Resolve OpenID Connect Integration issues

This patch addresses the following issues in OpenID Connect federated
authentication and enables WebSSO as well as non-WebSSO authentication flows.

- WSGIScriptAliasMatch has been removed because default puppet-keystone
  defines a ScriptAlias for the root, effectively creating a redundant
  configuration.

- Added a new parameter `openidc_response_type` to the `openidc` class which
  allows you to select the provider response type.  This is useful for when
  providers don't support default `id_token`.

- Removed `openidc_redirect_uri` from the `openidc_httpd_configuration` class
  in order to be able to build the entire URL in the template for both WebSSO
  and non-WebSSO OpenID connect flows

With this patch, users have the ability to get a fully configured WebSSO setup
out of the box.

Change-Id: I00f57dc92e794aef826a023dcf92f0ce62ffed67
This commit is contained in:
Mohammed Naser 2016-09-17 19:05:05 -04:00
parent 3ceb12fd98
commit d5a1b27a8f
3 changed files with 16 additions and 6 deletions

View File

@ -29,6 +29,11 @@
# (Optional) String value. # (Optional) String value.
# Defaults to 'openstack' # Defaults to 'openstack'
# #
# [*openidc_response_type*]
# Response type to be expected from the OpenID Connect provider.
# (Optional) String value.
# Defaults to 'id_token'
#
# [*admin_port*] # [*admin_port*]
# A boolean value to ensure that you want to configure openidc Federation # A boolean value to ensure that you want to configure openidc Federation
# using Keystone VirtualHost on port 35357. # using Keystone VirtualHost on port 35357.
@ -66,6 +71,7 @@ class keystone::federation::openidc (
$openidc_client_id, $openidc_client_id,
$openidc_client_secret, $openidc_client_secret,
$openidc_crypto_passphrase = 'openstack', $openidc_crypto_passphrase = 'openstack',
$openidc_response_type = 'id_token',
$admin_port = false, $admin_port = false,
$main_port = true, $main_port = true,
$module_plugin = 'keystone.auth.plugins.mapped.Mapped', $module_plugin = 'keystone.auth.plugins.mapped.Mapped',

View File

@ -15,7 +15,6 @@ define keystone::federation::openidc_httpd_configuration (
$port = undef, $port = undef,
$keystone_endpoint = undef $keystone_endpoint = undef
) { ) {
$openidc_redirect_uri = "${keystone_endpoint}/v3/auth/OS-FEDERATION/websso/openidc/redirect"
concat::fragment { "configure_openidc_on_port_${port}": concat::fragment { "configure_openidc_on_port_${port}":
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf", target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
content => template('keystone/openidc.conf.erb'), content => template('keystone/openidc.conf.erb'),

View File

@ -1,15 +1,20 @@
LoadModule auth_openidc_module modules/mod_auth_openidc.so LoadModule auth_openidc_module modules/mod_auth_openidc.so
WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/protocols/.*?/auth)$ <%= scope['keystone::params::keystone_wsgi_script_path'] -%>/$1
OIDCClaimPrefix "OIDC-" OIDCClaimPrefix "OIDC-"
OIDCResponseType "id_token" OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
OIDCScope "openid email profile" OIDCScope "openid email profile"
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>" OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>" OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>" OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>" OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
OIDCRedirectURI "<%= @openidc_redirect_uri-%>"
<Location /v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth> OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth/redirect"
<LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
AuthType "openid-connect" AuthType "openid-connect"
Require valid-user Require valid-user
</Location> </LocationMatch>
OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso/redirect"
<LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
AuthType "openid-connect"
Require valid-user
</LocationMatch>