feat: add openidc_scope param to set OIDCScope

Change-Id: I503cb5a2606ec43dc552bf9cf8fbb5fd21f01637
2025-02-18 10:19:33 +01:00 · 2025-02-18 10:19:33 +01:00 · d4ada5b654
commit d4ada5b654
parent 27c2445598
4 changed files with 25 additions and 1 deletions
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@ -53,6 +53,10 @@
 #  supported by mod_auth_openidc (shm, file, memcache, redis).
 #  Defaults to undef.
 #
+# [*openidc_scope*]
+#  (Optional) Array of mod_auth_openidc requested scope(s).
+#  Defaults to ['openid', 'email', 'profile'].
+#
 # [*openidc_cache_shm_max*]
 #  (Optional) The maximum number of name/value pair entries that can
 #  be cached when using the 'shm' cache type. Defaults to undef.
@ -178,6 +182,7 @@ class keystone::federation::openidc (
  Optional[Stdlib::Unixpath] $openidc_metadata_dir         = undef,
  $openidc_crypto_passphrase                               = 'openstack',
  $openidc_response_type                                   = 'id_token',
+  Array[String[1], 1] $openidc_scope                       = ['openid', 'email', 'profile'],
  $openidc_response_mode                                   = undef,
  $openidc_cache_type                                      = undef,
  $openidc_cache_shm_max                                   = undef,
--- a/releasenotes/notes/openidc_scope-5d03655a3c96f0a7.yaml
+++ b/releasenotes/notes/openidc_scope-5d03655a3c96f0a7.yaml
@ -0,0 +1,5 @@
+---
+features:
+  - |
+    The new ``keystone::fedration::openidc::openidc_scope`` parameter has been
+    added.
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@ -88,6 +88,8 @@ describe 'keystone::federation::openidc' do

      it 'should contain expected config' do
        content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCResponseType "id_token"')
+        expect(content).to match('OIDCScope "openid email profile"')
        expect(content).to match('OIDCClientID "openid_client_id"')
        expect(content).to match('OIDCClientSecret "openid_client_secret"')
        expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/redirect_uri"')
@ -184,6 +186,18 @@ describe 'keystone::federation::openidc' do
      end
    end

+    context 'with additional openidc scope' do
+      before do
+        params.merge!({
+          :openidc_scope => ['iam', 'openid', 'email', 'profile'],
+        })
+      end
+      it 'should use the specified OIDCScope' do
+        content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
+        expect(content).to match('OIDCScope "iam openid email profile"')
+      end
+    end
+
    context 'with memcache options' do
      before do
        params.merge!({
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@ -1,6 +1,6 @@
  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
-  OIDCScope "openid email profile"
+  OIDCScope "<%= scope['keystone::federation::openidc::openidc_scope'].join(' ')-%>"
 <%- if scope['::keystone::federation::openidc::openidc_provider_metadata_url'] != nil -%>
  OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
 <%- end -%>