Add Paramaters to httpd.conf template

Added the following parameters to the httpd.conf template to be used with mod_auth_openidc Apache mod. Params include: - OIDCStateMaxNumberOfCookies - this takes parameters in the form <number> <false|true> where number is the maximum number of state cookies stored in parallel for outstanding auth requests, and the boolean indicates whether cookies that are still valid over this amount are deleted - OIDCDefaultURL - Defines a default URL to be used in case of 3rd-party or OP initiated SSO when no explicit target_link_uri has been provided. The user is also sent to this URL is in case an invalid authorization response was received (ref: https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf) The reason these have been added is due to some stability issues that have been seen regarding cached session cookies that subsequently cause a "state mismatch" error. Being able to limit the number of active cookies appears to resolve this issue. Change-Id: Id2248e93f2636407396d4ac8fe29c8943e4a3a57
2020-06-17 16:01:28 +01:00 · 2020-06-17 16:01:28 +01:00 · eda646382a
parent 7199dcd543
commit eda646382a
2 changed files with 9 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -437,6 +437,9 @@ keystone_sp: {}
 #      oidc_crypto_passphrase: random string
 #      oidc_redirect_uri: https://keystone:5000/v3/OS-FEDERATION/identity_providers/keycloak-idp/protocols/openid/auth
 #      oidc_outgoing_proxy: "proxy address" (optional setting)
+#      oidc_auth_request_params: param=some+url+encoded+value&param2=and+another+one (optional)
+#      oidc_state_max_number_of_cookies: 5 false (optional)
+#      oidc_default_url: https://example.com/callback (optional)
 #      entity_ids:
 #        - 'https://identity-provider/openid-endpoint/'
 #      federated_identities:
--- a/templates/keystone-httpd.conf.j2
+++ b/templates/keystone-httpd.conf.j2
@ -56,6 +56,12 @@ Listen {{ keystone_service_port }}
    {% if keystone_sp.trusted_idp_list.0.oidc_auth_request_params is defined -%}
    OIDCAuthRequestParams {{ keystone_sp.trusted_idp_list.0.oidc_auth_request_params }}
    {% endif %}
+    {% if keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies is defined -%}
+    OIDCStateMaxNumberOfCookies {{ keystone_sp.trusted_idp_list.0.oidc_state_max_number_of_cookies }}
+    {% endif %}
+    {% if keystone_sp.trusted_idp_list.0.oidc_default_url is defined -%}
+    OIDCDefaultURL {{ keystone_sp.trusted_idp_list.0.oidc_default_url }}
+    {% endif %}

    <Location /v3/OS-FEDERATION/identity_providers/{{ keystone_sp.trusted_idp_list.0.name }}/protocols/openid/auth>
      Require valid-user