Invalidate local Keystone session on logout

When logging out of Horizon, the user's Horizon session would be
cleared, and they would then be taken to the Chameleon IdP so that
session could also be cleared. However, their session was still
persisted thanks to caching in the mod_auth_openidc Apache module
Keystone uses for its OpenID integration[1].

To fix, expand the logout chain to also hit the mod_auth_openidc logout
endpoint[2].

[1]: https://github.com/zmartzone/mod_auth_openidc/wiki/Caching
[2]: https://github.com/zmartzone/mod_auth_openidc/wiki/OpenID-Connect-Session-Management#logout

[federated auth] enable logout via keystone+keycloak

Author: Jason Anderson

site-config/globals.yml

@@ -84,10 +84,21 @@ keystone_identity_mappings:
 
 keystone_oidc_client_id: "keystone-ciab-dev"
 keystone_oidc_client_secret: "public"
-keystone_oidc_provider_metadata_url: "{{ keystone_identity_providers[0].identifier }}/.well-known/openid-configuration"
-
+identity_provider_url: "{{ keystone_identity_providers[0].identifier }}"
+keystone_oidc_provider_metadata_url: "{{ identity_provider_url }}/.well-known/openid-configuration"
+keystone_federation_oidc_jwks_uri: "{{ identity_provider_url }}/protocol/openid-connect/certs"
+
+# required for horizon logout, must have mod_auth_openidc version >= 4.3.3
+# 1. horizon redirects to keystone with parameter logout=keystone_oidc_logout_payload
+# 2. mod_auth_openidc in keystone clears its local cache, then redirects to the "post-logout" api endpoint in keycloak
+# 3. (our custom) post-logout api endpoint in keycloak ends the active session, then displays a page with links to sign-out of globus and TAS
+keystone_oidc_logout_payload: '{{ (identity_provider_url ~ "/post-logout?client_id=" ~ keystone_oidc_client_id) | urlencode }}'
+keystone_federation_oidc_allowed_redirects:
+  - "^{{ keystone_public_url }}/"
+  - "^{{ identity_provider_url }}/"
+  
 # keystone must support mapping multiple projects or keycloak federation will fail
-keystone_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-keystone:77cca74
-keystone_fernet_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-keystone-fernet:77cca74
-keystone_ssh_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-keystone-ssh:77cca74
-horizon_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-horizon:77cca74
+keystone_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-keystone:e400612
+keystone_fernet_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-keystone-fernet:e400612
+keystone_ssh_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-keystone-ssh:e400612
+horizon_image_full: ghcr.io/chameleoncloud/kolla/ubuntu-source-horizon:e400612

site-config/node_custom_config/horizon/custom_local_settings

@@ -120,6 +120,13 @@ WEBSSO_DEFAULT_REDIRECT = True
 WEBSSO_KEYSTONE_URL = "{{ keystone_public_url }}/v3"
 WEBSSO_DEFAULT_REDIRECT_REGION = '{{ keystone_public_url }}/v3'
 WEBSSO_DEFAULT_REDIRECT_PROTOCOL = 'openid'
+# Use mod_auth_openidc's built-in front channel logout support (part of the
+# OpenID spec.) If we make a request to the `OIDCRedirectURI` with a ?logout
+# parameter set to a valid redirect URI, the user's session will be cleared both
+# within the mod_auth_openidc session cache, but also on the authenticating
+# provider itself. We redirect to the custom post-logout page.
+WEBSSO_DEFAULT_REDIRECT_LOGOUT = '{{ keystone_public_url }}/redirect_uri?logout={{ keystone_oidc_logout_payload }}'
+
 {% endif %}
 
 # The OPENSTACK_HEAT_STACK has the only setting available - enable_user_pass,