From 94fbafd684b04d28a601419cfe10d1e1fbe8b0b1 Mon Sep 17 00:00:00 2001
From: Oskari Lemmela
Date: Thu, 28 Oct 2021 10:42:37 +0300
Subject: [PATCH] OIDC: Add support for setting OIDCResponseMode

Default response modes fragment or query are using URL encoding which limits maximum token size. Response mode form_post does not have limits for token size. This change allows to define response mode.

Signed-off-by: Oskari Lemmela
Change-Id: I1855b83ceb377e8c97c351a0434e2ab994fb0bdc
---
 manifests/federation/openidc.pp | 6 ++++++
 .../openidc_response_mode-f5a2ddf95bd4b752.yaml | 6 ++++++
 spec/classes/keystone_federation_openidc_spec.rb | 13 +++++++++++++
 templates/openidc.conf.erb | 3 +++
 4 files changed, 28 insertions(+)
 create mode 100644 releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml

diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index a69e10031..87ac32bff 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -38,6 +38,11 @@
 # (Optional) String value.
 # Defaults to 'id_token'
 #
+# [*openidc_response_mode*]
+# (Optional) mod_auth_openidc response mode. Can be any response type
+# supported by mod_auth_openidc (fragment, query, form_post).
+# Defaults to undef
+#
 # [*openidc_cache_type*]
 # (Optional) mod_auth_openidc cache type. Can be any cache type
 # supported by mod_auth_openidc (shm, file, memcache, redis).
@@ -137,6 +142,7 @@ class keystone::federation::openidc (
 $openidc_client_secret,
 $openidc_crypto_passphrase = 'openstack',
 $openidc_response_type = 'id_token',
+ $openidc_response_mode = undef,
 $openidc_cache_type = undef,
 $openidc_cache_shm_max = undef,
 $openidc_cache_shm_entry_size = undef,
diff --git a/releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml b/releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml
new file mode 100644
index 000000000..bf92069cd
--- /dev/null
+++ b/releasenotes/notes/openidc_response_mode-f5a2ddf95bd4b752.yaml
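Review bot: The added parameter comment calls the accepted values "any response type", but the parameter feeds OIDCResponseMode, so it should say response mode and tell operators when they would change it; suggested wording: `# (Optional) mod_auth_openidc response mode. Can be any response mode` / `# supported by mod_auth_openidc (fragment, query, form_post). form_post` / `# avoids the URL-length limit that fragment and query impose on large tokens.` With the default of undef the directive is not rendered at all (the template only emits it when the value is non-nil), so mod_auth_openidc picks the mode itself; presumably that choice depends on openidc_response_type, which is worth stating here once confirmed. The parameter documentation block continues outside this hunk.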
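Review bot: The added `$openidc_response_mode = undef,` is untyped, so a misspelled mode (say `formpost`) or a value carrying a double quote passes catalog compilation and only fails, or breaks out of the quoted directive, once the rendered openidc.conf reaches Apache. If the module accepts Puppet data types on class parameters (the neighbouring parameters in this hunk are untyped, so this may be a deliberate module convention), `Optional[Enum['fragment', 'query', 'form_post']] $openidc_response_mode = undef,` rejects bad input at compile time and documents the contract in the signature; otherwise a fail() guard in the class body against the same three values would do. The class keystone::federation::openidc begins before this hunk and its body continues after it.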
@@ -0,0 +1,6 @@
+---
+features:
+ - |
+ The ``keystone::federation::ipenidc`` class now supports the new
+ ``openidc_response_mode`` parameter, to customize mod_auth_openidc response
+ mode.
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb
index 927bc8a3b..ee1260d5d 100644
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@@ -202,5 +202,18 @@ describe 'keystone::federation::openidc' do
 expect(content).to match('OIDCPassClaimsAs "both"')
 end
 end
+
+ context 'with openidc_response_mode attribute' do
+ before do
+ params.merge!({
+ :openidc_response_mode => 'form_post',
+ })
+ end
+
+ it 'should contain OIDC response mode' do
+ content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCResponseMode "form_post"')
+ end
+ end
 end
 end
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index 63ebc516d..b91158300 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@@ -7,6 +7,9 @@
 OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
 OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
+<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
+ OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
+<%- end -%>
 <%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
 OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
 <%- end -%>
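Review bot: The new context checks only that the directive appears when the parameter is set; nothing asserts that `OIDCResponseMode` stays absent with the default params, which is the path every existing deployment takes after this change, so a broken nil guard in the template would go unnoticed (unless an example earlier in this file already pins the default output). A companion example under the default params, `expect(content).not_to match('OIDCResponseMode')`, would close that gap. The enclosing describe block starts before this hunk.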
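Review bot: The value on the added OIDCResponseMode line is written into a double-quoted httpd directive straight from the class parameter, with no check in the template that it is one of fragment, query or form_post, so whatever the manifest lets through lands verbatim in the Apache config, quotes included. As far as I know mod_auth_openidc refuses an unrecognised mode at startup, which turns a typo into a failed Apache restart rather than a silent fallback, so constraining the parameter to the three known values belongs in the manifest rather than here. A one-line comment above the directive would also save operators a debugging round, e.g. `# form_post returns the token in a cross-site POST to the redirect URI; confirm the state cookie's SameSite setting still lets it be sent on that request.`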