openstack/puppet-keystone
Code Issues Proposed changes
puppet-keystone/templates/openidc.conf.erb
Takashi Kajinami fdf2a2b31a Fix default OIDCRedirectURI hiding keystone federation auth endpoint 
This updates the default OIDCRedirectURI according to the change made
in the example file in keystone repo[1].

[1] https://review.opendev.org/925553

Closes-Bug: #2075349
Change-Id: Ia0f3cbb842a4c01e6a3ca44ca66dc9a8a731720c
2024-09-10 13:39:46 +09:00

120 lines
6.1 KiB
Plaintext
Raw Blame History

OIDCClaimPrefix "OIDC-"
OIDCResponseType "<%= scope['keystone::federation::openidc::openidc_response_type']-%>"
OIDCScope "openid email profile"
<%- if scope['::keystone::federation::openidc::openidc_provider_metadata_url'] != nil -%>
OIDCProviderMetadataURL "<%= scope['keystone::federation::openidc::openidc_provider_metadata_url']-%>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_metadata_dir'] != nil -%>
OIDCMetadataDir "<%= scope['::keystone::federation::openidc::openidc_metadata_dir'] %>"
<%- end -%>
OIDCClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCCryptoPassphrase "<%= scope['keystone::federation::openidc::openidc_crypto_passphrase']-%>"
<%- if scope['::keystone::federation::openidc::openidc_response_mode'] != nil -%>
OIDCResponseMode "<%= scope['::keystone::federation::openidc::openidc_response_mode'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_type'] != nil -%>
OIDCCacheType <%= scope['::keystone::federation::openidc::openidc_cache_type'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_max'] != nil -%>
OIDCCacheShmMax <%= scope['::keystone::federation::openidc::openidc_cache_shm_max'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] != nil -%>
OIDCCacheShmEntrySize <%= scope['::keystone::federation::openidc::openidc_cache_shm_entry_size'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_dir'] != nil -%>
OIDCCacheDir <%= scope['::keystone::federation::openidc::openidc_cache_dir'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_cache_clean_interval'] != nil -%>
OIDCCacheFileCleanInterval <%= scope['::keystone::federation::openidc::openidc_cache_clean_interval'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::memcached_servers_real'] != nil -%>
OIDCMemCacheServers "<%= scope['::keystone::federation::openidc::memcached_servers_real'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_server'] != nil -%>
OIDCRedisCacheServer "<%= scope['::keystone::federation::openidc::redis_server'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_password'] != nil -%>
OIDCRedisCachePassword "<%= scope['::keystone::federation::openidc::redis_password'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_username'] != nil -%>
OIDCRedisCacheUsername "<%= scope['::keystone::federation::openidc::redis_username'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_database'] != nil -%>
OIDCRedisCacheDatabase <%= scope['::keystone::federation::openidc::redis_database'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_connect_timeout'] != nil -%>
OIDCRedisCacheConnectTimeout <%= scope['::keystone::federation::openidc::redis_connect_timeout'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::redis_timeout'] != nil -%>
OIDCRedisCacheTimeout <%= scope['::keystone::federation::openidc::redis_timeout'] %>
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_claim_delimiter'] != nil -%>
OIDCClaimDelimiter "<%= scope['::keystone::federation::openidc::openidc_claim_delimiter'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] != nil -%>
OIDCPassUserInfoAs "<%= scope['::keystone::federation::openidc::openidc_pass_userinfo_as'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_pass_claim_as'] != nil -%>
OIDCPassClaimsAs "<%= scope['::keystone::federation::openidc::openidc_pass_claim_as'] %>"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_redirect_uri'] != nil -%>
OIDCRedirectURI "<%= scope['::keystone::federation::openidc::openidc_redirect_uri'] %>"
<% else %>
OIDCRedirectURI "<%= @keystone_url -%>/v3/redirect_uri"
<%- end -%>
<%- if scope['::keystone::federation::openidc::openidc_enable_oauth'] -%>
<%- if scope['keystone::federation::openidc::openidc_verify_method'] == 'introspection' -%>
OIDCOAuthClientID "<%= scope['keystone::federation::openidc::openidc_client_id']-%>"
OIDCOAuthClientSecret "<%= scope['keystone::federation::openidc::openidc_client_secret']-%>"
OIDCOAuthIntrospectionEndpoint "<%= scope['keystone::federation::openidc::openidc_introspection_endpoint']-%>"
<%- elsif scope['keystone::federation::openidc::openidc_verify_method'] == 'jwks' -%>
OIDCOAuthVerifyJwksUri "<%= scope['keystone::federation::openidc::openidc_verify_jwks_uri']-%>"
<%- end -%>
<Location "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType oauth20
Require valid-user
</Location>
<%- else -%>
<Location "/v3/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/auth">
AuthType "openid-connect"
Require valid-user
</Location>
<%- end -%>
<Location "/v3/redirect_uri">
AuthType "openid-connect"
Require valid-user
</Location>
# The following directives are necessary to support websso from Horizon
# (Per https://docs.openstack.org/keystone/latest/admin/federation/configure_federation.html#id5)
<Location "/v3/auth/OS-FEDERATION/websso/openid">
AuthType "openid-connect"
Require valid-user
</Location>
<Location "/v3/auth/OS-FEDERATION/identity_providers/<%= scope['keystone::federation::openidc::idp_name']-%>/protocols/openid/websso">
AuthType "openid-connect"
Require valid-user
</Location>
<%- if @additional_locations -%>
# Additional Location directives from keystone::federation::openidc:locations
<% @additional_locations.each do |loc| %>
<Location "<%= loc['url'] %>">
AuthType "<%= loc['authtype'] %>"
<%- if loc['oidcdiscoverurl'] -%>
OIDCDiscoverURL <%= loc['oidcdiscoverurl'] %>
<%- end -%>
Require <%= loc['requireoidc'] %>
<%- if loc['loglevel'] -%>
LogLevel <%= loc['loglevel'] %>
<%- end -%>
</Location>
<%- end -%>
<%- end -%>
View Git Blame Copy Permalink