# DO NOT USE THIS IN PRODUCTION ENVIRONMENTS!
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCCookieSameSite On

OIDCClaimPrefix "OIDC-"
OIDCClaimDelimiter ";"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "%OIDC_METADATA_URL%"
OIDCClientID "%OIDC_CLIENT_ID%"
OIDCClientSecret "%OIDC_CLIENT_SECRET%"
OIDCPKCEMethod "S256"
OIDCCryptoPassphrase "openstack"

OIDCRedirectURI "https://%HOST_IP%/identity/v3/redirect_uri"

<Location "/v3/redirect_uri">
   Require valid-user
   AuthType openid-connect
</Location>

<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
    AuthType "openid-connect"
    Require valid-user
    LogLevel debug
</LocationMatch>

<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/websso">
    AuthType "openid-connect"
    Require valid-user
    LogLevel debug
</LocationMatch>

<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/auth">
    AuthType "openid-connect"
    Require valid-user
    LogLevel debug
</LocationMatch>

<Location ~ "/v3/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/auth">
    AuthType oauth20
    Require valid-user
</Location>

OIDCOAuthClientID "%OIDC_CLIENT_ID%"
OIDCOAuthClientSecret "%OIDC_CLIENT_SECRET%"
OIDCOAuthIntrospectionEndpoint "%OIDC_INTROSPECTION_URL%"

# Horizon favors the referrer to the Keystone URL that is set.
# https://github.com/openstack/horizon/blob/5e4ca1a9fdec04db08552e9e93fe372b8b8b45ae/openstack_auth/views.py#L192
Header always set Referrer-Policy "no-referrer"