diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index c248f4156..a69e10031 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -83,6 +83,19 @@
 # Must be one of introspection or jwks
 # Defaults to introspection
 #
+# [*openidc_pass_userinfo_as*]
+# Define the way(s) in which the claims resolved from the userinfo endpoint
+# are passed to the application according to OIDCPassClaimsAs.
+# Defaults to undef
+#
+# [*openidc_pass_claim_as*]
+# Define the way in which the claims and tokens are passed to the application environment:
+# "none": no claims/tokens are passed
+# "environment": claims/tokens are passed as environment variables
+# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
+# "both": claims/tokens are passed as both headers as well as environment variables (default)
+# Defaults to undef
+#
 # [*memcached_servers*]
 # (Optional) A list of memcache servers. Defaults to undef.
 #
@@ -134,6 +147,8 @@ class keystone::federation::openidc (
 $openidc_introspection_endpoint = undef,
 $openidc_verify_jwks_uri = undef,
 $openidc_verify_method = 'introspection',
+ $openidc_pass_userinfo_as = undef,
+ $openidc_pass_claim_as = undef,
 $memcached_servers = undef,
 $redis_server = undef,
 $redis_password = undef,
@@ -163,6 +178,18 @@ class keystone::federation::openidc (
 }
 }
 
+ if $openidc_pass_userinfo_as != undef {
+ if !($openidc_pass_userinfo_as in ['claims', 'json', 'jwt']) {
+ fail('Unsupported OIDCPassUserInfoAs. Must be one of: claims, json or jwt')
+ }
+ }
+
+ if $openidc_pass_claim_as != undef {
+ if !($openidc_pass_claim_as in ['none', 'environment', 'headers', 'both']) {
+ fail('Unsupported OIDCPassClaimAs. Must be one of: none, environment, headers, both')
+ }
+ }
+
 if $memcached_servers != undef {
 $memcached_servers_real = join(any2array($memcached_servers), ' ')
 } else {
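Review bot: The new `[*openidc_pass_userinfo_as*]` and `[*openidc_pass_claim_as*]` entries in the header comment do not list the values the class accepts, although the validation added further down in this same file rejects anything outside `claims, json, jwt` and `none, environment, headers, both`; the neighbouring `openidc_verify_method` entry does list its choices ("Must be one of introspection or jwks"). Add `#   Must be one of claims, json or jwt` under the first entry and `#   Must be one of none, environment, headers or both` under the second. The "(default)" after "both" also reads as the class default while the entry says "Defaults to undef"; presumably it is mod_auth_openidc's own default when the directive is omitted, which is worth stating explicitly so operators know what an unset parameter yields.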
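Review bot: The error message for `openidc_pass_claim_as` names the directive `OIDCPassClaimAs`, while the template, the release note and the parameter documentation all call it `OIDCPassClaimsAs`; change it to `fail('Unsupported OIDCPassClaimsAs. Must be one of: none, environment, headers, both')` so operators can grep the failure against the Apache directive. The `openidc_pass_userinfo_as` documentation in this file speaks of "the way(s)" the userinfo claims are passed, but `$openidc_pass_userinfo_as in ['claims', 'json', 'jwt']` accepts only a single literal, so a value combining several of them would be rejected; if several are meant to be accepted, validate each whitespace-separated token instead, otherwise the documentation should say a single value is expected. The enclosing class body starts and ends outside the hunk.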
diff --git a/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml b/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
new file mode 100644
index 000000000..0f2e9dfba
--- /dev/null
+++ b/releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
@@ -0,0 +1,11 @@
+---
+features:
+ - |
+ Adding the following configurable items for OpenID:
+
+ - ``keystone::federation::openidc::openidc_pass_userinfo_as`` to set
+ ``OIDCPassUserInfoAs``
+
+ - ``keystone::federation::openidc::openidc_pass_claim_as`` to set
+ ``OIDCPassClaimsAs``
+
diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb
index 0e48e2d53..927bc8a3b 100644
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@@ -176,5 +176,31 @@ describe 'keystone::federation::openidc' do
 expect(content).to match('OIDCClaimDelimiter ";"')
 end
 end
+
+ context 'with openidc_pass_userinfo_as attribute' do
+ before do
+ params.merge!({
+ :openidc_pass_userinfo_as => 'claims',
+ })
+ end
+
+ it 'should contain OIDC pass userinfo as' do
+ content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCPassUserInfoAs "claims"')
+ end
+ end
+
+ context 'with openidc_pass_claim_as attribute' do
+ before do
+ params.merge!({
+ :openidc_pass_claim_as => 'both',
+ })
+ end
+
+ it 'should contain OIDC pass claim as' do
+ content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
+ expect(content).to match('OIDCPassClaimsAs "both"')
+ end
+ end
 end
 end
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index 687baf4b3..63ebc516d 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
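Review bot: Both new contexts in keystone_federation_openidc_spec.rb only exercise accepted values, so the `fail(...)` branches that manifests/federation/openidc.pp adds for unsupported `openidc_pass_userinfo_as` and `openidc_pass_claim_as` values are never tested; a typo in the `in [...]` lists or in the messages would go unnoticed. Add a negative context per parameter that sets an unsupported value (the literal below is a constructed sample) and expects catalog compilation to fail, in the same `params.merge!` style as the contexts here. The enclosing `describe` block begins before the hunk.
```ruby
      context 'with unsupported openidc_pass_userinfo_as value' do
        before do
          params.merge!({
            :openidc_pass_userinfo_as => 'unsupported',
          })
        end

        it 'should fail catalog compilation' do
          is_expected.to compile.and_raise_error(/Unsupported OIDCPassUserInfoAs/)
        end
      end
      # … same shape for :openidc_pass_claim_as, matching the corresponding fail message from the manifest …
```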
@@ -34,6 +34,12 @@
 <%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
 OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
 <%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
+ OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
+<%- end -%>
+<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
+ OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
+<%- end -%>
 # The following directives are necessary to support websso from Horizon
 # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)