7e375d1fb8
In the certains situation customers using tools like Authentik or Zitadel may encounter issue with using id_token as in that case it may also return access_token despite not set deliberately The `code` flow is now the preffered approach for OIDC hence the ability for setting that options gives more flexibility. Implements: oidc-response-type option Closes-Bug: #2084184 Change-Id: I251dffbdf97998998066d5efd2d8d9386ecd19e5 |
||
|---|---|---|
| examples | ||
| src | ||
| templates | ||
| tests | ||
| unit_tests | ||
| .gitignore | ||
| .gitreview | ||
| .jujuignore | ||
| .stestr.conf | ||
| .zuul.yaml | ||
| charmcraft.yaml | ||
| config.yaml | ||
| LICENSE | ||
| metadata.yaml | ||
| osci.yaml | ||
| README.md | ||
| rename.sh | ||
| requirements.txt | ||
| test-requirements.txt | ||
| tox.ini | ||
Overview
This subordinate charm provides a way to integrate an Open ID Connect based identity provider with Keystone using mod_auth_openidc. Apache operates as an OpenID Connect Relaying Party towards an OpenID Connect Provider.
Usage
Configuration
To display all configuration option information run juju config keystone-openidc. If the application is not deployed then see the charm's
Configure tab in the
Charmhub. Finally, the Juju documentation provides
general guidance on configuring applications.
Deployment
These deployment instructions assume the following applications are present: keystone and openstack-dashboard
To deploy keystone-openidc:
juju deploy keystone-openidc
Join keystone-openidc to keystone:
juju add-relation keystone:keystone-fid-service-provider keystone-openidc:keystone-fid-service-provider
Join keystone-openidc to openstack-dashboard to provide SSO access through Horizon:
juju add-relation openstack-dashboard:websso-fid-service-provider keystone-openidc:websso-fid-service-provider
Enable Horizon as a trusted dashboard for Web Single Single-On for Keystone:
juju add-relation openstack-dashboard:websso-trusted-dashboard keystone:websso-trusted-dashboard
You must add this relation for Horizon and Keystone. If you do not, Keystone will return a 401 error that the login domain for Horizon is not a trusted domain.
Now provide an OpenID Connect client credentials and the URL for autodiscovery of the backend's configuration:
juju config keystone-openidc \
oidc-client-id="<CLIENT_ID>" \
oidc-client-secret="<CLIENT_SECRET>" \
oidc-provider-metadata-url="https://example.com/.well-known/openid-configuration"
Here is a bundle representation of the deployment:
applications:
keystone-openidc:
charm: ch:keystone-openid
num_units: 0
options:
oidc-client-id: "<CLIENT_ID>"
oidc-client-secret: "<CLIENT_SECRET>"
oidc-provider-metadata-url: "https://example.com/.well-known/openid-configuration"
relations:
- - keystone:keystone-fid-service-provider
- keystone-openidc:keystone-fid-service-provider
- - openstack-dashboard:websso-fid-service-provider
- keystone-openidc:websso-fid-service-provider
OpenStack CLI Authentication
The OpenStack client supports authentication
against an OpenID Connect identity provider using Bearer Access Token
authentication flow only. This requires the
keystone-openidc charm to have its configuration option auth-type set to
'auth-openidc' (the default).
Here is an example of the environment variables that need to be set for the OpenStack client to authenticate successfully:
export OS_AUTH_TYPE=v3oidcpassword
export OS_DISCOVERY_ENDPOINT="https://example.com/.well-known/openid-configuration"
export OS_OPENID_SCOPE="openid email profile"
export OS_CLIENT_ID="<CLIENT_SECRET>"
export OS_CLIENT_SECRET="<CLIENT_SECRET>"
export OS_IDENTITY_PROVIDER=openid
export OS_PROTOCOL=openid
# At the end include openstack specific config, like OS_USERNAME, OS_PASSWORD, etc.
# ...
Bugs
Please report bugs on Launchpad.
For general charm questions refer to the OpenStack Charm Guide.