From fdf2a2b31a6de76973a35a2494455ef176eee936 Mon Sep 17 00:00:00 2001
From: Takashi Kajinami <kajinamit@oss.nttdata.com>
Date: Tue, 10 Sep 2024 13:39:46 +0900
Subject: [PATCH] Fix default OIDCRedirectURI hiding keystone federation auth
 endpoint

This updates the default OIDCRedirectURI according to the change made
in the example file in keystone repo[1].

[1] https://review.opendev.org/925553

Closes-Bug: #2075349
Change-Id: Ia0f3cbb842a4c01e6a3ca44ca66dc9a8a731720c
---
 spec/classes/keystone_federation_openidc_spec.rb | 2 +-
 templates/openidc.conf.erb                       | 7 ++++++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/spec/classes/keystone_federation_openidc_spec.rb b/spec/classes/keystone_federation_openidc_spec.rb
index 8c64801cd..8fb367bd1 100644
--- a/spec/classes/keystone_federation_openidc_spec.rb
+++ b/spec/classes/keystone_federation_openidc_spec.rb
@@ -90,7 +90,7 @@ describe 'keystone::federation::openidc' do
         content = get_param('concat::fragment', 'keystone_wsgi-configure_openidc_keystone', 'content')
         expect(content).to match('OIDCClientID "openid_client_id"')
         expect(content).to match('OIDCClientSecret "openid_client_secret"')
-        expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/OS-FEDERATION/identity_providers/myidp/protocols/openid/auth"')
+        expect(content).to match('OIDCRedirectURI "http://localhost:5000/v3/redirect_uri"')
         expect(content).to match('OIDCProviderMetadataURL "https://accounts.google.com/.well-known/openid-configuration"')
       end
     end
diff --git a/templates/openidc.conf.erb b/templates/openidc.conf.erb
index c0abe7582..bc32418be 100644
--- a/templates/openidc.conf.erb
+++ b/templates/openidc.conf.erb
@@ -62,7 +62,7 @@
 <%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%>
   OIDCRedirectURI "<%= scope['::keystone::federation::openidc::openidc_redirect_uri'] %>"
 <% else %>
-  OIDCRedirectURI "<%= @keystone_url -%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth"
+  OIDCRedirectURI "<%= @keystone_url -%>/v3/redirect_uri"
 <%- end -%>
 
 <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
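Review bot: The `<Location "/v3/redirect_uri">` block added in the second hunk of this file is unconditional, while the path it protects is only the default written by the `else` branch here; when `openidc_redirect_uri` is set to a different URI, the configured callback path is left without `AuthType "openid-connect"` and the hard-coded path is protected instead, so mod_auth_openidc would not handle the callback on the URI it is told to use. I would compute the redirect URI once in this hunk and derive the Location from it, so the two directives cannot drift. Whether `URI` is loadable from the template's scope needs confirming; stripping the `@keystone_url` prefix from the string would do otherwise. The new block is also indented with three spaces where the neighbouring `<Location>` blocks use two.
```erb
<%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%>
<%-   redirect_uri = scope['::keystone::federation::openidc::openidc_redirect_uri'] -%>
<% else %>
<%-   redirect_uri = "#{@keystone_url}/v3/redirect_uri" -%>
<%- end -%>
  OIDCRedirectURI "<%= redirect_uri %>"
<%# … unchanged: oauth / websso sections … %>
  <Location "<%= URI(redirect_uri).path %>">
      AuthType "openid-connect"
      Require valid-user
  </Location>
```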
@@ -85,6 +85,11 @@
   </Location>
 <%- end -%>
 
+   <Location "/v3/redirect_uri">
+       AuthType "openid-connect"
+       Require valid-user
+   </Location>
+
   # The following directives are necessary to support websso from Horizon
   # (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)
   <Location "/v3/auth/OS-FEDERATION/websso/openid">