openstack/charm-keystone-openidc
Code Issues Proposed changes
7e375d1fb8
charm-keystone-openidc/config.yaml
Bartosz Woronicz 7e375d1fb8 add ability to manage OIDCResponseType 
In the certains situation customers using tools like Authentik or
Zitadel may encounter issue with using id_token as in that case it may
also return access_token despite not set deliberately
The `code` flow is now the preffered approach for OIDC hence
the ability for setting that options gives more flexibility.

Implements: oidc-response-type option
Closes-Bug: #2084184
Change-Id: I251dffbdf97998998066d5efd2d8d9386ecd19e5
2024-10-23 15:37:39 +02:00

158 lines
5.7 KiB
YAML
Raw Blame History

options:
debug:
default: False
type: boolean
description: |
Enable debug logging.
remote-id-attribute:
default: 'HTTP_OIDC_ISS'
type: string
description: |
Attribute used to obtain the entity ID of the OpenID Connect Provider.
oidc-client-id:
default: ''
type: string
description: |
Client identifier used to connect to the OpenID Connect Provider.
oidc-client-secret:
default: ''
type: string
description: |
Password used to authenticate with the OpenID Connect Provider.
oidc-provider-metadata-url:
default: ''
type: string
description: |
URL to discover the OpenID Connect Provider and obtain information
needed to interact with it, including its OAuth 2.0 endpoint
locations. Example: https://example.com/.well-known/openid-configuration
oidc-provider-issuer:
default: ''
type: string
description: |
Open ID Connect Provider issuer identifier (e.g. https://example.com
). Used when oidc-provider-metadata-url is not set or the metadata
obtained from that URL does not set it.
oidc-provider-auth-endpoint:
default: ''
type: string
description: |
Open ID Connect Provider authorization endpoint
(e.g. https://example.com/as/authorization.oauth2). Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-provider-token-endpoint:
default: ''
type: string
description: |
Open ID Connect Provider token endpoint
(e.g. https://example.com/as/token.oauth2). Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-provider-token-endpoint-auth:
default: ''
type: string
description: |
Authentication method for the Open ID Connect Provider token endpoint,
possible options are: client_secret_basic, client_secret_post,
client_secret_jwt, private_key_jwt or none. Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-provider-user-info-endpoint:
default: ''
type: string
description: |
Open ID Connect Provider user info endpoint
(e.g. https://example.com/idp/userinfo.openid). Used when
oidc-provider-metadata-url is not set or the metadata obtained from that
URL does not set it.
oidc-x-forwarded-headers:
default: ''
type: string
description: |
X-Forwarded-* headers from reverse proxies that mod_auth_openidc should
look for. Must be one or more of "X-Forwarded-Host", "X-Forwarded-Port",
"X-Forwarded-Proto", "Forwarded", or "none". mod_auth_openidc ignores
this setting if it is "none" or undefined. Use this setting when using
a proxy that changes the protocol, host, or port when handling the
authentication workflow.
oidc-state-input-headers:
default: 'user-agent'
type: string
description: |
Define the headers mod_auth_openidc uses to calculate the browser
fingerprint during authentication. Set to "none" if using multiple
units of Keystone behind a load balancer or proxy.
oidc-session-type:
default: 'server-cache'
type: string
description: |
Set where OpenID Connect session cookies are stored. BY default cookies
are stored on the web server. Can be one of 'server-cache',
'server-cache:persistent', 'client-cookie', 'client-cookie:persistent',
'client-cookie:store_id_token', or
'client-cookie:persistent:store_id_token'. When using multiple units
of Keystone behind a proxy, use 'client-cookie:persistent' if you are
not using shared session storage for Keystone.
oidc-response-type:
default: 'id_token'
type: string
description: |
Define the OIDCResponseType for mod_auth_openidc uses limit
the responses type. It must be one of the following:
code|id_token|id_token token|code id_token|code token|code id_token token
Empty string will remove that option completely.
auth-type:
default: 'auth-openidc'
type: string
description: |
To add support to Bearer Access Token authentication flow that is used
by applications that do not adopt the browser flow, such the OpenStack
CLI, the auth-type must be set to auth-openidc (the default) otherwise
to openid-connect.
idp_id:
default: ''
type: string
description: |
The ID of the Identity Provider defined in Keystone.
protocol_id:
default: 'openid'
type: string
description: |
Federation protocol name.
oidc-remote-user-claim:
default: ''
type: string
description: |
The claim that is used when setting the REMOTE_USER variable on OpenID
Connect protected paths, for example: email.
oidc-provider-jwks-uri:
default: ''
type: string
description: |
.
enable-oauth:
default: true
type: boolean
description: |
Set to true to enable OAuth2 support.
oidc-oauth-verify-jwks-uri:
default: ''
type: string
description: |
The JWKs URL on which the Authorization Server publishes the keys used
to sign its JWT access tokens.
oidc-oauth-introspection-endpoint:
default: ''
type: string
description: |
OAuth 2.0 Authorization Server token introspection endpoint. When
`enable-oauth` is set to true and this option unset (the default), the
introspection endpoint available in the metadata will be used.
user-facing-name:
type: string
default: 'OpenID Connect via mapped'
description: |
A user-facing name to be used for the identity provider and protocol
combination. Used in the OpenStack dashboard.
View Git Blame Copy Permalink