diff --git a/manifests/federation/openidc.pp b/manifests/federation/openidc.pp
index e281dcd2e..1660a705f 100644
--- a/manifests/federation/openidc.pp
+++ b/manifests/federation/openidc.pp
@@ -29,6 +29,11 @@
# (Optional) String value.
# Defaults to 'openstack'
#
+# [*openidc_response_type*]
+# Response type to be expected from the OpenID Connect provider.
+# (Optional) String value.
+# Defaults to 'id_token'
+#
# [*admin_port*]
# A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 35357.
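Review bot: The new `[*openidc_response_type*]` block does not say which values are accepted, yet the value is written verbatim into the `OIDCResponseType` directive of the generated httpd configuration, so an operator gets no guidance on what is safe to set. Suggest extending the comment with a sentence such as `# Must be one of the response types accepted by mod_auth_openidc's OIDCResponseType (e.g. 'code', 'id_token'); 'id_token' selects the implicit flow, 'code' the authorization-code flow.` The authorization-code flow is the generally recommended one, so noting that the default keeps the implicit flow for backward compatibility would help operators choose deliberately.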
@@ -66,6 +71,7 @@ class keystone::federation::openidc (
$openidc_client_id,
$openidc_client_secret,
$openidc_crypto_passphrase = 'openstack',
+ $openidc_response_type = 'id_token',
$admin_port = false,
$main_port = true,
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
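Review bot: `$openidc_response_type = 'id_token'` is accepted without validation, while the template interpolates it inside a double-quoted Apache directive; a value containing a quote or newline would yield a broken or altered httpd configuration at apply time instead of a clear Puppet error. Since the other parameters in this class are untyped, the consistent fix is a stdlib check in the class body, e.g. `validate_re($openidc_response_type, '^(code|id_token|id_token token|code id_token|code token|code id_token token)$')`, or an `Enum` data type on the parameter if the module already uses Puppet 4 types elsewhere. The class body where such a check would go lies outside this hunk.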
diff --git a/manifests/federation/openidc_httpd_configuration.pp b/manifests/federation/openidc_httpd_configuration.pp
index 88f25e479..de415db10 100644
--- a/manifests/federation/openidc_httpd_configuration.pp
+++ b/manifests/federation/openidc_httpd_configuration.pp
@@ -15,7 +15,6 @@ define keystone::federation::openidc_httpd_configuration (
$port = undef,
$keystone_endpoint = undef
) {
- $openidc_redirect_uri = "${keystone_endpoint}/v3/auth/OS-FEDERATION/websso/openidc/redirect"
concat::fragment { "configure_openidc_on_port_${port}":
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
content => template('keystone/openidc.conf.erb'),
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index a1efbb059..e5fe33a6f 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@@ -1,15 +1,20 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so
- WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ <%= scope['keystone::params::keystone_wsgi_script_path'] -%>/$1
OIDCClaimPrefix "OIDC-"
- OIDCResponseType "id_token"
+ OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
OIDCScope "openid email profile"
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
- OIDCRedirectURI "<%= @openidc_redirect_uri-%>"
- /protocols/openidc/auth>
+ OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth/redirect"
+
AuthType "openid-connect"
Require valid-user
-
+
+
+ OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso/redirect"
+
+ AuthType "openid-connect"
+ Require valid-user
+
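Review bot: The second `OIDCRedirectURI` (the added websso block at the end of the hunk) appears to sit in its own container block, but the container directives seem to have been stripped in this rendering (the bare `+` lines and the `/protocols/openidc/auth>` remnant), so the scoping cannot be confirmed from the hunk; please verify that the mod_auth_openidc version in use accepts `OIDCRedirectURI` per-location rather than per-vhost, otherwise the later directive would override or reject the first. Both redirect URIs are now built from `@keystone_endpoint`, which the define defaults to `undef`; with it unset the rendered URIs become path-only, so either make the parameter required or document that it must be the externally reachable Keystone URL, because the value has to match exactly what is registered at the provider. An ERB comment above the first directive, `<%# Both OIDCRedirectURI values must be registered as allowed redirect URIs at the OpenID Connect provider. -%>`, would make that operational requirement visible where the URIs are defined.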