LoadModule auth_openidc_module modules/mod_auth_openidc.so OIDCClaimPrefix "OIDC-" OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>" OIDCScope "openid email profile" OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>" OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>" OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>" OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>" <%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%> OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>" <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%> OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %> <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_cache_shm_max'] != nil -%> OIDCCacheShmMax scope['::keystone::federation::openidc::openidc_cache_shm_max'] %> <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] != nil -%> OIDCCacheShmEntrySize scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] %> <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_cache_dir'] != nil -%> OIDCCacheDir scope['::keystone::federation::openidc::openidc_cache_dir'] %> <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_cache_clean_interval'] != nil -%> OIDCCacheFileCleanInterval scope['::keystone::federation::openidc::openidc_cache_clean_interval'] %> <%- end -%> <%- if scope['::keystone::federation::openidc::memcached_servers_real'] != nil -%> OIDCMemCacheServers "<%= scope['::keystone::federation::openidc::memcached_servers_real'] %>" <%- end -%> <%- if scope['::keystone::federation::openidc::redis_server'] != nil -%> OIDCRedisCacheServer "<%= scope['::keystone::federation::openidc::redis_server'] %>" <%- end -%> <%- if scope['::keystone::federation::openidc::redis_password'] != nil -%> OIDCRedisCachecPassword scope['::keystone::federation::openidc::redis_password'] %> <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%> OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>" <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%> OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>" <%- end -%> <%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%> OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>" <%- end -%> # The following directives are necessary to support websso from Horizon # (Per https://docs.openstack.org/keystone/pike/advanced-topics/federation/websso.html) OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso" OIDCRedirectURI "<%= @keystone_url -%>/v3/auth/OS-FEDERATION/websso/openid" AuthType "openid-connect" Require valid-user /protocols/openid/websso"> AuthType "openid-connect" Require valid-user <%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%> <%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%> OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>" OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>" OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>" <%- elsif scope['keystone::federation::openidc::openidc_verify_method'] == 'jwks' -%> OIDCOAuthVerifyJwksUri "<%= scope['keystone::federation::openidc::openidc_verify_jwks_uri']-%>" <%- end -%> /protocols/openid/auth"> AuthType oauth20 Require valid-user <%- end -%>