Add openid connect support

Add minor changes to the code to support the apache module
mod_auth_openidc (

Also add documention on how to setup mod_auth_openidc for
SP federation.

implements: bp openid-connect

Change-Id: Ia48e94905de0a9ee0e3c8d4f007075cba6e7e770
Steve Martinelli 8 years ago
parent 2ba7d67c34
commit 4e12e19c87
  1. 6
  2. 7
  3. 93
  4. 2

@ -117,11 +117,13 @@ Configure Apache to use a federation capable authentication method
There are many ways to configure Federation in the Apache HTTPD server.
Shibboleth is the only one documented so far.
Using Shibboleth and OpenID Connect are documented so far.
Follow the steps outlined at: `Setup Shibboleth`_.
* Follow the steps outlined at: `Setup Shibboleth`_.
* Follow the steps outlined at: `Setup OpenID Connect`_.
.. _`Setup Shibboleth`: extensions/shibboleth.html
.. _`Setup OpenID Connect`: extensions/openidc.html
Enable the ``OS-FEDERATION`` extension

@ -26,12 +26,13 @@ To enable the federation extension:
driver = keystone.contrib.federation.backends.sql.Federation
2. Add the ``saml2`` authentication method to the ``[auth]`` section in
2. Add the ``saml2`` and/or ``oidc`` authentication methods to the ``[auth]``
section in ``keystone.conf``::
methods = external,password,token,saml2
methods = external,password,token,saml2,oidc
saml2 = keystone.auth.plugins.mapped.Mapped
oidc = keystone.auth.plugins.mapped.Mapped
.. NOTE::
The ``external`` method should be dropped to avoid any interference with

@ -0,0 +1,93 @@
Licensed under the Apache License, Version 2.0 (the "License"); you may
not use this file except in compliance with the License. You may obtain
a copy of the License at
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
License for the specific language governing permissions and limitations
under the License.
Setup OpenID Connect
Configuring mod_auth_openidc
Federate Keystone (SP) and an external IdP using OpenID Connect (`mod_auth_openidc`_)
.. _`mod_auth_openidc`:
To install `mod_auth_openidc` on Ubuntu, perform the following:
.. code-block:: bash
sudo apt-get install libapache2-mod-auth-openidc
Note that this module is not available on Fedora/CentOS/Red Hat.
In the keystone Apache site file, add the following as a top level option, to
load the `mod_auth_openidc` module:
.. code-block:: xml
LoadModule auth_openidc_module /usr/lib/apache2/modules/
Also within the same file, locate the virtual host entry and add the following
entries for OpenID Connect:
.. code-block:: xml
<VirtualHost *:5000>
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL <url_of_provider_metadata>
OIDCClientID <openid_client_id>
OIDCClientSecret <openid_client_secret>
OIDCCryptoPassphrase openstack
OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
AuthType openid-connect
Require valid-user
LogLevel debug
Note an example of an `OIDCProviderMetadataURL` instance is:
If not using `OIDCProviderMetadataURL`, then the following attributes
must be specified: `OIDCProviderIssuer`, `OIDCProviderAuthorizationEndpoint`,
`OIDCProviderTokenEndpoint`, `OIDCProviderTokenEndpointAuth`,
`OIDCProviderUserInfoEndpoint`, and `OIDCProviderJwksUri`
Note, if using a mod_wsgi version less than 4.3.0, then the `OIDCClaimPrefix`
must be specified to have only alphanumerics or a dash ("-"). This is because
mod_wsgi blocks headers that do not fit this criteria. See
for more details
Once you are done, restart your Apache daemon:
.. code-block:: bash
$ service apache2 restart
1. When creating a mapping, note that the 'remote' attributes will be prefixed,
with `HTTP_`, so for instance, if you set OIDCClaimPrefix to `OIDC-`, then a
typical remote value to check for is: `HTTP_OIDC_ISS`.
2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see `Step 2`_
.. _`Step 2`: federation.html

@ -429,7 +429,7 @@ class BaseProvider(provider.Provider):
trust = self.trust_api.get_trust(metadata_ref['trust_id'])
token_ref = None
if 'saml2' in method_names:
if 'saml2' in method_names or 'oidc' in method_names:
token_ref = self._handle_federation_tokens(
auth_context, project_id, domain_id)