OIDC: Add support for setting OIDCResponseMode

Default response modes fragment or query are using URL encoding which
limits maximum token size. Response mode form_post does not have limits
for token size.

This change allows the response mode to be defined.

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
Change-Id: I1855b83ceb377e8c97c351a0434e2ab994fb0bdc
(cherry picked from commit 94fbafd684)
(cherry picked from commit 2b391b409d)
(cherry picked from commit 724e5910be)
(cherry picked from commit 82f37cfdc7)
(cherry picked from commit f6cb44ad66)
Oskari Lemmela 2021-10-28 10:42:37 +03:00 committed by Takashi Kajinami
parent 118401484b
commit 337022a86c
4 changed files with 28 additions and 0 deletions

@ -38,6 +38,11 @@
# (Optional) String value.
# Defaults to 'id_token'
#
# [*openidc_response_mode*]
# (Optional) mod_auth_openidc response mode. Can be any response type
# supported by mod_auth_openidc (fragment, query, form_post).
# Defaults to undef
#
# [*openidc_cache_type*]
# (Optional) mod_auth_openidc cache type. Can be any cache type
# supported by mod_auth_openidc (shm, file, memcache, redis).
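Review bot: The description of openidc_response_mode says "Can be any response type supported by mod_auth_openidc", which looks copied from the openidc_response_type entry just above it. It should read "response mode", since the values listed (fragment, query, form_post) are response modes and the two parameters are easy to confuse. It would also help to state here what happens when the value is left at undef, namely that no OIDCResponseMode directive is written and the module's own default applies.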
@ -137,6 +142,7 @@ class keystone::federation::openidc (
$openidc_client_secret,
$openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$openidc_response_mode = undef,
$openidc_cache_type = undef,
$openidc_cache_shm_max = undef,
$openidc_cache_shm_entry_size = undef,
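Review bot: The new $openidc_response_mode parameter is accepted without any validation, although the documentation lists exactly three allowed values. Whatever string is passed ends up inside a quoted Apache directive, so a typo or a value containing a quote only surfaces when httpd parses the generated file. Consider constraining it in the class, for example with an Optional[Enum['fragment', 'query', 'form_post']] data type, so that a bad value fails at catalog compilation.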

@ -0,0 +1,6 @@
---
features:
- |
The ``keystone::federation::ipenidc`` class now supports the new
``openidc_response_mode`` parameter, to customize mod_auth_openidc response
mode.
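Review bot: The class name in the release note is misspelled as ``keystone::federation::ipenidc``; it should be ``keystone::federation::openidc``. Anyone searching the release notes for the class name will not find this entry as written.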

@ -204,5 +204,18 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCPassClaimsAs "both"')
end
end
context 'with openidc_response_mode attribute' do
before do
params.merge!({
:openidc_response_mode => 'form_post',
})
end
it 'should contain OIDC response mode' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCResponseMode "form_post"')
end
end
end
end
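Review bot: The new context only covers the case where openidc_response_mode is set to 'form_post'; there is no assertion for the default. Since the parameter defaults to undef and the template is meant to omit the directive in that case, add an expectation in the default-parameters context that the content does not match 'OIDCResponseMode', so a regression that emits an empty or unexpected directive is caught.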

@ -7,6 +7,9 @@
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%>
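Review bot: The guard on the OIDCResponseMode line only tests for != nil, so an empty string passed as openidc_response_mode would render OIDCResponseMode "" into the vhost configuration. The value is also interpolated between double quotes without escaping. Either validate the value in the class so only fragment, query or form_post can reach the template, or extend the condition to skip empty values. As a smaller style point, the new lines look the parameter up as scope['::keystone::...'] while the OIDCClientSecret and OIDCCryptoPassphrase lines directly above use scope['keystone::...']; picking one form would keep the template consistent.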