From bad291ff1f8b13ecc6b74ffb26ca5752744ae2c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Fern=C3=A1ndez?= Date: Fri, 13 Jan 2023 11:03:09 +0100 Subject: [PATCH] Fix OIDCRedirectURI value The current configuration includes two OIDCRedirectURI but it does not work and breaks authentication flow. We should configure only a single record. Also, the content is based on the quite old keystone guide. This fixes the OIDCRedirectURI entity and updates the configuration based on the latest keystone guide. Closes-Bug: #2002490 Change-Id: If5afb4ac3b5b29f81673af039eeb7736f04a7441 --- templates/openidc.conf.erb | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb index 72698f7fb..4c9866476 100644 --- a/templates/openidc.conf.erb +++ b/templates/openidc.conf.erb @@ -44,20 +44,7 @@ OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>" <%- end -%> - # The following directives are necessary to support websso from Horizon - # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) - OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" - OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/websso/openid" - - - AuthType "openid-connect" - Require valid-user - - - /protocols/openid/websso"> - AuthType "openid-connect" - Require valid-user - + OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth" <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%> <%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%> 
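Review bot: Pointing OIDCRedirectURI at the `.../protocols/openid/auth` path changes the exact redirect URI that the OpenID provider must have registered for this client, and neither the hunk nor the commit message tells operators to update that registration (and to drop the two old `.../websso` URIs from it); a missing entry makes the IdP reject the round-trip, while a stale-but-still-registered one is an unnecessary loose end in the client's allow-list. I would add a comment above the new directive, `# NOTE: must match the redirect URI registered for this client at the OpenID provider; drop the old .../websso/openid and .../protocols/openid/websso entries from that registration after upgrading`, and a release note saying the same. Separately, when openidc_enable_oauth is true this same path appears to be served by the `AuthType oauth20` Location whose opening line is outside this hunk; it is worth confirming that mod_auth_openidc still processes the authorization response at a URI protected with oauth20 rather than openid-connect, since otherwise the websso flow would fail after the IdP redirects back. The ERB `if` blocks that follow the directive continue past the end of this hunk.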
@@ -72,4 +59,21 @@
 AuthType oauth20
 Require valid-user
+<%- else -%>
+ /protocols/openid/auth">
+ AuthType "openid-connect"
+ Require valid-user
+
 <%- end -%>
+
+ # The following directives are necessary to support websso from Horizon
+ # (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)
+
+ AuthType "openid-connect"
+ Require valid-user
+
+
+ /protocols/openid/websso">
+ AuthType "openid-connect"
+ Require valid-user
+
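Review bot: The documentation reference on the added comment line uses the auto-generated Sphinx anchor `#id5`, which is renumbered whenever the page gains or loses an untitled section, so the link will silently drift to the wrong paragraph; cite the section by its title instead, e.g. `# (Per the "Configure Horizon for Single Sign-On" section of https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html)`, using whatever that section is actually titled. As a style point, the new `<%- else -%>` branch and the two websso Location blocks repeat the same `AuthType "openid-connect"` / `Require valid-user` pair three times; if the server supports it, a single regex-matched Location covering the three paths would avoid the copies drifting apart, or at least a one-line comment should say that the three blocks are meant to stay identical. The opening Location lines are not legible in this rendering of the hunk, so I am going by the path fragments that survive.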