Juju Charm - Keystone OpenID Connect
Go to file
James Page b4b7b27815
Sync/rebuild for Dalmatian/Epoxy updates
Refresh and rebuild charm for awareness of Dalmatian and Epoxy
Cloud Archive releases.

Change-Id: I8e9c0e007d6592c4f8e3453b0110b6ff3e1611ae
2024-11-18 16:31:13 +00:00
examples Add example script to issue a token 2022-09-08 23:30:57 -04:00
src add ability to manage OIDCResponseType 2024-10-23 15:37:39 +02:00
templates add ability to manage OIDCResponseType 2024-10-23 15:37:39 +02:00
tests Add charmcraft 3 support 2024-09-05 14:45:09 -04:00
unit_tests add ability to manage OIDCResponseType 2024-10-23 15:37:39 +02:00
.gitignore Fix typo in apache template 2022-08-19 15:52:18 -04:00
.gitreview Enable zuul and git-review 2022-09-15 17:32:43 -03:00
.jujuignore Fix typo in apache template 2022-08-19 15:52:18 -04:00
.stestr.conf Add stestr to the testing dependencies 2022-07-21 19:10:27 -04:00
.zuul.yaml Add charmcraft 3 support 2024-09-05 14:45:09 -04:00
charmcraft.yaml Add charmcraft 3 support 2024-09-05 14:45:09 -04:00
config.yaml add ability to manage OIDCResponseType 2024-10-23 15:37:39 +02:00
LICENSE Initial import 2022-07-20 17:39:41 -04:00
metadata.yaml Add charmcraft 3 support 2024-09-05 14:45:09 -04:00
osci.yaml Add charmcraft 3 support 2024-09-05 14:45:09 -04:00
README.md Add charmcraft 3 support 2024-09-05 14:45:09 -04:00
rebuild Sync/rebuild for Dalmatian/Epoxy updates 2024-11-18 16:31:13 +00:00
rename.sh Initial import 2022-07-20 17:39:41 -04:00
requirements.txt Set target_deploy_status for OVN related charms 2022-08-19 15:53:13 -04:00
test-requirements.txt Add support for websso-fid-service-provider relation. 2022-09-26 21:33:00 -03:00
tox.ini Updates for py312 compatibility 2024-08-21 17:25:48 +00:00

Overview

This subordinate charm provides a way to integrate an Open ID Connect based identity provider with Keystone using mod_auth_openidc. Apache operates as an OpenID Connect Relaying Party towards an OpenID Connect Provider.

Usage

Configuration

To display all configuration option information run juju config keystone-openidc. If the application is not deployed then see the charm's Configure tab in the Charmhub. Finally, the Juju documentation provides general guidance on configuring applications.

Deployment

These deployment instructions assume the following applications are present: keystone and openstack-dashboard

To deploy keystone-openidc:

juju deploy keystone-openidc

Join keystone-openidc to keystone:

juju add-relation keystone:keystone-fid-service-provider keystone-openidc:keystone-fid-service-provider

Join keystone-openidc to openstack-dashboard to provide SSO access through Horizon:

juju add-relation openstack-dashboard:websso-fid-service-provider keystone-openidc:websso-fid-service-provider

Enable Horizon as a trusted dashboard for Web Single Single-On for Keystone:

juju add-relation openstack-dashboard:websso-trusted-dashboard keystone:websso-trusted-dashboard

You must add this relation for Horizon and Keystone. If you do not, Keystone will return a 401 error that the login domain for Horizon is not a trusted domain.

Now provide an OpenID Connect client credentials and the URL for autodiscovery of the backend's configuration:

juju config keystone-openidc \
    oidc-client-id="<CLIENT_ID>" \
    oidc-client-secret="<CLIENT_SECRET>" \
    oidc-provider-metadata-url="https://example.com/.well-known/openid-configuration"

Here is a bundle representation of the deployment:

applications:
  keystone-openidc:
    charm: ch:keystone-openid
    num_units: 0
    options:
      oidc-client-id: "<CLIENT_ID>"
      oidc-client-secret: "<CLIENT_SECRET>"
      oidc-provider-metadata-url: "https://example.com/.well-known/openid-configuration"
relations:
- - keystone:keystone-fid-service-provider
  - keystone-openidc:keystone-fid-service-provider
- - openstack-dashboard:websso-fid-service-provider
  - keystone-openidc:websso-fid-service-provider

OpenStack CLI Authentication

The OpenStack client supports authentication against an OpenID Connect identity provider using Bearer Access Token authentication flow only. This requires the keystone-openidc charm to have its configuration option auth-type set to 'auth-openidc' (the default).

Here is an example of the environment variables that need to be set for the OpenStack client to authenticate successfully:

export OS_AUTH_TYPE=v3oidcpassword
export OS_DISCOVERY_ENDPOINT="https://example.com/.well-known/openid-configuration"

export OS_OPENID_SCOPE="openid email profile"
export OS_CLIENT_ID="<CLIENT_SECRET>"
export OS_CLIENT_SECRET="<CLIENT_SECRET>"
export OS_IDENTITY_PROVIDER=openid
export OS_PROTOCOL=openid

# At the end include openstack specific config, like OS_USERNAME, OS_PASSWORD, etc.
# ...

Bugs

Please report bugs on Launchpad.

For general charm questions refer to the OpenStack Charm Guide.