From dc62f048278912801ca7d76a01c7db5419d354d3 Mon Sep 17 00:00:00 2001
From: Marcus Bahn
Date: Thu, 10 Mar 2022 11:01:42 +0100
Subject: [PATCH] add oauth support

Some OIDCOAuth* variables were needed to allow CLI access via `--os-auth-type v3oidcaccesstoken`. See https://docs.egi.eu/providers/cloud-compute/openstack/aai/#cli-access and https://docs.egi.eu/providers/cloud-compute/openstack/aai/#apache-configuration

Change-Id: I693684e4dc85c096f46a3385d70202c39d379d25
---
 defaults/main.yml | 3 +++
 templates/keystone-httpd.conf.j2 | 9 +++++++++
 2 files changed, 12 insertions(+)

diff --git a/defaults/main.yml b/defaults/main.yml
index 8f1662f1..481c9de5 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -446,6 +446,9 @@ keystone_sp: {}
 # oidc_client_secret: secret
 # oidc_crypto_passphrase: random string
 # oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
+# oidc_oauth_introspection_endpoint: endpoint address (optional)
+# oidc_oauth_client_id: string (optional)
+# oidc_oauth_client_secret: secret (optional)
 # oidc_outgoing_proxy: "proxy address" (optional setting)
 # oidc_auth_request_params: param=some+url+encoded+value¶m2=and+another+one (optional)
 # oidc_state_max_number_of_cookies: 5 false (optional)
diff --git a/templates/keystone-httpd.conf.j2 b/templates/keystone-httpd.conf.j2
index 59ad3343..b19b9844 100644
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
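Review bot: In the defaults/main.yml hunk the three new example keys are each marked `(optional)` on their own, but the introspection endpoint presumably only works together with the client id and secret that authenticate the introspection call, so the comment should describe them as a set; suggested wording: `# oidc_oauth_introspection_endpoint: endpoint address (optional; requires oidc_oauth_client_id and oidc_oauth_client_secret)`. The same per-key independence is mirrored in the templates/keystone-httpd.conf.j2 hunk, where each directive is guarded separately. Because `oidc_oauth_client_secret` is a credential that ends up verbatim in the rendered httpd config, the example line could also steer operators toward an encrypted variable source, e.g. `# oidc_oauth_client_secret: secret (optional; keep in ansible-vault, not in plain vars)`.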
@@ -59,6 +59,15 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
 {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined -%}
 OIDCOutgoingProxy {{ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy }}
 {% endif -%}
+ {% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined -%}
+ OIDCOAuthIntrospectionEndpoint {{ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint }}
+ {% endif -%}
+ {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined -%}
+ OIDCOAuthClientID {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id }}
+ {% endif -%}
+ {% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined -%}
+ OIDCOAuthClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}
+ {% endif -%}
 {% if keystone_cache_servers | length > 0 -%}
 OIDCCacheType memcache
 OIDCMemCacheServers "{{ keystone_cache_servers | join(' ') }}"
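Review bot: `OIDCOAuthClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}` is rendered unquoted, so a secret containing whitespace or a quote character would be split into extra arguments or rejected by the httpd config parser, silently changing the credential Apache presents to the introspection endpoint; the existing `OIDCMemCacheServers` line in this same hunk already double-quotes its value, and the three new directives should follow it, e.g. `OIDCOAuthClientSecret "{{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}"` (likewise for the endpoint and client id). The three `is defined` guards are also independent, so an endpoint without credentials, or credentials without an endpoint, presumably leaves token introspection half-configured and only surfaces at request time rather than at deploy; guarding all three on `oidc_oauth_introspection_endpoint is defined` and rendering the id and secret through `| mandatory` would make the play fail early instead. The enclosing configuration block in the template starts and ends outside this hunk, so I cannot see whether the rendered file's permissions keep the secret readable only by the httpd user; worth confirming in the task that writes it.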