Correct openid federation protocol name in httpd template

Keystone requires the auth method for federation using OpenID
Connect to be 'openid', which we already enforce in puppet-keystone.
The protocol name that shows up in the federation URLs in the httpd
config must match the auth method.  We have a few locations that
don't match, which results in an invalid configuration.

This patch corrects the protocol in the locations protected by
mod_auth_openidc and the OIDCRedirectURI directives.

Change-Id: I02027676c532b447e56c8774c25015ec9a40b414
changes/88/626488/1
Nathan Kinder 4 years ago
parent 63142bf6ef
commit 95f02a40e0
  1. 10
      templates/openidc.conf.erb

@ -9,22 +9,22 @@
# The following directives are required to support openidc from the command
# line
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth">
<Location ~ "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso"
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso"
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso/openid"
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openidc">
<LocationMatch "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</LocationMatch>
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso">
<LocationMatch "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</LocationMatch>

Loading…
Cancel
Save