OIDC: Add support for setting OIDCResponseMode

Default response modes fragment or query are using URL encoding which limits maximum token size. Response mode form_post does not have limits for token size. This change allows to define response mode. Signed-off-by: Oskari Lemmela <oskari@lemmela.net> Change-Id: I1855b83ceb377e8c97c351a0434e2ab994fb0bdc
2021-10-28 10:42:37 +03:00 · 2021-10-28 10:42:37 +03:00 · 94fbafd684
commit 94fbafd684
parent da2ed9d5bb
4 changed files with 28 additions and 0 deletions
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@ -38,6 +38,11 @@
 #  (Optional) String value.
 #  Defaults to 'id_token'
 #
+# [*openidc_response_mode*]
+#  (Optional) mod_auth_openidc response mode. Can be any response type
+#  supported by mod_auth_openidc (fragment, query, form_post).
+#  Defaults to undef
+#
 # [*openidc_cache_type*]
 #  (Optional) mod_auth_openidc cache type.  Can be any cache type
 #  supported by mod_auth_openidc (shm, file, memcache, redis).
@ -137,6 +142,7 @@ class keystone::federation::openidc (
  $openidc_client_secret,
  $openidc_crypto_passphrase      = 'openstack',
  $openidc_response_type          = 'id_token',
+  $openidc_response_mode          = undef,
  $openidc_cache_type             = undef,
  $openidc_cache_shm_max          = undef,
  $openidc_cache_shm_entry_size   = undef,
--- a/releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml
+++ b/releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml
@ -0,0 +1,6 @@
+---
+features:
+  - |
+    The ``keystone::federation::ipenidc`` class now supports the new
+    ``openidc_response_mode`` parameter, to customize mod_auth_openidc response
+    mode.
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@ -202,5 +202,18 @@ describe 'keystone::federation::openidc' do
        expect(content).to match('OIDCPassClaimsAs "both"')
      end
    end
+
+    context 'with openidc_response_mode attribute' do
+      before do
+        params.merge!({
+          :openidc_response_mode => 'form_post',
+        })
+      end
+
+      it 'should contain OIDC response mode' do
+        content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCResponseMode "form_post"')
+      end
+    end
  end
 end
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@ -7,6 +7,9 @@
  OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
  OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"

+<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
+  OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
+<%- end -%>
 <%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
  OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
 <%- end -%>