openstack/keystone
Code Issues Proposed changes
Files
aa0cdc539758bc22e7fa6021435cf8cac2020ea2
keystone/devstack/files/oidc/apache_oidc.conf
Takashi Kajinami c450599cbd Update mod_openidc config for devstack 
Use a vanity URL for redirect uri so that it does not conflict with
existing keystone endpoint. The documentation was updated recently[1]
but the actual configuration used in devstack setup was still kept old
at that time.

[1] 7ac0c3cd33

Related-Bug: #2075349
Change-Id: I8d06f3c388260f356c7a1da0212bb3b399f3a848
2024-09-10 13:46:57 +09:00

52 lines
1.5 KiB
Plaintext
Raw Blame History

# DO NOT USE THIS IN PRODUCTION ENVIRONMENTS!
OIDCSSLValidateServer Off
OIDCOAuthSSLValidateServer Off
OIDCCookieSameSite On
OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "%OIDC_METADATA_URL%"
OIDCClientID "%OIDC_CLIENT_ID%"
OIDCClientSecret "%OIDC_CLIENT_SECRET%"
OIDCPKCEMethod "S256"
OIDCCryptoPassphrase "openstack"
OIDCRedirectURI "https://%HOST_IP%/identity/v3/redirect_uri"
<Location "/v3/redirect_uri">
Require valid-user
AuthType openid-connect
</Location>
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
LogLevel debug
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
LogLevel debug
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/auth">
AuthType "openid-connect"
Require valid-user
LogLevel debug
</LocationMatch>
<Location ~ "/v3/OS-FEDERATION/identity_providers/%IDP_ID%/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
OIDCOAuthClientID "%OIDC_CLIENT_ID%"
OIDCOAuthClientSecret "%OIDC_CLIENT_SECRET%"
OIDCOAuthIntrospectionEndpoint "%OIDC_INTROSPECTION_URL%"
# Horizon favors the referrer to the Keystone URL that is set.
# https://github.com/openstack/horizon/blob/5e4ca1a9fdec04db08552e9e93fe372b8b8b45ae/openstack_auth/views.py#L192
Header always set Referrer-Policy "no-referrer"
View Git Blame Copy Permalink