Foreman OIDC Grant types supported?

Problem: I am running Foreman 3.14 with Katello and I want to configure a third-party OIDC/OAuth provider (PingFederate). So far I have been able to configure it up to a point, but it fails to create the external user in Foreman after a successful external login. I couldn’t find any clues in the SSL logs…
There is one quirk about the OAuth grant types that is confusing me. Currently we have the allowed grant type “Authentication Code” enabled on the PingFed side, and I’ve put “OIDCResponseType code” in the foreman-oidc.conf file in /etc/httpd/conf.d/, which doesn’t work and falls back to the local Foreman login page. Does Foreman require the grant type to be “Implicit grant” for it to work?

Expected outcome: OIDC working as expected.

Foreman and Proxy versions: Foreman 3.14 with Katello (standalone, no proxies)
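For readers comparing the two grant types mentioned above, here is what the choice looks like in mod_auth_openidc terms. This is an added example, not the foreman-oidc.conf from the original post or a file shipped by the Foreman project; the hostnames, client ID, secret and the Foreman redirect path are assumptions to be replaced with your own values.

```apache
# Added example of a mod_auth_openidc virtual-host fragment for Foreman.
# Not the original poster's foreman-oidc.conf; hostnames, client ID,
# secret and the redirect path below are assumptions.
# The module itself (auth_openidc_module) is assumed to be loaded elsewhere.

# PingFederate discovery document (assumed URL)
OIDCProviderMetadataURL https://sso.example.com/.well-known/openid-configuration
OIDCClientID            foreman-example
OIDCClientSecret        CHANGE-ME
OIDCCryptoPassphrase    CHANGE-ME-TOO
OIDCRedirectURI         https://foreman.example.com/users/extlogin/redirect_uri
OIDCScope               "openid email profile"
OIDCRemoteUserClaim     preferred_username

# Grant type selection.
#   "code"     = authorization code grant (what PingFederate calls
#                "Authorization Code"); tokens are fetched back-channel
#                with the client secret, nothing sensitive in the browser URL.
#   "id_token" = implicit grant; the ID token comes back in the URL
#                fragment, which is why many security teams disallow it.
# The thread reports that only the implicit variant let the Foreman login
# through; the authorization code line is left active here as the
# setting to try first, with the implicit one commented out.
OIDCResponseType        code
# OIDCResponseType      id_token

# Module debug logging: the provider's error (for example
# "unauthorized_client") and the claims returned after login are written
# to the Apache error log, which is where to look when the SSL access
# log shows nothing useful.
LogLevel auth_openidc:debug

# Only the external-login entry point is protected by the module; the
# local login page (/users/login) stays reachable for the built-in admin.
<Location /users/extlogin>
    AuthType openid-connect
    Require valid-user
</Location>
```

After changing OIDCResponseType, restart httpd and watch the error log while attempting a login; the "unauthorized_client" message quoted later in this thread is the provider refusing the response type the module asked for, so the log will show which of the two values the module actually sent. Remember that the response type configured here must match a grant type enabled for the client on the PingFederate side, or the provider will reject the request before any user is ever created in Foreman.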

Hello,

I am also using PingFederate and having an almost identical issue, as implicit grant is not allowed by our company, due to cyber deeming it insecure.

Error seen in browser
OpenID Connect Provider Error: unauthorized_client
implicit+grant+not+allowed+for+this+client

Can we get confirmation if this grant is needed?
If it is, how can we get the developers to allow Authorization Code?
Is there a feature request for Foreman to support SAML?

Any information would be very helpful.

Thank you,
Andy

Hi there,

I actually just got an exception approved to enable the Implicit grant method but I’m still waiting to have it enabled. Once I am able to test it out, I’ll post the results here.
I’m glad that I’m not alone in this :smiley:

Regards,
Jasenko


After the Implicit Grant was enabled on the PingFederate side, I was able to log in to Foreman via the SSO. Make sure that you have the local admin account credentials ready, and use them on the local login URL (/users/login) to set the appropriate role for the new user that gets created on first login.
My security organization also told us that they will enable MFA on this SSO configuration with Implicit Grant as a condition for approving it.
Bottom line: Foreman’s current SSO implementation works only with the Implicit Grant method enabled on the SSO provider side.

Have a nice day and let me know if I can help.
Jasenko

Thanks for confirming @JasenkoC.
In my case, implicit grant will never be enabled, so I am looking to the Foreman dev team for next steps.

Regards,
Andy
