OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

3.2 KiB

Setup OpenID Connect

Configuring mod_auth_openidc

Federate Keystone (SP) and an external IdP using OpenID Connect (mod_auth_openidc)

To install mod_auth_openidc on Ubuntu, perform the following:

sudo apt-get install libapache2-mod-auth-openidc

This module is available for other distributions (Fedora/CentOS/Red Hat) from:

In the keystone Apache site file, add the following as a top level option, to load the mod_auth_openidc module:

LoadModule auth_openidc_module /usr/lib/apache2/modules/

Also within the same file, locate the virtual host entry and add the following entries for OpenID Connect:

<VirtualHost *:5000>


    OIDCClaimPrefix "OIDC-"
    OIDCResponseType "id_token"
    OIDCScope "openid email profile"
    OIDCProviderMetadataURL <url_of_provider_metadata>
    OIDCClientID <openid_client_id>
    OIDCClientSecret <openid_client_secret>
    OIDCCryptoPassphrase openstack
    OIDCRedirectURI http://localhost:5000/v3/OS-FEDERATION/identity_providers/<idp_id>/protocols/oidc/auth/redirect

    <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/oidc/auth>
      AuthType openid-connect
      Require valid-user
      LogLevel debug

Note an example of an OIDCProviderMetadataURL instance is: If not using OIDCProviderMetadataURL, then the following attributes must be specified: OIDCProviderIssuer, OIDCProviderAuthorizationEndpoint, OIDCProviderTokenEndpoint, OIDCProviderTokenEndpointAuth, OIDCProviderUserInfoEndpoint, and OIDCProviderJwksUri

Note, if using a mod_wsgi version less than 4.3.0, then the OIDCClaimPrefix must be specified to have only alphanumerics or a dash ("-"). This is because mod_wsgi blocks headers that do not fit this criteria. See for more details

Once you are done, restart your Apache daemon:

$ service apache2 restart


  1. When creating a mapping, note that the 'remote' attributes will be prefixed, with HTTP_, so for instance, if you set OIDCClaimPrefix to OIDC-, then a typical remote value to check for is: HTTP_OIDC_ISS.
  2. Don't forget to add oidc as an [auth] plugin in keystone.conf, see Step 2