OIDC: Add support for setting OIDCResponseMode

Default response modes fragment or query are using URL encoding which
limits maximum token size. Response mode form_post does not have limits
for token size.

This change allows the response mode to be defined.

Signed-off-by: Oskari Lemmela <oskari@lemmela.net>
Change-Id: I1855b83ceb377e8c97c351a0434e2ab994fb0bdc
This commit is contained in:
Oskari Lemmela 2021-10-28 10:42:37 +03:00 committed by Takashi Kajinami
parent da2ed9d5bb
commit 94fbafd684
4 changed files with 28 additions and 0 deletions


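--- a/<manifest path not shown on page>
+++ b/<manifest path not shown on page>
@@ -38,6 +38,11 @@
 # (Optional) String value.
 # Defaults to 'id_token'
 #
+# [*openidc_response_mode*]
+# (Optional) mod_auth_openidc response mode. Can be any response type
+# supported by mod_auth_openidc (fragment, query, form_post).
+# Defaults to undef
+#
 # [*openidc_cache_type*]
 # (Optional) mod_auth_openidc cache type. Can be any cache type
 # supported by mod_auth_openidc (shm, file, memcache, redis).
@@ -137,6 +142,7 @@ class keystone::federation::openidc (
 $openidc_client_secret,
 $openidc_crypto_passphrase = 'openstack',
 $openidc_response_type = 'id_token',
+$openidc_response_mode = undef,
 $openidc_cache_type = undef,
 $openidc_cache_shm_max = undef,
 $openidc_cache_shm_entry_size = undef,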
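Review bot: The new `$openidc_response_mode` parameter is accepted without any validation and then written verbatim inside a quoted Apache directive in the template hunk (`OIDCResponseMode "<%= ... %>"`), so a value containing a double quote or a newline would break or extend the generated openidc configuration, and an empty string passes the template's `!= nil` guard and presumably produces an empty directive that Apache only rejects at startup. Since the doc comment itself limits the value to fragment, query and form_post, the simplest fix is to restrict it in the class signature, `Optional[Enum['fragment', 'query', 'form_post']] $openidc_response_mode = undef,`, which turns a bad value into a catalog compile error; if this class keeps its parameters untyped on purpose, an equivalent check in the class body serves the same end. The doc comment also says "response type" where it means response mode; suggest `# (Optional) mod_auth_openidc response mode. Can be any response mode`. The class parameter list begins before the second hunk and continues past it.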


@ -0,0 +1,6 @@
---
features:
- |
The ``keystone::federation::ipenidc`` class now supports the new
``openidc_response_mode`` parameter, to customize mod_auth_openidc response
mode.


@ -202,5 +202,18 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCPassClaimsAs "both"') expect(content).to match('OIDCPassClaimsAs "both"')
end end
end end
context 'with openidc_response_mode attribute' do
before do
params.merge!({
:openidc_response_mode => 'form_post',
})
end
it 'should contain OIDC response mode' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCResponseMode "form_post"')
end
end
end end
end end
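Review bot: The new context only covers the positive case; nothing asserts that `OIDCResponseMode` stays absent when `openidc_response_mode` is left at its `undef` default, so a template regression that always emits the directive (for example `OIDCResponseMode ""`) would still pass this spec. Add a negative assertion to the example that exercises the default parameters (presumably earlier in this file), `expect(content).not_to match('OIDCResponseMode')`. Also, `match` with a String argument compiles it into a regex, so the expectation on the last added `expect` line works only because the literal has no regex metacharacters; `expect(content).to include('OIDCResponseMode "form_post"')` states the intent more precisely. The enclosing `describe` block starts before this hunk.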


@ -7,6 +7,9 @@
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>" OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>" OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%> <%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %> OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%> <%- end -%>