From 95f02a40e095a1e32774c4d618acf0cbbea35d96 Mon Sep 17 00:00:00 2001 From: Nathan Kinder Date: Wed, 19 Dec 2018 20:01:12 -0800 Subject: [PATCH] Correct openid federation protocol name in httpd template Keystone requires the auth method for federation using OpenID Connect to be 'openid', which we already enforce in puppet-keystone. The protocol name that shows up in the federation URLs in the httpd config must match the auth method. We have a few locations that don't match, which results in an invalid configuration. This patch corrects the protocol in the locations protected by mod_auth_openidc and the OIDCRedirectURI directives. Change-Id: I02027676c532b447e56c8774c25015ec9a40b414 --- templates/openidc.conf.erb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb index 79fd8fa87..c30cea158 100644 --- a/templates/openidc.conf.erb +++ b/templates/openidc.conf.erb @@ -9,22 +9,22 @@ # The following directives are required to support openidc from the command # line - /protocols/openidc/auth"> + /protocols/openid/auth"> AuthType oauth20 Require valid-user # The following directives are necessary to support websso from Horizon # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) - OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso" - OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso" + OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" + OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/websso/openid" - + AuthType "openid-connect" Require valid-user - /protocols/openidc/websso"> + /protocols/openid/websso"> AuthType "openid-connect" Require valid-user
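Review bot: The protocol name `openid` is now a bare literal repeated in each protected path and in both `OIDCRedirectURI` values, and nothing in the template says it has to equal the Keystone auth method. Because these path patterns decide which federation URLs sit behind `Require valid-user`, a later mismatch could leave the real endpoint outside the location handled by mod_auth_openidc instead of failing loudly. I would add a comment above the first block, `# 'openid' is the Keystone federation protocol name and must match the auth method enforced by puppet-keystone`, or set it once with `<%- protocol = 'openid' -%>` and interpolate that in each path. The opening and closing tags of the location blocks are not visible in this hunk as shown, so the full paths are inferred from the fragments that remain.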