openstack/openstack-ansible-os_keystone
Code Issues Proposed changes

add oauth support

Browse Source 
Some OIDCOAuth* variables were needed to allow CLI access via `--os-auth-type v3oidcaccesstoken`.

See https://docs.egi.eu/providers/cloud-compute/openstack/aai/#cli-access and https://docs.egi.eu/providers/cloud-compute/openstack/aai/#apache-configuration

Change-Id: I693684e4dc85c096f46a3385d70202c39d379d25
This commit is contained in:
Marcus Bahn 2022-03-10 11:01:42 +01:00
parent ba9d685380
commit dc62f04827
2 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
defaults/main.yml
View File

@ -446,6 +446,9 @@ keystone_sp: {}
# oidc_client_secret: secret # oidc_client_secret: secret
# oidc_crypto_passphrase: random string # oidc_crypto_passphrase: random string
# oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth # oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
# oidc_oauth_introspection_endpoint: endpoint address (optional)
# oidc_oauth_client_id: string (optional)
# oidc_oauth_client_secret: secret (optional)
# oidc_outgoing_proxy: "proxy address" (optional setting) # oidc_outgoing_proxy: "proxy address" (optional setting)
# oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one (optional) # oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one (optional)
# oidc_state_max_number_of_cookies: 5 false (optional) # oidc_state_max_number_of_cookies: 5 false (optional)

9
templates/keystone-httpd.conf.j2
View File

@ -59,6 +59,15 @@ Listen {{ keystone_web_server_bind_address }}:{{ keystone_service_port }}
{% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined -%} {% if keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy is defined -%}
OIDCOutgoingProxy {{ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy }} OIDCOutgoingProxy {{ keystone_sp.trusted_idp_list.0.oidc_outgoing_proxy }}
{% endif -%} {% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint is defined -%}
OIDCOAuthIntrospectionEndpoint {{ keystone_sp.trusted_idp_list.0.oidc_oauth_introspection_endpoint }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_id is defined -%}
OIDCOAuthClientID {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_id }}
{% endif -%}
{% if keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret is defined -%}
OIDCOAuthClientSecret {{ keystone_sp.trusted_idp_list.0.oidc_oauth_client_secret }}
{% endif -%}
{% if keystone_cache_servers | length > 0 -%} {% if keystone_cache_servers | length > 0 -%}
OIDCCacheType memcache OIDCCacheType memcache
OIDCMemCacheServers "{{ keystone_cache_servers | join(' ') }}" OIDCMemCacheServers "{{ keystone_cache_servers | join(' ') }}"