Resolve OpenID Connect Integration issues
This patch addresses the following issues in OpenID Connect federated authentication and enables WebSSO as well as non-WebSSO authentication flows. - WSGIScriptAliasMatch has been removed because default puppet-keystone defines a ScriptAlias for the root, effectively creating a redundant configuration. - Added a new parameter `openidc_response_type` to the `openidc` class which allows you to select the provider response type. This is useful for providers that don't support the default `id_token`. - Removed `openidc_redirect_uri` from the `openidc_httpd_configuration` class in order to be able to build the entire URL in the template for both WebSSO and non-WebSSO OpenID Connect flows. With this patch, users have the ability to get a fully configured WebSSO setup out of the box. Change-Id: I00f57dc92e794aef826a023dcf92f0ce62ffed67
parent
3ceb12fd98
commit
d5a1b27a8f
|
@ -29,6 +29,11 @@
|
||||||
# (Optional) String value.
|
# (Optional) String value.
|
||||||
# Defaults to 'openstack'
|
# Defaults to 'openstack'
|
||||||
#
|
#
|
||||||
|
# [*openidc_response_type*]
|
||||||
|
# Response type to be expected from the OpenID Connect provider.
|
||||||
|
# (Optional) String value.
|
||||||
|
# Defaults to 'id_token'
|
||||||
|
#
|
||||||
# [*admin_port*]
|
# [*admin_port*]
|
||||||
# A boolean value to ensure that you want to configure openidc Federation
|
# A boolean value to ensure that you want to configure openidc Federation
|
||||||
# using Keystone VirtualHost on port 35357.
|
# using Keystone VirtualHost on port 35357.
|
||||||
|
@ -66,6 +71,7 @@ class keystone::federation::openidc (
|
||||||
$openidc_client_id,
|
$openidc_client_id,
|
||||||
$openidc_client_secret,
|
$openidc_client_secret,
|
||||||
$openidc_crypto_passphrase = 'openstack',
|
$openidc_crypto_passphrase = 'openstack',
|
||||||
|
$openidc_response_type = 'id_token',
|
||||||
$admin_port = false,
|
$admin_port = false,
|
||||||
$main_port = true,
|
$main_port = true,
|
||||||
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
|
$module_plugin = 'keystone.auth.plugins.mapped.Mapped',
|
||||||
|
|
|
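Review bot: The new `$openidc_response_type = 'id_token'` parameter is interpolated verbatim into a double-quoted `OIDCResponseType` directive in openidc.conf.erb, but nothing constrains its value, so a typo or a value containing a quote produces an Apache configuration that either fails to load or silently selects a different protocol flow. mod_auth_openidc only accepts a fixed set of response types (`code`, `id_token`, `id_token token`, `code id_token`, `code token`, `code id_token token`), so the class should reject anything else before it reaches the template; if puppetlabs-stdlib is already a dependency of this module, `validate_re($openidc_response_type, '^(code|id_token|id_token token|code id_token|code token|code id_token token)$')` at the top of the class body would do. The parameter documentation added in the first hunk ("Response type to be expected from the OpenID Connect provider.") should also list those accepted values so operators know what they are choosing. The body of `keystone::federation::openidc` continues beyond this hunk.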
@ -15,7 +15,6 @@ define keystone::federation::openidc_httpd_configuration (
|
||||||
$port = undef,
|
$port = undef,
|
||||||
$keystone_endpoint = undef
|
$keystone_endpoint = undef
|
||||||
) {
|
) {
|
||||||
$openidc_redirect_uri = "${keystone_endpoint}/v3/auth/OS-FEDERATION/websso/openidc/redirect"
|
|
||||||
concat::fragment { "configure_openidc_on_port_${port}":
|
concat::fragment { "configure_openidc_on_port_${port}":
|
||||||
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
|
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
|
||||||
content => template('keystone/openidc.conf.erb'),
|
content => template('keystone/openidc.conf.erb'),
|
||||||
|
|
|
@ -1,15 +1,20 @@
|
||||||
LoadModule auth_openidc_module modules/mod_auth_openidc.so
|
LoadModule auth_openidc_module modules/mod_auth_openidc.so
|
||||||
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ <%= scope['keystone::params::keystone_wsgi_script_path'] -%>/$1
|
|
||||||
OIDCClaimPrefix "OIDC-"
|
OIDCClaimPrefix "OIDC-"
|
||||||
OIDCResponseType "id_token"
|
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
|
||||||
OIDCScope "openid email profile"
|
OIDCScope "openid email profile"
|
||||||
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
|
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
|
||||||
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
|
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
|
||||||
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
|
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
|
||||||
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
|
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
|
||||||
OIDCRedirectURI "<%= @openidc_redirect_uri-%>"
|
|
||||||
|
|
||||||
<Location /v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth>
|
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth/redirect"
|
||||||
|
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
|
||||||
AuthType "openid-connect"
|
AuthType "openid-connect"
|
||||||
Require valid-user
|
Require valid-user
|
||||||
</Location>
|
</LocationMatch>
|
||||||
|
|
||||||
|
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso/redirect"
|
||||||
|
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
|
||||||
|
AuthType "openid-connect"
|
||||||
|
Require valid-user
|
||||||
|
</LocationMatch>
|
||||||
|
|
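Review bot: Both new `OIDCRedirectURI` directives are built from `@keystone_endpoint`, which `openidc_httpd_configuration` still defaults to `undef`; when it is unset the template renders a relative redirect URI (`/v3/OS-FEDERATION/.../auth/redirect`), and mod_auth_openidc completes a relative redirect URI from the scheme and host of the incoming request, so the redirect_uri sent to the provider becomes Host-header dependent rather than the configured Keystone endpoint. The define should fail fast instead of rendering that, e.g. `if $keystone_endpoint == undef { fail('keystone_endpoint is required to build OIDCRedirectURI') }` ahead of the concat::fragment in openidc_httpd_configuration.pp. Separately, the two `OIDCRedirectURI` lines sit at the same vhost scope; if the installed mod_auth_openidc treats it as a single server-level directive, the second silently replaces the first and the non-WebSSO flow ends up using the websso redirect URI, so the template deserves a comment stating which redirect URI(s) must be registered at the provider, or a check against the module version in use.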