVN integration enabled?

Artur

> Thank you
>
> Anton Louw
> Cloud Engineer: Storage and Virtualization at Vox
> T: 087 805 0000 | D: 087 805 1572
> M: N/A
> E: anton.l...@voxtelecom.co.za
> A: Rutherford Estate, 1 Scott Street, Waverley, Johannesburg
> www.vox.co.za
>
> From: Artur Socha <aso...@redhat.com>
> Sent: 19 June 2020 10:23
> To: Anton Louw <anton.l...@voxtelecom.co.za>; users@ovirt.org
> Subject: Re: [ovirt-users] KeyCloak Integration
>
> On Fri, 2020-06-19 at 07:35 +0000, Anton Louw via Users wrote:
>
> > Hi Everybody,
>
> Hi Anton,
>
> > So I have implemented KeyCloak into our oVirt environment, which works, up
> > until a point. So WebUI access works, but when calling the API, using:
> >
> > curl -k -H "Accept: application/json" 'https://virt.example.co.za/ovirt-engine/sso/oauth/token?grant_type=password&username=admin@openidchttp&password=mypass&scope=ovirt-app-api'
> >
> > I get the below error:
> >
> > {"error_description":"Cannot authenticate user Invalid scopes: ovirt-app-api ovirt-ext=revoke:revoke-all ovirt-ext=token-info:authz-search ovirt-ext=token-info:public-authz-search ovirt-ext=token-info:validate ovirt-ext=token:password-access.","error":"access_denied"}
> >
> > If my configs are removed, and I use “admin@internal” for my username, then
> > it works.
> >
> > I followed the below article step by step, and I double checked that all the
> > scopes are added into KeyCloak (ovirt-app-api and ovirt-app-admin)
> >
> > https://blogs.ovirt.org/2019/01/federate-ovirt-engine-authentication-to-openid-connect-infrastructure/
> >
> > Anybody have any ideas?
>
> It is my blind shot, but could you create & check another user?
>
> One more thing to check: please use curl -vvv to check if there are any
> redirects along the way.
>
> I will check keycloak settings on my setup - perhaps there is something
> non-obvious that could have been missed.
>
> Any chance to get a bit more logs from engine.log and even from keycloak?
> Perhaps there is something there that could help.
>
> Artur
>
> >  
> > Thank you
> > _______________________________________________
> > Users mailing list -- users@ovirt.org
> > To unsubscribe send an email to users-le...@ovirt.org
> > Privacy Statement: https://www.ovirt.org/privacy-policy.html
> > oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
> > List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/CC54IPZLYJYE2B3NP4LT4TN4CJX4C7BU/

_______________________________________________
Users mailing list -- users@ovirt.org
To unsubscribe send an email to users-le...@ovirt.org
Privacy Statement: https://www.ovirt.org/privacy-policy.html
oVirt Code of Conduct: https://www.ovirt.org/community/about/community-guidelines/
List Archives: https://lists.ovirt.org/archives/list/users@ovirt.org/message/OUJ22ZJIZR5ZKHQX4UAL42NW235SVSLO/
