d5a1b27a8f
This patch addresses the following issues in OpenID Connect federated authentication and enables WebSSO as well as non-WebSSO authentication flows. - WSGIScriptAliasMatch has been removed because default puppet-keystone defines a ScriptAlias for the root, effectively creating a redundant configuration. - Added a new parameter `openidc_response_type` to the `openidc` class which allows you to select the provider response type. This is useful for when providers don't support default `id_token`. - Removed `openidc_redirect_uri` from the `openidc_httpd_configuration` class in order to be able to build the entire URL in the template for both WebSSO and non-WebSSO OpenID connect flows With this patch, users have the ability to get a fully configured WebSSO setup out of the box. Change-Id: I00f57dc92e794aef826a023dcf92f0ce62ffed67
24 lines
732 B
Puppet
24 lines
732 B
Puppet
# == define: keystone::federation::openidc_httpd_configuration [70/1473]
|
|
#
|
|
# == Parameters
|
|
#
|
|
# [*port*]
|
|
# The port number to configure OpenIDC federated authentication on
|
|
# (Required) String value.
|
|
#
|
|
# [*keystone_endpoint*]
|
|
# The keystone endpoint to use when configuring the OpenIDC redirect back
|
|
# to keystone
|
|
# (Required) String value.
|
|
#
|
|
define keystone::federation::openidc_httpd_configuration (
|
|
$port = undef,
|
|
$keystone_endpoint = undef
|
|
) {
|
|
concat::fragment { "configure_openidc_on_port_${port}":
|
|
target => "${keystone::wsgi::apache::priority}-keystone_wsgi_${title}.conf",
|
|
content => template('keystone/openidc.conf.erb'),
|
|
order => $keystone::federation::openidc::template_order,
|
|
}
|
|
}
|