openstack/puppet-keystone
Code Issues Proposed changes

Fix OIDCRedirectURI value

Browse Source 
The current configuration includes two OIDCRedirectURI but it does not
work and breaks authentication flow. We should configure only a single
record. Also, the content is based on the quite old keystone guide.

This fixes the OIDCRedirectURI entity and updates the configuration
based on the latest keystone guide.

Closes-Bug: #2002490
Change-Id: If5afb4ac3b5b29f81673af039eeb7736f04a7441
This commit is contained in:
Daniel Fernández
2023-01-13 11:03:09 +01:00
committed by Takashi Kajinami
parent c66ba58ecd
commit bad291ff1f
1 changed files with 18 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
templates/openidc.conf.erb
View File

@@ -44,20 +44,7 @@
OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
<%- end -%>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)
OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso"
OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/websso/openid"
<Location "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</Location>
<Location "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</Location>
OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
<%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>
@@ -72,4 +59,21 @@
AuthType oauth20
Require valid-user
</Location>
<%- else -%>
<Location "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType "openid-connect"
Require valid-user
</Location>
<%- end -%>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)
<Location "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</Location>
<Location "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</Location>