Merge "keystone: Add support for OIDC options"

ansible/roles/keystone/defaults/main.yml

@@ -225,6 +225,7 @@ keystone_host_federation_oidc_metadata_folder: "{{ node_config_directory }}/keys
 keystone_host_federation_oidc_idp_certificate_folder: "{{ node_config_directory }}/keystone/federation/oidc/cert"
 keystone_host_federation_oidc_attribute_mappings_folder: "{{ node_config_directory }}/keystone/federation/oidc/attribute_maps"
 keystone_federation_oidc_jwks_uri: ""
+keystone_federation_oidc_additional_options: {}
 
 # These variables are used to define multiple trusted Horizon dashboards.
 # keystone_trusted_dashboards: ['<https://dashboardServerOne/auth/websso/>', '<https://dashboardServerTwo/auth/websso/>', '<https://dashboardServerN/auth/websso/>']

ansible/roles/keystone/templates/wsgi-keystone.conf.j2

@@ -75,6 +75,9 @@ LogLevel info
     OIDCCacheType memcache
     OIDCMemCacheServers "{% for host in groups['memcached'] %}{{ 'api' | kolla_address(host) | put_address_in_context('memcache') }}:{{ memcached_port }}{% if not loop.last %} {% endif %}{% endfor %}"
 {% endif %}
+{% for key, value in keystone_federation_oidc_additional_options.items() %}
+    {{ key }} {{ value }}
+{% endfor %}
 
     <Location ~ "/redirect_uri">
       Require valid-user

doc/source/reference/shared-services/keystone-guide.rst

@@ -96,6 +96,14 @@ used by OpenStack command line client. Example config shown below:
 
     keystone_federation_oidc_jwks_uri: "https://<AUTH PROVIDER>/<ID>/discovery/v2.0/keys"
 
+Some identity providers need additional mod_auth_openidc config.
+Example for Keycloak shown below:
+
+.. code-block:: yaml
+
+    keystone_federation_oidc_additional_options:
+      OIDCTokenBindingPolicy: disabled
+
 Identity providers configurations
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

releasenotes/notes/keystone-oidc-options-ce8744cc8ce6aa9b.yaml

@@ -0,0 +1,5 @@
+---
+features:
+  - |
+    Adds ``keystone_federation_oidc_additional_options`` that allows to pass
+    additional OIDC options.