puppet-keystone/templates/openidc.conf.erb

  LoadModule auth_openidc_module modules/mod_auth_openidc.so
  OIDCClaimPrefix "OIDC-"
  OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
  OIDCScope "openid email profile"
  OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
  OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
  OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
  OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"

  OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/auth/redirect"
  <LocationMatch /v3/OS-FEDERATION/identity_providers/.*?/protocols/openidc/auth>
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>

  OIDCRedirectURI "<%= @keystone_endpoint-%>/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openidc/websso/redirect"
  <LocationMatch /v3/auth/OS-FEDERATION/identity_providers/.*?/protocols/openidc/websso>
      AuthType "openid-connect"
      Require valid-user
  </LocationMatch>