diff --git a/doc/source/admin/federation/openidc.inc b/doc/source/admin/federation/openidc.inc index 716ddfbb6e..45163c3148 100644 --- a/doc/source/admin/federation/openidc.inc +++ b/doc/source/admin/federation/openidc.inc @@ -63,7 +63,7 @@ options: OIDCClientID OIDCClientSecret OIDCCryptoPassphrase - OIDCRedirectURI https://sp.keystone.example.org/v3/OS-FEDERATION/identity_providers/google/protocols/openid/auth + OIDCRedirectURI https://sp.keystone.example.org/v3/redirect_uri ``OIDCScope`` is the list of attributes that the user will authorize the Identity Provider to send to the Service Provider. ``OIDCClientID`` and @@ -77,7 +77,9 @@ must be used while using the AuthType ``auth-openidc``, when using the AuthType will not be necessary. ``OIDCRedirectURI`` is a vanity URL that must point to a protected path that does not have any content, such as an extension -of the protected federated auth path. +of the protected federated auth path. It should not match any Keystone API endpoints +or mod_auth_openidc will handle requests to the endpoint instead of Keystone. This +can lead to unusual errors and behaviors from Keystone. .. note:: @@ -94,6 +96,10 @@ Configure each protected path to use the ``openid-connect`` AuthType: .. code-block:: apache + + Require valid-user + AuthType openid-connect + Require valid-user AuthType openid-connect
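Review bot: In the first hunk (@@ -63,7 +63,7 @@), the example ``OIDCRedirectURI`` moves to ``https://sp.keystone.example.org/v3/redirect_uri``, but nothing tells operators who configured from the old text what else has to change. An OpenID Connect provider only redirects to a URI registered for the client, so a deployment that updates this option without updating the registration at the Identity Provider will fail at login. Suggest adding one sentence near the options list saying the value must match a redirect URI registered with the Identity Provider for this ``OIDCClientID``.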
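Review bot: In the second hunk (@@ -77,7 +77,9 @@), the retained wording "such as an extension of the protected federated auth path" no longer agrees with the example, since ``/v3/redirect_uri`` is not under the federated auth path; reword the example phrase or drop it so the paragraph and the options block say the same thing. The added sentence also uses "should not" directly after a "must" requirement. Because the stated consequence is that mod_auth_openidc answers the request instead of Keystone, "must not match any Keystone API endpoint" is the accurate strength. "Unusual errors and behaviors" is too vague to help someone debugging this; say concretely that requests to that endpoint are handled by mod_auth_openidc and never reach Keystone.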
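Review bot: In the third hunk (@@ -94,6 +96,10 @@), a second ``Require valid-user`` / ``AuthType openid-connect`` block is added ahead of the existing one, but the lead-in "Configure each protected path to use the ``openid-connect`` AuthType:" is unchanged and no prose says which path the new block covers or why it is needed. If it is meant to protect the ``OIDCRedirectURI`` path, add a sentence stating that the path in this block must be the same path configured in ``OIDCRedirectURI``, so that readers who pick a different vanity URL change both places.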