Resolve OpenID Connect Integration issues

This patch addresses the following issues in OpenID Connect federated
authentication and enables WebSSO as well as non-WebSSO authentication flows.

- WSGIScriptAliasMatch has been removed because default puppet-keystone
  defines a ScriptAlias for the root, effectively creating a redundant
  configuration.

- Added a new parameter `openidc_response_type` to the `openidc` class which
  allows you to select the provider response type.  This is useful for when
  providers don't support default `id_token`.

- Removed `openidc_redirect_uri` from the `openidc_httpd_configuration` class
  in order to be able to build the entire URL in the template for both WebSSO
  and non-WebSSO OpenID connect flows

With this patch, users have the ability to get a fully configured WebSSO setup
out of the box.

Change-Id: I00f57dc92e794aef826a023dcf92f0ce62ffed67

manifests/federation/openidc.pp

@@ -29,6 +29,11 @@
 #  (Optional) String value.
 #  Defaults to 'openstack'
 #
+# [*openidc_response_type*]
+#  Response type to be expected from the OpenID Connect provider.
+#  (Optional) String value.
+#  Defaults to 'id_token'
+#
 # [*admin_port*]
 #  A boolean value to ensure that you want to configure openidc Federation
 #  using Keystone VirtualHost on port 35357.
@@ -66,6 +71,7 @@ class keystone::federation::openidc (
   $openidc_client_id,
   $openidc_client_secret,
   $openidc_crypto_passphrase   = 'openstack',
+  $openidc_response_type       = 'id_token',
   $admin_port                  = false,
   $main_port                   = true,
   $module_plugin               = 'keystone.auth.plugins.mapped.Mapped',

manifests/federation/openidc_httpd_configuration.pp

@@ -15,7 +15,6 @@ define keystone::federation::openidc_httpd_configuration (
   $port              = undef,
   $keystone_endpoint = undef
 ) {
-  $openidc_redirect_uri = "${keystone_endpoint}/v3/auth/OS-FEDERATION/websso/openidc/redirect"
   concat::fragment { "configure_openidc_on_port_${port}":
     target  => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
     content => template('keystone/openidc.conf.erb'),

templates/openidc.conf.erb

@@ -1,15 +1,20 @@
   LoadModule auth_openidc_module modules/mod_auth_openidc.so
-  WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ <%= scope['keystone::params::keystone_wsgi_script_path'] -%>/$1
   OIDCClaimPrefix "OIDC-"
-  OIDCResponseType "id_token"
+  OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
   OIDCScope "openid email profile"
   OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
   OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
   OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
   OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
-  OIDCRedirectURI "<%= @openidc_redirect_uri-%>"
 
-  <Location /v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth>
+  OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth/redirect"
+  <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
       AuthType "openid-connect"
       Require valid-user
-  </Location>
+  </LocationMatch>
+
+  OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso/redirect"
+  <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
+      AuthType "openid-connect"
+      Require valid-user
+  </LocationMatch>