diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index b623bf343..87f2dfede 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -49,13 +49,19 @@
# with a minimum of 8464 bytes. Defaults to undef.
#
# [*openidc_cache_dir*]
-# (Optional) # Directory that holds cache files; must be writable
+# (Optional) Directory that holds cache files; must be writable
# for the Apache process/user. Defaults to undef.
#
# [*openidc_cache_clean_interval*]
-# (Optional) # Cache file clean interval in seconds (only triggered
+# (Optional) Cache file clean interval in seconds (only triggered
# on writes). Defaults to undef.
#
+# [*openidc_enable_oauth*]
+# (Optional) Set to true to enable oauthsupport.
+#
+# [*openidc_introspection_endpoint*]
+# (Required if oauth is enabled) Oauth introspection endpoint url.
+#
# [*memcached_servers*]
# (Optional) A list of memcache servers. Defaults to undef.
#
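Review bot: The two new parameter docs are less precise than their neighbours: `openidc_enable_oauth` has a typo ("oauthsupport") and neither entry states its default, although every other entry in this header does. I would write `# (Optional) Set to true to enable OAuth 2.0 (AuthType oauth20) support. Defaults to false.` and, for the endpoint, `# (Required if oauth is enabled) OAuth 2.0 token introspection endpoint URL. The client id and secret above are presumably sent to it, so use an https URL. Defaults to undef.` The "presumably" reflects that the hunk itself does not show how the endpoint is used; if the maintainer confirms the introspection call carries the client credentials, the comment can state it plainly.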
@@ -108,23 +114,25 @@ class keystone::federation::openidc (
$openidc_provider_metadata_url,
$openidc_client_id,
$openidc_client_secret,
- $openidc_crypto_passphrase = 'openstack',
- $openidc_response_type = 'id_token',
- $openidc_cache_type = undef,
- $openidc_cache_shm_max = undef,
- $openidc_cache_shm_entry_size = undef,
- $openidc_cache_dir = undef,
- $openidc_cache_clean_interval = undef,
- $memcached_servers = undef,
- $redis_server = undef,
- $redis_password = undef,
- $remote_id_attribute = undef,
- $template_order = 331,
- $package_ensure = present,
- $keystone_url = undef,
+ $openidc_crypto_passphrase = 'openstack',
+ $openidc_response_type = 'id_token',
+ $openidc_cache_type = undef,
+ $openidc_cache_shm_max = undef,
+ $openidc_cache_shm_entry_size = undef,
+ $openidc_cache_dir = undef,
+ $openidc_cache_clean_interval = undef,
+ $openidc_enable_oauth = false,
+ $openidc_introspection_endpoint = undef,
+ $memcached_servers = undef,
+ $redis_server = undef,
+ $redis_password = undef,
+ $remote_id_attribute = undef,
+ $template_order = 331,
+ $package_ensure = present,
+ $keystone_url = undef,
# DEPRECATED
- $admin_port = undef,
- $main_port = undef,
+ $admin_port = undef,
+ $main_port = undef,
) {
include ::apache
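Review bot: `$openidc_enable_oauth = false` on the new parameter line is untyped, so a string such as `'false'` coming from Hiera is truthy in Puppet 4+ and would silently turn the OAuth block on; the rest of the list is untyped too, so this may be module convention, but a boolean switch is exactly where that gap bites. Either declare it `Boolean $openidc_enable_oauth = false,` or add `validate_bool($openidc_enable_oauth)` next to the other checks in the class body. `$openidc_introspection_endpoint = undef` would similarly benefit from `Optional[String]`, since the template interpolates it into a quoted Apache directive. The class body continues outside the hunk.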
@@ -144,6 +152,10 @@ class keystone::federation::openidc (
warning('keystone::federation::openidc::admin_port and main_port are deprecated and have no effect')
}
+ if $openidc_enable_oauth and !$openidc_introspection_endpoint {
+ fail('You must set openidc_introspection_endpoint when enabling oauth support')
+ }
+
$memcached_servers_real = join(any2array($memcached_servers), ' ')
# Note: if puppet-apache modify these values, this needs to be updated
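Review bot: The added guard only checks that `openidc_introspection_endpoint` is set; it accepts any string, including an empty one (truthy in Puppet 4+) or a plain `http://` URL, and the template pairs this endpoint with `OIDCOAuthClientID`/`OIDCOAuthClientSecret`, so a cleartext URL presumably exposes the client credentials in transit on every introspection call. I would at least warn on a non-https value: `if $openidc_enable_oauth and $openidc_introspection_endpoint !~ /^https:\/\// { warning('openidc_introspection_endpoint should be an https URL; client credentials are sent to it') }` — `fail` would be stricter, but the accompanying spec uses `http://example.com`, so it would need updating. The class body starts and ends outside the hunk.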
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb
index 9195a03b1..dc3a127ca 100644
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@@ -48,6 +48,11 @@ describe 'keystone::federation::openidc' do
params.merge!(:template_port => 999)
it_raises 'a Puppet:Error', /The template order should be greater than 330 and less than 999./
end
+
+ before do
+ params.merge!(:openidc_enable_oauth => true)
+ it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
+ end
end
on_supported_os({
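Review bot: The new `it_raises` call sits inside a `before do … end` hook, where RSpec does not allow examples to be defined, so the `fail()` path added in the manifest is either never exercised or errors out when the hook runs; the hook also mutates the shared `params` hash for every later example in the enclosing group, whose opening line is outside the hunk. It should mirror the sibling pattern above it: a dedicated context whose hook sets `openidc_enable_oauth` and whose example is declared at group level.
```ruby
context 'with oauth enabled but no introspection endpoint' do
  before do
    params.merge!(:openidc_enable_oauth => true)
  end

  it_raises 'a Puppet:Error', /You must set openidc_introspection_endpoint when enabling oauth support/
end
```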
@@ -87,7 +92,23 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
expect(content).to match('OIDCClientID "openid_client_id"')
expect(content).to match('OIDCClientSecret "openid_client_secret"')
- expect(content).to match('OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
+ end
+ end
+
+ context 'with oauth enabled' do
+ before do
+ params.merge!({
+ :openidc_enable_oauth => true,
+ :openidc_introspection_endpoint => 'http://example.com',
+ })
+ end
+
+ it 'should contain oauth config' do
+ content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCOAuthClientID "openid_client_id"')
+ expect(content).to match('OIDCOAuthClientSecret "openid_client_secret"')
+ expect(content).to match('OIDCOAuthIntrospectionEndpoint "http://example.com"')
+ expect(content).to match('/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth')
end
end
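Review bot: The new oauth context checks the three `OIDCOAuth*` directives and the `/auth` path, but never asserts the `AuthType oauth20` Location that the template now emits only under the flag, and the default case loses its `/auth` assertion without gaining a negative one, so a template regression that renders the OAuth block unconditionally would still pass. I would add `expect(content).to match('AuthType oauth20')` to the oauth example and `expect(content).not_to match('OIDCOAuthIntrospectionEndpoint')` to the default example (its `it` block starts outside the hunk). Using `https://example.com` in the fixture would also keep the test aligned with how the endpoint should be configured in practice.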
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index 0c050e1d9..39b957ed3 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@@ -32,13 +32,6 @@
OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %>
<%- end -%>
- # The following directives are required to support openidc from the command
- # line
- /protocols/openid/auth">
- AuthType oauth20
- Require valid-user
-
-
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "<%= @keystone_url_real -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
@@ -53,3 +46,14 @@
AuthType "openid-connect"
Require valid-user
+
+<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
+ OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
+ OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
+ OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
+
+ /protocols/openid/auth">
+ AuthType oauth20
+ Require valid-user
+
+<%- end -%>
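Review bot: The new conditional block drops the explanatory comment the removed Location block carried, so a reader no longer learns why a second `AuthType oauth20` Location exists alongside the `openid-connect` one, nor that the client secret is rendered a second time here. I would put a comment above the `<%- if … -%>` line such as `# OAuth 2.0 bearer-token (AuthType oauth20) support for non-browser clients: access tokens are validated against the introspection endpoint below, which is also handed the client credentials, so it must be an https URL.` That the introspection call carries the client id/secret is my reading of the adjacent directives rather than something the hunk shows, so confirm it against the mod_auth_openidc configuration before wording the comment as fact.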