Add oidc options

Add additional OIDC Options to allow for user defined configuration.

This change adds:
keystone::federation::openidc::openidc_pass_userinfo_as
keystone::federation::openidc::openidc_pass_claim_as

Change-Id: Id093956a4c88cfe1f70aa93ecc87da5850bb185c
(cherry picked from commit a3ef077a8a)
changes/64/818164/1
Brendan Shephard 1 year ago committed by Takashi Kajinami
parent 64705ccfbf
commit cf81f460c1
  1. 27
      manifests/federation/openidc.pp
  2. 11
      releasenotes/notes/add-oidc-params-0bddcca8d49ccfdb.yaml
  3. 26
      spec/classes/keystone_federation_openidc_spec.rb
  4. 6
      templates/openidc.conf.erb

@ -83,6 +83,19 @@
# Must be one of introspection or jwks
# Defaults to introspection
#
# [*openidc_pass_userinfo_as*]
# Define the way(s) in which the claims resolved from the userinfo endpoint
# are passed to the application according to OIDCPassClaimsAs.
# Defaults to undef
#
# [*openidc_pass_claim_as*]
# Define the way in which the claims and tokens are passed to the application environment:
# "none": no claims/tokens are passed
# "environment": claims/tokens are passed as environment variables
# "headers": claims/tokens are passed in headers (also useful in reverse proxy scenario's)
# "both": claims/tokens are passed as both headers as well as environment variables (default)
# Defaults to undef
#
# [*memcached_servers*]
# (Optional) A list of memcache servers. Defaults to undef.
#
@ -134,6 +147,8 @@ class keystone::federation::openidc (
$openidc_introspection_endpoint = undef,
$openidc_verify_jwks_uri = undef,
$openidc_verify_method = 'introspection',
$openidc_pass_userinfo_as = undef,
$openidc_pass_claim_as = undef,
$memcached_servers = undef,
$redis_server = undef,
$redis_password = undef,
@ -163,6 +178,18 @@ class keystone::federation::openidc (
}
}
if $openidc_pass_userinfo_as != undef {
if !($openidc_pass_userinfo_as in ['claims', 'json', 'jwt']) {
fail('Unsupported OIDCPassUserInfoAs. Must be one of: claims, json or jwt')
}
}
if $openidc_pass_claim_as != undef {
if !($openidc_pass_claim_as in ['none', 'environment', 'headers', 'both']) {
fail('Unsupported OIDCPassClaimAs. Must be one of: none, environment, headers, both')
}
}
if $memcached_servers != undef {
$memcached_servers_real = join(any2array($memcached_servers), ' ')
} else {

@ -0,0 +1,11 @@
---
features:
- |
Adding the following configurable items for OpenID:
- ``keystone::federation::openidc::openidc_pass_userinfo_as`` to set
``OIDCPassUserInfoAs``
- ``keystone::federation::openidc::openidc_pass_claim_as`` to set
``OIDCPassClaimsAs``

@ -176,5 +176,31 @@ describe 'keystone::federation::openidc' do
expect(content).to match('OIDCClaimDelimiter ";"')
end
end
context 'with openidc_pass_userinfo_as attribute' do
before do
params.merge!({
:openidc_pass_userinfo_as => 'claims',
})
end
it 'should contain OIDC pass userinfo as' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassUserInfoAs "claims"')
end
end
context 'with openidc_pass_claim_as attribute' do
before do
params.merge!({
:openidc_pass_claim_as => 'both',
})
end
it 'should contain OIDC pass claim as' do
content = get_param('concat::fragment', 'configure_openidc_keystone', 'content')
expect(content).to match('OIDCPassClaimsAs "both"')
end
end
end
end

@ -34,6 +34,12 @@
<%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
<%- end -%>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html)

Loading…
Cancel
Save