
OIDC: Add support for setting OIDCResponseMode

The default response modes, fragment or query, use URL encoding, which
limits the maximum token size. The form_post response mode does not limit
token size.

This change allows defining the response mode.

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
Change-Id: I1855b83ceb377e8c97c351a0434e2ab994fb0bdc
(cherry picked from commit 94fbafd684)
changes/63/818163/1
Oskari Lemmela 8 months ago committed by Takashi Kajinami
parent
commit
2b391b409d
  1. 6
      manifests/federation/openidc.pp
  2. 6
      releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml
  3. 13
      spec/classes/keystone_federation_openidc_spec.rb
  4. 3
      templates/openidc.conf.erb

6
manifests/federation/openidc.pp

@ -38,6 +38,11 @@
# (Optional) String value.
# Defaults to 'id_token'
#
# [*openidc_response_mode*]
# (Optional) mod_auth_openidc response mode. Can be any response type
# supported by mod_auth_openidc (fragment, query, form_post).
# Defaults to undef
#
# [*openidc_cache_type*]
# (Optional) mod_auth_openidc cache type. Can be any cache type
# supported by mod_auth_openidc (shm, file, memcache, redis).
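Review bot: the new openidc_response_mode description says "Can be any response type supported by mod_auth_openidc", but the values listed (fragment, query, form_post) are response modes, and openidc_response_type is a separate parameter documented just above. Change "response type" to "response mode", and consider stating that the undef default leaves the OIDCResponseMode directive out of the generated configuration, so that mod_auth_openidc's own default applies.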
@ -137,6 +142,7 @@ class keystone::federation::openidc (
$openidc_client_secret,
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$openidc_response_mode = undef,
$openidc_cache_type = undef,
$openidc_cache_shm_max = undef,
$openidc_cache_shm_entry_size = undef,
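Review bot: the added `$openidc_response_mode = undef,` parameter has no data type, so any value is accepted and passed on to the template. The documentation in this file names exactly three values, so a declaration such as `Optional[Enum['fragment', 'query', 'form_post']] $openidc_response_mode = undef,` would reject typos at catalog compilation instead of at Apache start-up. If the surrounding parameters are deliberately left untyped for this branch, an explicit validation in the class body would serve the same purpose.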

6
releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml

@ -0,0 +1,6 @@
---
features:
- |
The ``keystone::federation::ipenidc`` class now supports the new
``openidc_response_mode`` parameter, to customize mod_auth_openidc response
mode.
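Review bot: the class name in the release note is misspelled as ``keystone::federation::ipenidc``; it should read ``keystone::federation::openidc``, which is the class the manifest and spec in this change use.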

13
spec/classes/keystone_federation_openidc_spec.rb

@ -202,5 +202,18 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCPassClaimsAs "both"')
end
end
context 'with openidc_response_mode attribute' do
before do
params.merge!({
:openidc_response_mode => 'form_post',
})
end
it 'should contain OIDC response mode' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCResponseMode "form_post"')
end
end
end
end
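Review bot: the new context only covers the case where openidc_response_mode is set to 'form_post'; nothing asserts that the directive is absent when the parameter is left at its undef default. Add a check in the default-parameters context along the lines of `expect(content).not_to match('OIDCResponseMode')` so that a regression in the template guard is caught.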

3
templates/openidc.conf.erb

@ -7,6 +7,9 @@
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%>
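Review bot: the guard `!= nil` on the new block is also true for an empty string, in which case the template renders `OIDCResponseMode ""`. Either skip the block for empty values as well or constrain the parameter to the documented modes so that an empty or arbitrary string never reaches the quoted directive. As a style point, the lookup key here has a leading `::` like the OIDCCacheType block below, while the OIDCClientSecret and OIDCCryptoPassphrase lines above use `keystone::federation::openidc::...` without it.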
