From 723cc8694dd87d1ed4d06db35346cdc49d9cfacc Mon Sep 17 00:00:00 2001 From: Takashi Kajinami Date: Tue, 10 Sep 2024 13:39:46 +0900 Subject: [PATCH] Fix default OIDCRedirectURI hiding keystone federation auth endpoint This updates the default OIDCRedirectURI according to the change made in the example file in keystone repo[1]. [1] https://review.opendev.org/925553 Conflicts: spec/classes/keystone_federation_openidc_spec.rb Closes-Bug: #2075349 Change-Id: Ia0f3cbb842a4c01e6a3ca44ca66dc9a8a731720c (cherry picked from commit fdf2a2b31a6de76973a35a2494455ef176eee936) --- spec/classes/keystone_federation_openidc_spec.rb | 2 +- templates/openidc.conf.erb | 7 ++++++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb index 5b991f8aa..98edaf3a6 100644 --- a/spec/classes/keystone_federation_openidc_spec.rb +++ b/spec/classes/keystone_federation_openidc_spec.rb @@ -79,7 +79,7 @@ describe 'keystone::federation::openidc' do expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"') expect(content).to match('OIDCClientID "openid_client_id"') expect(content).to match('OIDCClientSecret "openid_client_secret"') - expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth"') + expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/redirect_uri"') end end diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb index f51077118..558e5023b 100644 --- a/templates/openidc.conf.erb +++ b/templates/openidc.conf.erb 
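Review bot: The updated expectation only tracks the new default `OIDCRedirectURI`; nothing in this visible hunk asserts that the protected callback block added to the template in the same commit (`AuthType "openid-connect"` / `Require valid-user`) is actually rendered, so a later regression that drops it would still pass here. Unless another example in this spec already covers it, add alongside the existing matches something like `expect(content).to match('AuthType "openid-connect"')` and `expect(content).to match('Require valid-user')`. It would also be worth an example with `openidc_redirect_uri` set explicitly, to pin that the override branch still wins over the new default. The enclosing `it` block starts before and ends after the lines shown in the hunk.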
@@ -58,7 +58,7 @@ <%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%> OIDCRedirectURI "<%= scope['::keystone::federation::openidc::openidc_redirect_uri'] %>" <% else %> - OIDCRedirectURI "<%= @keystone_url -%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth" + OIDCRedirectURI "<%= @keystone_url -%>/v3/redirect_uri" <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%> @@ -81,6 +81,11 @@ <%- end -%> + + AuthType "openid-connect" + Require valid-user + + # The following directives are necessary to support websso from Horizon # (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)
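Review bot: The new default callback is `@keystone_url` plus a fixed `/v3/redirect_uri`, which is only usable when that string is byte-identical to the redirect URI registered at the IdP and reachable by the end-user browser; the spec's expected `http://localhost:5000/v3/redirect_uri` shows how easily the default becomes a plain-http, non-public URL that a provider will reject with a redirect_uri mismatch, and that mod_auth_openidc itself may refuse when the request arrives over https through a TLS-terminating proxy. Deployments that relied on the old default and registered the `…/protocols/openid/auth` callback with their provider will break on upgrade until they re-register the new path or set `openidc_redirect_uri` explicitly, which deserves a release note and a template comment above the `else` branch such as `# Must match the redirect URI registered at the IdP and be reachable by the browser (https in production); set openidc_redirect_uri behind proxies.` The `AuthType`/`Require valid-user` lines in the second hunk appear to sit inside a container directive that this rendering has dropped, presumably the `<Location>` block for `/v3/redirect_uri` from the keystone example config referenced in the commit message. If that container is scoped to the fixed default path, an operator who overrides `openidc_redirect_uri` with a different path ends up with a callback that lies outside the protected location and is never processed by the module; either derive the protected path from the same value used for `OIDCRedirectURI` (e.g. compute one `redirect_uri` variable at the top of the template and reuse its path), or document that overrides must keep the `/v3/redirect_uri` path.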