Merge "Add openid connect support"
commit
1d8ff29531
@ -117,11 +117,13 @@ Configure Apache to use a federation capable authentication method
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
There are many ways to configure Federation in the Apache HTTPD server.
Shibboleth is the only one documented so far.
Using Shibboleth and OpenID Connect are documented so far.
Follow the steps outlined at: `Setup Shibboleth`_.
* Follow the steps outlined at: `Setup Shibboleth`_.
* Follow the steps outlined at: `Setup OpenID Connect`_.
.. _`Setup Shibboleth`: extensions/shibboleth.html
.. _`Setup OpenID Connect`: extensions/openidc.html
Enable the ``OS-FEDERATION`` extension
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
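Review bot: the replacement sentence "Using Shibboleth and OpenID Connect are documented so far." does not read cleanly (the subject "Using ..." takes a singular verb); suggest "Shibboleth and OpenID Connect are the two methods documented so far." or "Setup is documented for Shibboleth and OpenID Connect." The new bullet list and the two `.. _`Setup ...`` targets are consistent with each other and with the added extensions/openidc.html page, so no other change is needed in this hunk.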
@ -26,12 +26,13 @@ To enable the federation extension:
[federation]
driver = keystone.contrib.federation.backends.sql.Federation
2. Add the ``saml2`` authentication method to the ``[auth]`` section in
``keystone.conf``::
2. Add the ``saml2`` and/or ``oidc`` authentication methods to the ``[auth]``
section in ``keystone.conf``::
[auth]
methods = external,password,token,saml2
methods = external,password,token,saml2,oidc
saml2 = keystone.auth.plugins.mapped.Mapped
oidc = keystone.auth.plugins.mapped.Mapped
.. NOTE::
The ``external`` method should be dropped to avoid any interference with
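Review bot: the updated example `methods = external,password,token,saml2,oidc` still lists `external` while the NOTE directly below says the `external` method should be dropped to avoid interference; since this hunk rewrites that line anyway, either remove `external` from the example or say in step 2 that it is shown only for completeness. Step 2 now reads "``saml2`` and/or ``oidc``" but the example enables both; a short sentence that an operator only needs the method for the protocol they actually front with Apache would stop readers enabling `oidc` without a matching `mod_auth_openidc` setup. The added `oidc = keystone.auth.plugins.mapped.Mapped` line mirrors the existing `saml2` entry, which is consistent with the token-provider change in this commit treating both names the same way.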
93
doc/source/extensions/openidc.rst
Normal file
@ -0,0 +1,93 @@
:orphan:
..
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
====================
Setup OpenID Connect
====================
Configuring mod_auth_openidc
============================
Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_)
.. _`mod_auth_openidc`: https://github.com/pingidentity/mod_auth_openidc
To install `mod_auth_openidc` on Ubuntu, perform the following:
.. code-block:: bash
sudo apt-get install libapache2-mod-auth-openidc
Note that this module is not available on Fedora/CentOS/Red Hat.
In the keystone Apache site file, add the following as a top level option, to
load the `mod_auth_openidc` module:
.. code-block:: xml
LoadModule auth_openidc_module /usr/lib/apache2/modules/mod_auth_openidc.so
Also within the same file, locate the virtual host entry and add the following
entries for OpenID Connect:
.. code-block:: xml
<VirtualHost *:5000>
...
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL <url_of_provider_metadata>
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
</LocationMatch>
</VirtualHost>
Note an example of an `OIDCProviderMetadataURL` instance is: https://accounts.google.com/.well-known/openid-configuration
If not using `OIDCProviderMetadataURL`, then the following attributes
must be specified: `OIDCProviderIssuer`, `OIDCProviderAuthorizationEndpoint`,
`OIDCProviderTokenEndpoint`, `OIDCProviderTokenEndpointAuth`,
`OIDCProviderUserInfoEndpoint`, and `OIDCProviderJwksUri`
Note, if using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix`
must be specified to have only alphanumerics or a dash ("-"). This is because
mod_wsgi blocks headers that do not fit this criteria. See http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed
for more details
Once you are done, restart your Apache daemon:
.. code-block:: bash
$ service apache2 restart
Tips
====
1. When creating a mapping, note that the 'remote' attributes will be prefixed,
with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
typical remote value to check for is: `HTTP_OIDC_ISS`.
2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see `Step 2`_
.. _`Step 2`: federation.html
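Review bot: `OIDCCryptoPassphrase openstack` in the VirtualHost example is a literal, guessable value in a block readers will copy verbatim; it is a secret in the same sense as `OIDCClientSecret`, so render it as a placeholder such as `<random_crypto_passphrase>` in the style already used for `<openid_client_id>` and `<openid_client_secret>`, and say it must be unique per deployment. In the same block, `LogLevel debug` inside the LocationMatch will end up in production configs; mark it as optional for troubleshooting rather than part of the baseline, or drop it from the example. `OIDCRedirectURI http://localhost:5000/...` should use the externally reachable https URL of the keystone endpoint, and the text should state that it must match exactly the redirect URI registered with the provider. Smaller points: the two `.. code-block:: xml` directives contain Apache configuration, not XML, so `apache` (or `none`) is the better highlighter; the "Note an example of an `OIDCProviderMetadataURL` instance is: ..." line runs straight into the "If not using ..." sentence with no blank line, so RST will render them as one paragraph; "for more details" lacks a period; and the `Step 2` link target `federation.html` lands at the top of that page rather than at step 2, so either an anchor or "step 2 of the federation page" wording would help readers.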
@ -429,7 +429,7 @@ class BaseProvider(provider.Provider):
trust = self.trust_api.get_trust(metadata_ref['trust_id'])
token_ref = None
if 'saml2' in method_names:
if 'saml2' in method_names or 'oidc' in method_names:
token_ref = self._handle_federation_tokens(
auth_context, project_id, domain_id)
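Review bot: the new condition `if 'saml2' in method_names or 'oidc' in method_names:` hardcodes a second protocol name into the token provider; since both names map to the same `keystone.auth.plugins.mapped.Mapped` plugin in the `[auth]` example of the docs hunk, a module-level set of federated method names checked with something like `if any(m in FEDERATED_METHODS for m in method_names):` would keep this branch from growing with every new protocol. Nothing else in the hunk changes, so `_handle_federation_tokens(auth_context, project_id, domain_id)` is now reached for `oidc` exactly as for `saml2`; a unit test that drives the `oidc` method name through this path would be worth adding alongside, as the commit otherwise only touches documentation.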